Edit tour

Windows Analysis Report
WinUI.exe

Overview

General Information

Sample name:	WinUI.exe
Analysis ID:	1427802
MD5:	cbda0e120fd089cb6f31c81dcc3ad065
SHA1:	4f3e30004357b7f570a1719ecd99df25fd9b41c4
SHA256:	76b9211c8ccc28b01827089f4eda07f39a12f603b0e26726cdb0deec2c9a2893
Infos:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Detected potential crypto function

Found large amount of non-executed APIs

PE file contains sections with non-standard names

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

WinUI.exe (PID: 5956 cmdline: "C:\Users\user\Desktop\WinUI.exe" MD5: CBDA0E120FD089CB6F31C81DCC3AD065)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: WinUI.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: WinUI.exe
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbcccGCTL source: WinUI.exe

Source: C:\Users\user\Desktop\WinUI.exe

Code function: 0_2_00007FF62E5DFB00 FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,Concurrency::cancel_current_task,

0_2_00007FF62E5DFB00

Source: WinUI.exe	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: WinUI.exe	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?You
Source: WinUI.exe	String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: WinUI.exe	String found in binary or memory: https://aka.ms/dotnet/app-launch-failed&gui=trueShowing

Source: C:\Users\user\Desktop\WinUI.exe	Code function: 0_2_00007FF62E5E1AF0	0_2_00007FF62E5E1AF0
Source: C:\Users\user\Desktop\WinUI.exe	Code function: 0_2_00007FF62E5D2BA0	0_2_00007FF62E5D2BA0
Source: C:\Users\user\Desktop\WinUI.exe	Code function: 0_2_00007FF62E5D6750	0_2_00007FF62E5D6750
Source: C:\Users\user\Desktop\WinUI.exe	Code function: 0_2_00007FF62E5D9C20	0_2_00007FF62E5D9C20
Source: C:\Users\user\Desktop\WinUI.exe	Code function: 0_2_00007FF62E5DEFF0	0_2_00007FF62E5DEFF0

Source: WinUI.exe

Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Source: WinUI.exe	Binary or memory string: OriginalFilename vs WinUI.exe
Source: WinUI.exe, 00000000.00000000.1629017320.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWinUI.dll: vs WinUI.exe
Source: WinUI.exe	Binary or memory string: OriginalFilenameWinUI.dll: vs WinUI.exe

Source: classification engine

Classification label: clean4.winEXE@1/0@0/0

Source: WinUI.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\WinUI.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: WinUI.exe	String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: WinUI.exe	String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: WinUI.exe	String found in binary or memory: https://aka.ms/dotnet/app-launch-failed&gui=trueShowing error dialog for application: '%s' - error code: 0x%x - url: '%s' - dialog message: %sopenRedirecting errors to custom writer.invalid string position
Source: WinUI.exe	String found in binary or memory: https://aka.ms/dotnet/app-launch-failed

Source: C:\Users\user\Desktop\WinUI.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\WinUI.exe	Section loaded: kernel.appcore.dll			Jump to behavior

Source: WinUI.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: WinUI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: WinUI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: WinUI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: WinUI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: WinUI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: WinUI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: WinUI.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: WinUI.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: WinUI.exe
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbcccGCTL source: WinUI.exe

Source: WinUI.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: WinUI.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: WinUI.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: WinUI.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: WinUI.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\WinUI.exe

Code function: 0_2_00007FF62E5DF400 LoadLibraryA,GetProcAddress,_invalid_parameter_noinfo_noreturn,

0_2_00007FF62E5DF400

Source: WinUI.exe

Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\WinUI.exe

API coverage: 8.0 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\WinUI.exe

0_2_00007FF62E5DFB00

Source: C:\Users\user\Desktop\WinUI.exe

Code function: 0_2_00007FF62E5E4120 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF62E5E4120

Source: C:\Users\user\Desktop\WinUI.exe

Code function: 0_2_00007FF62E5DF400 LoadLibraryA,GetProcAddress,_invalid_parameter_noinfo_noreturn,

0_2_00007FF62E5DF400

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\WinUI.exe	Code function: 0_2_00007FF62E5E4120 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF62E5E4120
Source: C:\Users\user\Desktop\WinUI.exe	Code function: 0_2_00007FF62E5E3DD0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF62E5E3DD0
Source: C:\Users\user\Desktop\WinUI.exe	Code function: 0_2_00007FF62E5E42C8 SetUnhandledExceptionFilter,	0_2_00007FF62E5E42C8

Source: C:\Users\user\Desktop\WinUI.exe

Code function: 0_2_00007FF62E5E433C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF62E5E433C

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	Source	Malicious	Reputation
https://aka.ms/dotnet/app-launch-failed	WinUI.exe	false	high
https://aka.ms/dotnet-core-applaunch?You	WinUI.exe	false	high
https://aka.ms/dotnet/app-launch-failed&gui=trueShowing	WinUI.exe	false	high
https://aka.ms/dotnet-core-applaunch?	WinUI.exe	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427802
Start date and time:	2024-04-18 07:49:01 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WinUI.exe
Detection:	CLEAN
Classification:	clean4.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 7 Number of non-executed functions: 47
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

VT rate limit hit for: WinUI.exe

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.044007074169727
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	WinUI.exe
File size:	150'016 bytes
MD5:	cbda0e120fd089cb6f31c81dcc3ad065
SHA1:	4f3e30004357b7f570a1719ecd99df25fd9b41c4
SHA256:	76b9211c8ccc28b01827089f4eda07f39a12f603b0e26726cdb0deec2c9a2893
SHA512:	f392c1b801d50e58711c8f88fb1d4da1643c15318f0596914871440eab5364c0ed2b087bc04e74ddfe1d6bf6391edb616481c850ad360a0ca7ef1fe333f1f10e
SSDEEP:	3072:5czkitvo4BpYN/6mBPry8TXROLdW5m4mURu9OOG+0kD:5A4NCmBPry/N2KOOL
TLSH:	9BE32806B2AD01FCD1ABE33889A64A02F7767856473697CF0350867A1F777E0AE79311
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........}.............../......./......./......a.....S../........"...I../....I../....Rich............................PE..d.....oe...

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140013c60
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x656F0000 [Tue Dec 5 10:48:32 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	6dbf27f4c70fe2c8ed3e0122ba75d641

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F562928D7A8h
dec eax
add esp, 28h
jmp 00007F562928CF3Fh
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F562928D0E2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F562928D0E5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F562928D0DDh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F562928CAD6h
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ecx
mov ebx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007F562928D041h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x22474	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2a000	0x680	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x26000	0x1440	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x29000	0x318	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1efa0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1f180	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1f000	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1a000	0x408	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1821c	0x18400	0a11f732cbe48283e2e6549421819adc	False	0.49150289948453607	data	6.320245813356347	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1a000	0x9302	0x9400	a8afb7c703fa303aca864d47fd45e9e8	False	0.36906144425675674	data	4.525335266420824	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x24000	0x14f8	0xa00	6803f795472a57466539e7f6d412a3bb	False	0.183984375	DOS executable (block device driver)	2.4528649610883178	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x26000	0x1440	0x1600	6a2868947463d3292323bc1a5bca8733	False	0.4440696022727273	PEX Binary Archive	4.722703557900984	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x28000	0xf4	0x200	0a880db69ef3d95f9e9e17c8465b574f	False	0.30859375	data	2.4118532147102756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x29000	0x318	0x400	541be3271e778d705125ef64917f1dc4	False	0.55078125	data	4.693053408235668	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x2a000	0x680	0x800	b5d58817a64de1e9271fd1b607cb03f5	False	0.373046875	data	3.990675555787608	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x2a080	0x300	MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"			0.4674479166666667
RT_MANIFEST	0x2a380	0x2df	XML 1.0 document, ASCII text, with CRLF line terminators			0.48299319727891155

Imports

DLL	Import
KERNEL32.dll	FindNextFileW, GetCurrentProcess, GetModuleHandleExW, GetModuleFileNameW, LeaveCriticalSection, InitializeCriticalSection, GetEnvironmentVariableW, FindClose, MultiByteToWideChar, GetLastError, GetFileAttributesExW, GetFullPathNameW, GetProcAddress, DeleteCriticalSection, WideCharToMultiByte, IsWow64Process, LoadLibraryExW, FreeLibrary, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, EnterCriticalSection, FindFirstFileExW, OutputDebugStringW, LoadLibraryA, GetModuleHandleW, InitializeCriticalSectionAndSpinCount, SetLastError, RaiseException, RtlPcToFileHeader, RtlUnwindEx, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, IsDebuggerPresent, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, LCMapStringEx, DecodePointer, EncodePointer, InitializeCriticalSectionEx, GetStringTypeW
USER32.dll	MessageBoxW
SHELL32.dll	ShellExecuteW
ADVAPI32.dll	RegOpenKeyExW, RegGetValueW, DeregisterEventSource, RegisterEventSourceW, ReportEventW, RegCloseKey
api-ms-win-crt-runtime-l1-1-0.dll	_exit, __p___argc, _initterm_e, _initterm, _get_initial_wide_environment, _invalid_parameter_noinfo_noreturn, _initialize_wide_environment, _configure_wide_argv, _initialize_onexit_table, _set_app_type, __p___wargv, _seh_filter_exe, _register_onexit_function, _cexit, terminate, _errno, exit, abort, _crt_atexit, _c_exit, _register_thread_local_exe_atexit_callback
api-ms-win-crt-stdio-l1-1-0.dll	setvbuf, fflush, _wfopen, __stdio_common_vswprintf, __stdio_common_vfwprintf, _set_fmode, __stdio_common_vsprintf_s, __acrt_iob_func, fputwc, fputws, __p__commode
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, _callnewh, free, malloc, calloc
api-ms-win-crt-string-l1-1-0.dll	wcsnlen, strcpy_s, _wcsdup, strcspn, wcsncmp, toupper
api-ms-win-crt-convert-l1-1-0.dll	_wtoi, wcstoul
api-ms-win-crt-locale-l1-1-0.dll	setlocale, ___lc_locale_name_func, localeconv, _unlock_locales, _lock_locales, ___mb_cur_max_func, _configthreadlocale, __pctype_func, ___lc_codepage_func
api-ms-win-crt-math-l1-1-0.dll	frexp, __setusermatherr
api-ms-win-crt-time-l1-1-0.dll	_gmtime64_s, _time64, wcsftime

Target ID:	0
Start time:	07:49:47
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\WinUI.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\WinUI.exe"
Imagebase:	0x7ff62e5d0000
File size:	150'016 bytes
MD5 hash:	CBDA0E120FD089CB6F31C81DCC3AD065
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.4%
Total number of Nodes:	1367
Total number of Limit Nodes:	9

Executed Functions

Function 00007FF62E5E1AF0 Relevance: 88.2, APIs: 26, Strings: 24, Instructions: 675COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF62E5DDD10: GetModuleFileNameW.KERNEL32 ref: 00007FF62E5DDDE7
Part of subcall function 00007FF62E5DDD10: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5DDEDE

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E264A

Part of subcall function 00007FF62E5DF680: GetFileAttributesExW.KERNEL32 ref: 00007FF62E5DF6F5

Part of subcall function 00007FF62E5E17E0: MultiByteToWideChar.KERNEL32 ref: 00007FF62E5E1858
Part of subcall function 00007FF62E5E17E0: MultiByteToWideChar.KERNEL32 ref: 00007FF62E5E189A

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E2525
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E2579
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E25CF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E1D30

Part of subcall function 00007FF62E5D6BB0: EnterCriticalSection.KERNEL32(?,?,0000000100000004,00000000,00000000,00000000,00000000,00000007,FFFFFFFF,00007FF62E5D6A1B), ref: 00007FF62E5D6BE2
Part of subcall function 00007FF62E5D6BB0: __stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6C1B
Part of subcall function 00007FF62E5D6BB0: __stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6CEB
Part of subcall function 00007FF62E5D6BB0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D0E
Part of subcall function 00007FF62E5D6BB0: fputws.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D1A
Part of subcall function 00007FF62E5D6BB0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D25
Part of subcall function 00007FF62E5D6BB0: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D33
Part of subcall function 00007FF62E5D6BB0: OutputDebugStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D47
Part of subcall function 00007FF62E5D6BB0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D5B

Strings

hostfxr_set_error_writer, xrefs: 00007FF62E5E207C, 00007FF62E5E2095, 00007FF62E5E22F5, 00007FF62E5E230E
Probed for and did not resolve library symbol %S, xrefs: 00007FF62E5E1F7C, 00007FF62E5E209C, 00007FF62E5E2190, 00007FF62E5E21FE, 00007FF62E5E2315
hostfxr_main_bundle_startupinfo, xrefs: 00007FF62E5E1F60, 00007FF62E5E1F75
The library %s was found, but loading it from %s failed, xrefs: 00007FF62E5E1F11
Invoking fx resolver [%s] v1, xrefs: 00007FF62E5E21D0
- Installing .NET prerequisites might help resolve this problem., xrefs: 00007FF62E5E1F1D
hostfxr_main_startupinfo, xrefs: 00007FF62E5E2170, 00007FF62E5E2189
The required library %s does not support single-file apps., xrefs: 00007FF62E5E1F96
The application to execute does not exist: '%s'., xrefs: 00007FF62E5E1E64
Failed to resolve full path of the current executable [%s], xrefs: 00007FF62E5E2601
The required library %s does not contain the expected entry point., xrefs: 00007FF62E5E2218
Detected Single-File app bundle, xrefs: 00007FF62E5E1D6F
The required library %s does not support relative app dll paths., xrefs: 00007FF62E5E21B0
https://go.microsoft.com/fwlink/?linkid=798306, xrefs: 00007FF62E5E1F29
Host path: [%s], xrefs: 00007FF62E5E202A, 00007FF62E5E22B2
Invoking fx resolver [%s] hostfxr_main_bundle_startupinfo, xrefs: 00007FF62E5E200E
hostfxr_main, xrefs: 00007FF62E5E21E1, 00007FF62E5E21F7
Dotnet path: [%s], xrefs: 00007FF62E5E2044, 00007FF62E5E22CC
A fatal error was encountered. This executable was not bound to load a managed DLL., xrefs: 00007FF62E5E1BC0
Bundle Header Offset: [%lx], xrefs: 00007FF62E5E2070
Invoking fx resolver [%s] hostfxr_main_startupinfo, xrefs: 00007FF62E5E2296
%s, xrefs: 00007FF62E5E1F30
hostfxr.dll, xrefs: 00007FF62E5E1F0A
App path: [%s], xrefs: 00007FF62E5E2061, 00007FF62E5E22E9

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__acrt_iob_func$ByteCharFileMultiWide__stdio_common_vswprintf$AttributesCriticalDebugEnterModuleNameOutputSectionStringfputwcfputws
String ID: %s$ - Installing .NET prerequisites might help resolve this problem.$A fatal error was encountered. This executable was not bound to load a managed DLL.$App path: [%s]$Bundle Header Offset: [%lx]$Detected Single-File app bundle$Dotnet path: [%s]$Failed to resolve full path of the current executable [%s]$Host path: [%s]$Invoking fx resolver [%s] hostfxr_main_bundle_startupinfo$Invoking fx resolver [%s] hostfxr_main_startupinfo$Invoking fx resolver [%s] v1$Probed for and did not resolve library symbol %S$The application to execute does not exist: '%s'.$The library %s was found, but loading it from %s failed$The required library %s does not contain the expected entry point.$The required library %s does not support relative app dll paths.$The required library %s does not support single-file apps.$hostfxr.dll$hostfxr_main$hostfxr_main_bundle_startupinfo$hostfxr_main_startupinfo$hostfxr_set_error_writer$https://go.microsoft.com/fwlink/?linkid=798306
API String ID: 3488066100-2178251435
Opcode ID: 3fe97d1f1a519df4fcab6a169498e731899a9131dcdc252ef1cb52c927d3cfa7
Instruction ID: 3701549960bdf4177f2cde302a91a5babb038493e482bf142260f2222e78b544
Opcode Fuzzy Hash: 3fe97d1f1a519df4fcab6a169498e731899a9131dcdc252ef1cb52c927d3cfa7
Instruction Fuzzy Hash: 3A729566A28F4285FF00CB24EC643AD2361FB64398F584139FA5DA7A99DF7DE485C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D6BB0 Relevance: 21.2, APIs: 14, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(?,?,0000000100000004,00000000,00000000,00000000,00000000,00000007,FFFFFFFF,00007FF62E5D6A1B), ref: 00007FF62E5D6BE2
__stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6C1B
__stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6CEB
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D0E
fputws.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D1A
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D25
fputwc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D33
OutputDebugStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D47
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D5B
__stdio_common_vfwprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D89
fputwc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D97
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6DCE
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6DE1
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5D6DF7

Part of subcall function 00007FF62E5E3718: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62E5D1C4D), ref: 00007FF62E5E3732

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: __acrt_iob_func$CriticalSection__stdio_common_vswprintffputwc$Concurrency::cancel_current_taskDebugEnterLeaveOutputString__stdio_common_vfwprintf_invalid_parameter_noinfo_noreturnfputwsmalloc
String ID:
API String ID: 742152493-0
Opcode ID: 58c2e7b25a33e6ffedc99cb14a7720a5e971c58ca368530c9475b07ccaba4ca5
Instruction ID: a2257aebb4a7ebd762293866b879f07695a3df86df9e311cbd6b86708e4353f2
Opcode Fuzzy Hash: 58c2e7b25a33e6ffedc99cb14a7720a5e971c58ca368530c9475b07ccaba4ca5
Instruction Fuzzy Hash: 10518325A28B4181EE109B21FC6437963A1EF99BA4F044239FE6EA37D5DF7DE4458301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5E2690 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF62E5D64E0: GetEnvironmentVariableW.KERNEL32 ref: 00007FF62E5D6537
Part of subcall function 00007FF62E5D64E0: GetLastError.KERNEL32 ref: 00007FF62E5D6543
Part of subcall function 00007FF62E5D64E0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D6717

EnterCriticalSection.KERNEL32 ref: 00007FF62E5E2744
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62E5E2751
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62E5E275C
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62E5E2765
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62E5E2770
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62E5E2779
LeaveCriticalSection.KERNEL32 ref: 00007FF62E5E2786

Part of subcall function 00007FF62E5D6B20: EnterCriticalSection.KERNEL32 ref: 00007FF62E5D6B52
Part of subcall function 00007FF62E5D6B20: __stdio_common_vfwprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62E5D6B7C
Part of subcall function 00007FF62E5D6B20: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62E5D6B8A
Part of subcall function 00007FF62E5D6B20: LeaveCriticalSection.KERNEL32 ref: 00007FF62E5D6B97

Strings

apphost, xrefs: 00007FF62E5E26C6
6.0.26, xrefs: 00007FF62E5E26BF
dc45e96840243b203b13e61952230e225d2aac52, xrefs: 00007FF62E5E26B3
Redirecting errors to custom writer., xrefs: 00007FF62E5E2709
--- Invoked %s [version: %s, commit hash: %s] main = {, xrefs: 00007FF62E5E26CD

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: CriticalSection$fflush$EnterLeave__acrt_iob_func$EnvironmentErrorLastVariable__stdio_common_vfwprintf_invalid_parameter_noinfo_noreturnfputwc
String ID: --- Invoked %s [version: %s, commit hash: %s] main = {$6.0.26$Redirecting errors to custom writer.$apphost$dc45e96840243b203b13e61952230e225d2aac52
API String ID: 3223879508-1783827699
Opcode ID: 350a5edf093ae0ad086516d0697309f0a4ec986958250bd9a3aa45c930d59259
Instruction ID: 48d90b2f4f56a97945ae902002013fe91e6143145c8ae22bd9dc8df5786f2339
Opcode Fuzzy Hash: 350a5edf093ae0ad086516d0697309f0a4ec986958250bd9a3aa45c930d59259
Instruction Fuzzy Hash: 40312124A38F4281EE109B60EC741B92361BF68B45F48103DF94EE32A6DE7EE549C342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D2480 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 239
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterEventSourceW.ADVAPI32 ref: 00007FF62E5D24B7

Part of subcall function 00007FF62E5D57D0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,?,00007FF62E5D23DC), ref: 00007FF62E5D5933
Part of subcall function 00007FF62E5D57D0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5D5981

ReportEventW.ADVAPI32 ref: 00007FF62E5D27D1
DeregisterEventSource.ADVAPI32 ref: 00007FF62E5D27DA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D2818

Strings

Application: , xrefs: 00007FF62E5D2526, 00007FF62E5D2546
Description: A .NET application failed., xrefs: 00007FF62E5D24E1
Path: , xrefs: 00007FF62E5D25EA, 00007FF62E5D260A
(, xrefs: 00007FF62E5D24D8
Message: , xrefs: 00007FF62E5D26A3, 00007FF62E5D26C3
.NET Runtime, xrefs: 00007FF62E5D24AE

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: Event$Source_invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDeregisterRegisterReport
String ID: ($.NET Runtime$Application: $Description: A .NET application failed.$Message: $Path:
API String ID: 1590356926-970997692
Opcode ID: e69c02a80248be455c259719f3e539824fe67ed41d84da92768ef9c93390835b
Instruction ID: 5dc1490d72f567429b4ed30c1a17114f8d6bb817dabdf8a9e4554debbfe502f4
Opcode Fuzzy Hash: e69c02a80248be455c259719f3e539824fe67ed41d84da92768ef9c93390835b
Instruction Fuzzy Hash: 51B1CD6AB24B4584EF14CF61E8602AD2371FB68B98F44113AEE4DA7B68EF3DD144C341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5E3ADC Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF62E5E3AF0

Part of subcall function 00007FF62E5E3790: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF62E5E37B2

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF62E5E3B05
__scrt_release_startup_lock.LIBCMT ref: 00007FF62E5E3B73
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E3BC1
_get_initial_wide_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E3BC6
__p___wargv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E3BCE
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E3BD6
__scrt_is_managed_app.LIBCMT ref: 00007FF62E5E3BEA
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E3BF8
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E3C52

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: __p___argc__p___wargv__scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_wide_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 3940706900-0
Opcode ID: 9baad04e32da97dfe58c31f91464f54df98b2aa5717a7082cef238bb28c49e17
Instruction ID: e127105166967266f43d9e2efbf9ba27956ccdaab50e621b3eb13c9455f28ba6
Opcode Fuzzy Hash: 9baad04e32da97dfe58c31f91464f54df98b2aa5717a7082cef238bb28c49e17
Instruction Fuzzy Hash: 58310A21A2CE4241EE14AB25AC363B92291AF65784F4C553CFA4EE72D7DE3EE4058242

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D3C40 Relevance: 7.9, APIs: 5, Instructions: 361
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF62E5DDD10: GetModuleFileNameW.KERNEL32 ref: 00007FF62E5DDDE7
Part of subcall function 00007FF62E5DDD10: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5DDEDE

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D3F59
GetModuleHandleW.KERNEL32 ref: 00007FF62E5D3F98
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D3FF7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D404B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5D4084

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Module$Concurrency::cancel_current_taskFileHandleName
String ID:
API String ID: 1091411171-0
Opcode ID: e55fe4e6014d1dff07f6d5449918019ceea8d0041f3cd64099c86efab912ce9a
Instruction ID: e6f322f3cfbe3212a3c67084d33ae6ddad073a7b7c43e858ba247dc1ae6cff00
Opcode Fuzzy Hash: e55fe4e6014d1dff07f6d5449918019ceea8d0041f3cd64099c86efab912ce9a
Instruction Fuzzy Hash: 75F1EF26B24B4685EF14CF64E8243AC23A5EB247A8F444639EE6D63BD8DF3ED444C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5E39F0 Relevance: 4.6, APIs: 3, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF62E5E37DC: _initialize_onexit_table.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E3816

_RTC_Initialize.LIBCMT ref: 00007FF62E5E3A28
_configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF62E5E3A74
_initialize_wide_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E3A82

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: Initialize_configthreadlocale_initialize_onexit_table_initialize_wide_environment
String ID:
API String ID: 2955177221-0
Opcode ID: 179c0bb19fa0e0eb09f19558a3c2f6784e9049ed7313d69cca476d26072ad358
Instruction ID: 4b2f8e96e26469a9137e16e01ffd6277a58e8f574c129976464ba93a410a0759
Opcode Fuzzy Hash: 179c0bb19fa0e0eb09f19558a3c2f6784e9049ed7313d69cca476d26072ad358
Instruction Fuzzy Hash: 45115814E28A8346FE1876B16CB62BD11824FB9350F4C143CF54DF62C3AE3EA8864263

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF62E5D2BA0 Relevance: 62.1, APIs: 21, Strings: 14, Instructions: 884windowCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF62E5D2C04
GetLastError.KERNEL32 ref: 00007FF62E5D2C14
GetEnvironmentVariableW.KERNEL32 ref: 00007FF62E5D2C6D
_wtoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF62E5D2CB9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D2DC2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D2E8B
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF62E5D3020
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF62E5D305E
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF62E5D31A6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D3469
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D3470
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF62E5D34E5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D377C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D3783
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D381E
MessageBoxW.USER32 ref: 00007FF62E5D39CD
ShellExecuteW.SHELL32 ref: 00007FF62E5D3A02
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D3A43
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D3A9C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D3AF5
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5D3B31

Strings

framework resolution:, xrefs: 00007FF62E5D388D
&gui=true, xrefs: 00007FF62E5D394E, 00007FF62E5D3969
https://aka.ms/dotnet/app-launch-failed, xrefs: 00007FF62E5D38E2, 00007FF62E5D38FD
&apphost_version=, xrefs: 00007FF62E5D36D8, 00007FF62E5D36F3
Failed to read environment variable [%s], HRESULT: 0x%X, xrefs: 00007FF62E5D2C3B
Would you like to download it now?Learn about , xrefs: 00007FF62E5D385D, 00007FF62E5D3878
Showing error dialog for application: '%s' - error code: 0x%x - url: '%s' - dialog message: %s, xrefs: 00007FF62E5D39A8
6.0.26, xrefs: 00007FF62E5D3744, 00007FF62E5D3762
Bundle header version compatibility check failed., xrefs: 00007FF62E5D34DE
runtime installation:, xrefs: 00007FF62E5D3894
(, xrefs: 00007FF62E5D38F4
You must install or update .NET to run this application., xrefs: 00007FF62E5D2EB5
DOTNET_DISABLE_GUI_ERRORS, xrefs: 00007FF62E5D2BFD, 00007FF62E5D2C34, 00007FF62E5D2C66
open, xrefs: 00007FF62E5D39F9

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$wcsncmp$EnvironmentVariable$Concurrency::cancel_current_taskErrorExecuteLastMessageShell_wtoi
String ID: https://aka.ms/dotnet/app-launch-failed$&apphost_version=$&gui=true$($6.0.26$Bundle header version compatibility check failed.$DOTNET_DISABLE_GUI_ERRORS$Failed to read environment variable [%s], HRESULT: 0x%X$Showing error dialog for application: '%s' - error code: 0x%x - url: '%s' - dialog message: %s$Would you like to download it now?Learn about $You must install or update .NET to run this application.$framework resolution:$open$runtime installation:
API String ID: 2183938501-3084740795
Opcode ID: a3fe6fedfa3e2b978aed788e891d11d6aee9162becca560793c00ac4bcd4ca28
Instruction ID: 4de81d8e2298dcaba7b503d56cdb7e3b0c4e7e1ea1c82a364e85871746188e7d
Opcode Fuzzy Hash: a3fe6fedfa3e2b978aed788e891d11d6aee9162becca560793c00ac4bcd4ca28
Instruction Fuzzy Hash: D2929E66A24B8285EF20CF24DC643EC2361FB64798F40523AFA5D97AD9DF79E185C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5DEFF0 Relevance: 45.8, APIs: 13, Strings: 13, Instructions: 272
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF62E5DF073
GetLastError.KERNEL32 ref: 00007FF62E5DF083
RegOpenKeyExW.ADVAPI32 ref: 00007FF62E5DF100
GetEnvironmentVariableW.KERNEL32 ref: 00007FF62E5DF145
RegGetValueW.ADVAPI32 ref: 00007FF62E5DF1C5
RegGetValueW.ADVAPI32 ref: 00007FF62E5DF289
RegCloseKey.ADVAPI32 ref: 00007FF62E5DF2A5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5DF304

Part of subcall function 00007FF62E5E3718: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62E5D1C4D), ref: 00007FF62E5E3732

RegCloseKey.ADVAPI32 ref: 00007FF62E5DF327
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5DF366
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5DF3BA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5DF3F1

Strings

HKCU\, xrefs: 00007FF62E5DECB0
x64, xrefs: 00007FF62E5DEA37, 00007FF62E5DEA58
InstallLocation, xrefs: 00007FF62E5DEB76
Failed to read environment variable [%s], HRESULT: 0x%X, xrefs: 00007FF62E5DE4D3, 00007FF62E5DE540, 00007FF62E5DF0A6
Can't open the SDK installed location registry key, result: 0x%X, xrefs: 00007FF62E5DF110
_DOTNET_TEST_GLOBALLY_REGISTERED_PATH, xrefs: 00007FF62E5DF06C, 00007FF62E5DF09F, 00007FF62E5DF13E
\Setup\InstalledVersions\, xrefs: 00007FF62E5DE9B7
Can't get the size of the SDK location registry value or it's empty, result: 0x%X, xrefs: 00007FF62E5DF317
SOFTWARE\dotnet, xrefs: 00007FF62E5DE450
Can't get the value of the SDK location registry value, result: 0x%X, xrefs: 00007FF62E5DF295
_DOTNET_TEST_REGISTRY_PATH, xrefs: 00007FF62E5DE499, 00007FF62E5DE4CC, 00007FF62E5DE508, 00007FF62E5DE539
HKEY_CURRENT_USER\, xrefs: 00007FF62E5DE58F
HKLM\, xrefs: 00007FF62E5DECB7, 00007FF62E5DEFFE

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseEnvironmentValueVariable$Concurrency::cancel_current_taskErrorLastOpenmalloc
String ID: Can't get the size of the SDK location registry value or it's empty, result: 0x%X$Can't get the value of the SDK location registry value, result: 0x%X$Can't open the SDK installed location registry key, result: 0x%X$Failed to read environment variable [%s], HRESULT: 0x%X$HKCU\$HKEY_CURRENT_USER\$HKLM\$InstallLocation$SOFTWARE\dotnet$\Setup\InstalledVersions\$_DOTNET_TEST_GLOBALLY_REGISTERED_PATH$_DOTNET_TEST_REGISTRY_PATH$x64
API String ID: 1906321200-3907257641
Opcode ID: a7b7202842ca20de65efdfe0564e3f21e84a96a5e03aa9aee9432afd4b7e57a8
Instruction ID: 32956823ac6d5de4133695ae18bcd6638b1ae14aea4706a4dd96d76301bf0eaa
Opcode Fuzzy Hash: a7b7202842ca20de65efdfe0564e3f21e84a96a5e03aa9aee9432afd4b7e57a8
Instruction Fuzzy Hash: DCB1C426F28A0285EF10CB62EC602BD23A1EB54798F444239EE5DA7BD9DF3ED145C341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D6750 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF62E5D67B7
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62E5D67C3
GetEnvironmentVariableW.KERNEL32 ref: 00007FF62E5D67F2
GetLastError.KERNEL32 ref: 00007FF62E5D680A
GetEnvironmentVariableW.KERNEL32 ref: 00007FF62E5D68EF
GetEnvironmentVariableW.KERNEL32 ref: 00007FF62E5D6920
GetLastError.KERNEL32 ref: 00007FF62E5D692A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D69D6
LeaveCriticalSection.KERNEL32 ref: 00007FF62E5D69F6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D6A54

Strings

Unable to open COREHOST_TRACEFILE=%s for writing, xrefs: 00007FF62E5D6A0F
Failed to read environment variable [%s], HRESULT: 0x%X, xrefs: 00007FF62E5D6831, 00007FF62E5D694D
COREHOST_TRACE_VERBOSITY, xrefs: 00007FF62E5D68E8, 00007FF62E5D6919, 00007FF62E5D6946
COREHOST_TRACEFILE, xrefs: 00007FF62E5D67EB, 00007FF62E5D682A, 00007FF62E5D685F

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: EnvironmentVariable$CriticalErrorLastSection_invalid_parameter_noinfo_noreturn$EnterLeave__acrt_iob_func
String ID: COREHOST_TRACEFILE$COREHOST_TRACE_VERBOSITY$Failed to read environment variable [%s], HRESULT: 0x%X$Unable to open COREHOST_TRACEFILE=%s for writing
API String ID: 3064537429-1641920025
Opcode ID: 88771679a748c143c17eb09de76398be2fb1bdf63250da61755db2bf8c3aaaac
Instruction ID: ee92d452e201e3ee8055f5bec34b6527fe36f8109a9cd4b689f7816053ce5dc6
Opcode Fuzzy Hash: 88771679a748c143c17eb09de76398be2fb1bdf63250da61755db2bf8c3aaaac
Instruction Fuzzy Hash: 2B918D25F24A0284FF00CB65EC642BD23A1BB65798F581139ED5EE36A5DF7EE4458302

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D9C20 Relevance: 30.5, APIs: 13, Strings: 4, Instructions: 757COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D9D2C
wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF62E5D9D54
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D9DAE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D9ED2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5DA0AF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5DA1C4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5DA450
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5DA61C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5DA6D1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5DA727
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5DA73B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5DA741

Part of subcall function 00007FF62E5E3718: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62E5D1C4D), ref: 00007FF62E5E3732

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5DA76D

Strings

stoul argument out of range, xrefs: 00007FF62E5DA754
,, xrefs: 00007FF62E5DA16F
invalid stoul argument, xrefs: 00007FF62E5DA747
., xrefs: 00007FF62E5D9995

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$_errnomallocwcstoul
String ID: ,$.$invalid stoul argument$stoul argument out of range
API String ID: 1031985940-164841169
Opcode ID: 7ef8e38316318c0ff259c727d84d1475dcce39112a0cffbc2f186418e9e429bb
Instruction ID: 9653d80019e22637dc2bd30fee833b4c636b22a808eaaba79e6181e548534938
Opcode Fuzzy Hash: 7ef8e38316318c0ff259c727d84d1475dcce39112a0cffbc2f186418e9e429bb
Instruction Fuzzy Hash: 8F62E736B28B4281EE109B14D96437E6361EB557E4F504239FA6DA3BE9DF7EE080C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5DF400 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF62E5DF473
GetProcAddress.KERNEL32 ref: 00007FF62E5DF48C

Strings

ntdll.dll, xrefs: 00007FF62E5DF46C
win7, xrefs: 00007FF62E5DF4FC
RtlGetVersion, xrefs: 00007FF62E5DF482
win, xrefs: 00007FF62E5DF516
win81, xrefs: 00007FF62E5DF4DA
win8, xrefs: 00007FF62E5DF4EB

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll$win$win7$win8$win81
API String ID: 2574300362-238241336
Opcode ID: 1c347d411ba30a8b4a3fe03b3f85ecdf011b61d078eaca487c314b95127a5920
Instruction ID: 6ac84d6bce7894f591c7424ce7c182ff8ac1155ee2b64a09c0e3be9c9da88b35
Opcode Fuzzy Hash: 1c347d411ba30a8b4a3fe03b3f85ecdf011b61d078eaca487c314b95127a5920
Instruction Fuzzy Hash: 0151D675A2CB8286EE10DF25E8603AA7361FBA4790F844139F64D93B94DF7EE400C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5DFB00 Relevance: 13.9, APIs: 9, Instructions: 406fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF62E5DFE12
FindNextFileW.KERNEL32 ref: 00007FF62E5E0038
FindClose.KERNEL32 ref: 00007FF62E5E0049
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E0089
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E0090
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E0097
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E00EF
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5E0125
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5E012B

Part of subcall function 00007FF62E5E3718: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62E5D1C4D), ref: 00007FF62E5E3732

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Find$Concurrency::cancel_current_taskFile$CloseFirstNextmalloc
String ID:
API String ID: 2417148112-0
Opcode ID: 4de97b4dcda384b496e58fa6990f5ce76aeaeb5985e9e0e4492b687040ff640b
Instruction ID: b8ffd63439f4d85cf1204edfd96209b664ab7ec5511de14f6441926581ac3d87
Opcode Fuzzy Hash: 4de97b4dcda384b496e58fa6990f5ce76aeaeb5985e9e0e4492b687040ff640b
Instruction Fuzzy Hash: 85F10922B28A8280EE108B25EC643B96391EF657E4F544239FE5DA36E4DF7DD581C311

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5E4120 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF62E5E413C
RtlCaptureContext.KERNEL32 ref: 00007FF62E5E4169
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF62E5E4183
RtlVirtualUnwind.KERNEL32 ref: 00007FF62E5E41C4
IsDebuggerPresent.KERNEL32 ref: 00007FF62E5E4218
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF62E5E4239
UnhandledExceptionFilter.KERNEL32 ref: 00007FF62E5E4244

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 98f326408a43c49323143dc62a80fd424c8c6b2329f9185471fd778eda5b9060
Instruction ID: 8c72534989c6e855d8136a032e88f5f17b8f4c8bbb130bb74778a2b8b00560af
Opcode Fuzzy Hash: 98f326408a43c49323143dc62a80fd424c8c6b2329f9185471fd778eda5b9060
Instruction Fuzzy Hash: D9315A72618E818AEF648F60E8603ED2361FBA8744F48443AEA4E97A95DF39C548C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5E42C8 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c15ffedba99abd84fb0b0588364e65f2de8faf221ed5ba893e7e25a6afcfbef
Instruction ID: 35daf539607f74af101b5744eda4509307c87ca9aa65e8144f3c183bdeb61f69
Opcode Fuzzy Hash: 4c15ffedba99abd84fb0b0588364e65f2de8faf221ed5ba893e7e25a6afcfbef
Instruction Fuzzy Hash: 01A00126928C12D0EE4A8B20AC600242220AB65340B885439F00DA50A19F3EA8818206

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5E1120 Relevance: 44.2, APIs: 9, Strings: 16, Instructions: 427
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E11FE

Part of subcall function 00007FF62E5D6FC0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D7113
Part of subcall function 00007FF62E5D6FC0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D7184

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E1493

Part of subcall function 00007FF62E5DEFF0: GetEnvironmentVariableW.KERNEL32 ref: 00007FF62E5DF073
Part of subcall function 00007FF62E5DEFF0: GetLastError.KERNEL32 ref: 00007FF62E5DF083
Part of subcall function 00007FF62E5DEFF0: RegOpenKeyExW.ADVAPI32 ref: 00007FF62E5DF100
Part of subcall function 00007FF62E5DEFF0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5DF366

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E15D0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E1616

Part of subcall function 00007FF62E5DE160: GetEnvironmentVariableW.KERNEL32 ref: 00007FF62E5DE1BD
Part of subcall function 00007FF62E5DE160: GetLastError.KERNEL32 ref: 00007FF62E5DE1C9
Part of subcall function 00007FF62E5DE160: GetCurrentProcess.KERNEL32 ref: 00007FF62E5DE1FD
Part of subcall function 00007FF62E5DE160: IsWow64Process.KERNEL32 ref: 00007FF62E5DE20B
Part of subcall function 00007FF62E5DE160: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5DE3B6

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E166D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E16E4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E1738
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E178D

Part of subcall function 00007FF62E5D6BB0: EnterCriticalSection.KERNEL32(?,?,0000000100000004,00000000,00000000,00000000,00000000,00000007,FFFFFFFF,00007FF62E5D6A1B), ref: 00007FF62E5D6BE2
Part of subcall function 00007FF62E5D6BB0: __stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6C1B
Part of subcall function 00007FF62E5D6BB0: __stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6CEB
Part of subcall function 00007FF62E5D6BB0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D0E
Part of subcall function 00007FF62E5D6BB0: fputws.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D1A
Part of subcall function 00007FF62E5D6BB0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D25
Part of subcall function 00007FF62E5D6BB0: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D33
Part of subcall function 00007FF62E5D6BB0: OutputDebugStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D47
Part of subcall function 00007FF62E5D6BB0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D5B

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5E17A1

Strings

You must install .NET to run this application.App: %sArchitecture: %sApp host version: %s.NET location: Not foundLearn abou, xrefs: 00007FF62E5E158C
x64, xrefs: 00007FF62E5E1585
Resolved fxr [%s]..., xrefs: 00007FF62E5E0EBA, 00007FF62E5E121C
host, xrefs: 00007FF62E5E1352
6.0.26, xrefs: 00007FF62E5E1574
fxr, xrefs: 00007FF62E5E1362
A fatal error occurred, the folder [%s] does not contain any version-numbered child folders, xrefs: 00007FF62E5E0B65
A fatal error occurred, the required library %s could not be found in [%s], xrefs: 00007FF62E5E1012
Considering fxr version=[%s]..., xrefs: 00007FF62E5E093A
Reading fx resolver directory=[%s], xrefs: 00007FF62E5E086F
Detected latest fxr version=[%s]..., xrefs: 00007FF62E5E0E10
The required library %s could not be found. Searched with root path [%s], environment variable [%s], default install location [%s], xrefs: 00007FF62E5E151E
hostfxr.dll, xrefs: 00007FF62E5E0E3A, 00007FF62E5E100B, 00007FF62E5E1185, 00007FF62E5E1517
Using global installation location [%s] as runtime location., xrefs: 00007FF62E5E1313
Using environment variable %s=[%s] as runtime location., xrefs: 00007FF62E5E12C6
A fatal error occurred, the default install location cannot be obtained., xrefs: 00007FF62E5E12F0

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__acrt_iob_func$EnvironmentErrorLastProcessVariable__stdio_common_vswprintf$Concurrency::cancel_current_taskCriticalCurrentDebugEnterOpenOutputSectionStringWow64fputwcfputws
String ID: 6.0.26$A fatal error occurred, the default install location cannot be obtained.$A fatal error occurred, the folder [%s] does not contain any version-numbered child folders$A fatal error occurred, the required library %s could not be found in [%s]$Considering fxr version=[%s]...$Detected latest fxr version=[%s]...$Reading fx resolver directory=[%s]$Resolved fxr [%s]...$The required library %s could not be found. Searched with root path [%s], environment variable [%s], default install location [%s]$Using environment variable %s=[%s] as runtime location.$Using global installation location [%s] as runtime location.$You must install .NET to run this application.App: %sArchitecture: %sApp host version: %s.NET location: Not foundLearn abou$fxr$host$hostfxr.dll$x64
API String ID: 2036119248-3898005199
Opcode ID: fd15f0103e346f8351e56e5115226750c286214b22c1d53048c53747ed92fd86
Instruction ID: c1cc981fd867785bbceb62b26ddb4f3fe2bb01ecf00f7c7af280e99134d3ba07
Opcode Fuzzy Hash: fd15f0103e346f8351e56e5115226750c286214b22c1d53048c53747ed92fd86
Instruction Fuzzy Hash: 1812D662F28F4280EF04DB64E9643AD2361EB543A8F440239FA5DA7AE9DF7DD485C311

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5DE160 Relevance: 36.9, APIs: 11, Strings: 10, Instructions: 158
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF62E5DE1BD
GetLastError.KERNEL32 ref: 00007FF62E5DE1C9
GetCurrentProcess.KERNEL32 ref: 00007FF62E5DE1FD
IsWow64Process.KERNEL32 ref: 00007FF62E5DE20B
GetEnvironmentVariableW.KERNEL32 ref: 00007FF62E5DE26C
LoadLibraryExW.KERNEL32 ref: 00007FF62E5DE2F1
GetLastError.KERNEL32 ref: 00007FF62E5DE2FC
GetProcAddress.KERNEL32 ref: 00007FF62E5DE31C
GetCurrentProcess.KERNEL32 ref: 00007FF62E5DE32A
GetLastError.KERNEL32 ref: 00007FF62E5DE34A

Part of subcall function 00007FF62E5D71B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D726B

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5DE3B6

Strings

ProgramFiles, xrefs: 00007FF62E5DE223
Call to IsWow64Process2 failed: %u, xrefs: 00007FF62E5DE352
ProgramFiles(x86), xrefs: 00007FF62E5DE21A
Could not load 'kernel32.dll': %u, xrefs: 00007FF62E5DE304
x64, xrefs: 00007FF62E5DE36C
_DOTNET_TEST_DEFAULT_INSTALL_PATH, xrefs: 00007FF62E5DE1B6, 00007FF62E5DE1E5, 00007FF62E5DE265
kernel32.dll, xrefs: 00007FF62E5DE2EA
Failed to read environment variable [%s], HRESULT: 0x%X, xrefs: 00007FF62E5DE1EC
IsWow64Process2, xrefs: 00007FF62E5DE312
dotnet, xrefs: 00007FF62E5DE2D3

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: ErrorLastProcess$CurrentEnvironmentVariable_invalid_parameter_noinfo_noreturn$AddressLibraryLoadProcWow64
String ID: Call to IsWow64Process2 failed: %u$Could not load 'kernel32.dll': %u$Failed to read environment variable [%s], HRESULT: 0x%X$IsWow64Process2$ProgramFiles$ProgramFiles(x86)$_DOTNET_TEST_DEFAULT_INSTALL_PATH$dotnet$kernel32.dll$x64
API String ID: 2279001996-1892901996
Opcode ID: 185217d042381de5a9c557a0287e59a933322b4926c4a7fff026822e0fdb4640
Instruction ID: 4fccde6f7778936e3eff67417d5c475f4661577ac129064051567f389e4a9f70
Opcode Fuzzy Hash: 185217d042381de5a9c557a0287e59a933322b4926c4a7fff026822e0fdb4640
Instruction Fuzzy Hash: 8E61A025F2CA0281FE109B21EC642B933A1FFA5790F480139F95DE2695DF3EE945C342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D64E0 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF62E5D6537
GetLastError.KERNEL32 ref: 00007FF62E5D6543
GetEnvironmentVariableW.KERNEL32 ref: 00007FF62E5D65A6
_wtoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF62E5D65E4
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF62E5D6601
_gmtime64_s.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF62E5D6628
wcsftime.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF62E5D6643
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D66D1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D6717

Strings

COREHOST_TRACE, xrefs: 00007FF62E5D6530, 00007FF62E5D6563, 00007FF62E5D659F
Failed to read environment variable [%s], HRESULT: 0x%X, xrefs: 00007FF62E5D656A
Tracing enabled @ %s, xrefs: 00007FF62E5D668C
%c GMT, xrefs: 00007FF62E5D6633

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: EnvironmentVariable_invalid_parameter_noinfo_noreturn$ErrorLast_gmtime64_s_time64_wtoiwcsftime
String ID: %c GMT$COREHOST_TRACE$Failed to read environment variable [%s], HRESULT: 0x%X$Tracing enabled @ %s
API String ID: 29591814-1875902258
Opcode ID: b9b73a2a91235428ad1dbece82736edbb4fd0da49cd5566e20efd095bbedb76e
Instruction ID: 80a14d836f2b7509f8a9fc874c77c7b442f4e44f1172a86c7e1c743d5ce03338
Opcode Fuzzy Hash: b9b73a2a91235428ad1dbece82736edbb4fd0da49cd5566e20efd095bbedb76e
Instruction Fuzzy Hash: 6161F872A28B4681EF108B24EC6036D23A1FBA4794F540239F65DE36E4DF7EE485C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D1C10 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_Getwctype.LIBCPMT ref: 00007FF62E5D1DE1

Part of subcall function 00007FF62E5E3718: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62E5D1C4D), ref: 00007FF62E5E3732

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF62E5D1C79
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF62E5D1CC4
_Getctype.LIBCPMT ref: 00007FF62E5D1CDC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5D1D2D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5D1D40
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5D1D53
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5D1D66
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5D1D79
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5D1D8C
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF62E5D1D9A

Strings

bad locale name, xrefs: 00007FF62E5D1DBD

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: free$std::_$Lockit$GetctypeGetwctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_malloc
String ID: bad locale name
API String ID: 3869375685-1405518554
Opcode ID: ee6288f85be6d1be3f4980db941b8ce6f7c73a40d33900b2f2e388a4fe95c86c
Instruction ID: bfa39c916eb6b095ea58b6abfb1c0c5fa448c763b4f5567152d2bc470ef4041c
Opcode Fuzzy Hash: ee6288f85be6d1be3f4980db941b8ce6f7c73a40d33900b2f2e388a4fe95c86c
Instruction Fuzzy Hash: 8B517B26F19B418AEF15DBB0D9602AC33B4AF68744B080139EE4DB3A65CF39A466C351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5DD6E0 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF62E5DD719

Part of subcall function 00007FF62E5E3460: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FF62E5D1CF9), ref: 00007FF62E5E3480
Part of subcall function 00007FF62E5E3460: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FF62E5D1CF9), ref: 00007FF62E5E348F
Part of subcall function 00007FF62E5E3460: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FF62E5D1CF9), ref: 00007FF62E5E34AA

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5DD796
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5DD818
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5DD8C8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5DD9DC
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5DD9E2
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5DD9E8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5DDA02
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5DDA0C

Strings

false, xrefs: 00007FF62E5DD7BF
true, xrefs: 00007FF62E5DD87A

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: Concurrency::cancel_current_taskcalloc$free$___lc_codepage_func___lc_locale_name_func__pctype_funclocaleconv
String ID: false$true
API String ID: 2692559698-2658103896
Opcode ID: 3917893eaca84c61b31c9444f81e8c2d23554261cef87bda6cd7c48a81861222
Instruction ID: cc1bf5f2c6069d27e23cd4e4bf66b1c3c1f6701b07b02423a4b5624e8d815046
Opcode Fuzzy Hash: 3917893eaca84c61b31c9444f81e8c2d23554261cef87bda6cd7c48a81861222
Instruction Fuzzy Hash: 8DA1C126B29B4685EB10CF70D8102AD33B5FB59B98F050239EE4CA7B59EF3AD516C341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5DA900 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF62E5DA9BE
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF62E5DA9E6
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF62E5DAA13
std::_Facet_Register.LIBCPMT ref: 00007FF62E5DAA89
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF62E5DAAAA

Strings

ios_base::failbit set, xrefs: 00007FF62E5DABDD
ios_base::eofbit set, xrefs: 00007FF62E5DABE4
ios_base::badbit set, xrefs: 00007FF62E5DABD1

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 459529453-1866435925
Opcode ID: 1ed02d35e11ea6a30be12da75785a1c50de9abd0665852f5b43d4e1d766091c8
Instruction ID: 2b4c22c078feb77225a6667fda423890e548ab9e6f30f1b8bf5197d826615809
Opcode Fuzzy Hash: 1ed02d35e11ea6a30be12da75785a1c50de9abd0665852f5b43d4e1d766091c8
Instruction Fuzzy Hash: D8B17126618B8581EF10CB15E9643BAA360FFA4B94F04413AFE4DA37A5DF3ED445C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5DD3C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF62E5E3718: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62E5D1C4D), ref: 00007FF62E5E3732

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF62E5DD42E
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF62E5DD476
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF62E5DD4B6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF62E5DD4C9
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF62E5DD4DC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF62E5DD4EF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF62E5DD502
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF62E5DD515
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF62E5DD523

Strings

bad locale name, xrefs: 00007FF62E5DD546

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: free$std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_malloc
String ID: bad locale name
API String ID: 2125654041-1405518554
Opcode ID: 27aaee594dc21d4a569ffc6f82f316202a40387fcd697ca08dce96372995476d
Instruction ID: 42f06a0e3721d01dba2a7fdc0d629bcc7b8ecf08614b4eb7acb023c63efef5c0
Opcode Fuzzy Hash: 27aaee594dc21d4a569ffc6f82f316202a40387fcd697ca08dce96372995476d
Instruction Fuzzy Hash: 88416A36A5AB418AEF11CF70D8A02AC33A4EF65708F080538EE0DB2A59CF3AD515D356

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5DD560 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF62E5E3718: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62E5D1C4D), ref: 00007FF62E5E3732

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF62E5DD5C9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF62E5DD614
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5DD63D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5DD650
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5DD663
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5DD676
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5DD689
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5DD69C
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF62E5DD6AA

Strings

bad locale name, xrefs: 00007FF62E5DD6CD

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: free$std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_malloc
String ID: bad locale name
API String ID: 2125654041-1405518554
Opcode ID: ec59430a67cc044530dfa984ce1c8ec2e9156a052a1223e2b090c3e470db73a3
Instruction ID: ef5298fa670d8501b9ef3cae34853b09486df4bfd9bb5337c8e4ef63345c3070
Opcode Fuzzy Hash: ec59430a67cc044530dfa984ce1c8ec2e9156a052a1223e2b090c3e470db73a3
Instruction Fuzzy Hash: 38414926A5AB4189EF10DF70D8A02AC33A4EF65748F080538EE4DB2A65CF3AD525D356

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D7780 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 198COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF62E5D77D7
GetEnvironmentVariableW.KERNEL32 ref: 00007FF62E5D780F
GetLastError.KERNEL32 ref: 00007FF62E5D781D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D7904
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D797A

Strings

DOTNET_RUNTIME_ID, xrefs: 00007FF62E5D77D0, 00007FF62E5D7808, 00007FF62E5D7839
win10, xrefs: 00007FF62E5D7933
x64, xrefs: 00007FF62E5D7A28, 00007FF62E5D7A44
Failed to read environment variable [%s], HRESULT: 0x%X, xrefs: 00007FF62E5D7840

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: EnvironmentVariable_invalid_parameter_noinfo_noreturn$ErrorLast
String ID: DOTNET_RUNTIME_ID$Failed to read environment variable [%s], HRESULT: 0x%X$win10$x64
API String ID: 1055180287-4222452407
Opcode ID: b4dd305fcbae1f409cc1e5e7405e1e890a99bb3a8150e5303c1d22e027a86964
Instruction ID: 53076acaed28c0445855f0999fdf3dea6960d6879cb3e55598b35de3e81c745f
Opcode Fuzzy Hash: b4dd305fcbae1f409cc1e5e7405e1e890a99bb3a8150e5303c1d22e027a86964
Instruction Fuzzy Hash: A091BF66F24B4184FF00CB75E8603AD2371AB647A8F545239FE5DA3A99DF39E181C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5E17E0 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 163COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF62E5E1858
MultiByteToWideChar.KERNEL32 ref: 00007FF62E5E189A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E19D8

Part of subcall function 00007FF62E5D6BB0: EnterCriticalSection.KERNEL32(?,?,0000000100000004,00000000,00000000,00000000,00000000,00000007,FFFFFFFF,00007FF62E5D6A1B), ref: 00007FF62E5D6BE2
Part of subcall function 00007FF62E5D6BB0: __stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6C1B
Part of subcall function 00007FF62E5D6BB0: __stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6CEB
Part of subcall function 00007FF62E5D6BB0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D0E
Part of subcall function 00007FF62E5D6BB0: fputws.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D1A
Part of subcall function 00007FF62E5D6BB0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D25
Part of subcall function 00007FF62E5D6BB0: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D33
Part of subcall function 00007FF62E5D6BB0: OutputDebugStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D47
Part of subcall function 00007FF62E5D6BB0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D5B

Strings

74e592c2fa383d4a3960714caef0c4f2, xrefs: 00007FF62E5E1960
c3ab8ff13720e8ad9047dd39466b3c89, xrefs: 00007FF62E5E191A
The managed DLL bound to this executable could not be retrieved from the executable image., xrefs: 00007FF62E5E19EC
WinUI.dll, xrefs: 00007FF62E5E180A
This executable is not bound to a managed DLL to execute. The binding value is: '%s', xrefs: 00007FF62E5E1982
The managed DLL bound to this executable is: '%s', xrefs: 00007FF62E5E199F

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: __acrt_iob_func$ByteCharMultiWide__stdio_common_vswprintf$CriticalDebugEnterOutputSectionString_invalid_parameter_noinfo_noreturnfputwcfputws
String ID: 74e592c2fa383d4a3960714caef0c4f2$The managed DLL bound to this executable could not be retrieved from the executable image.$The managed DLL bound to this executable is: '%s'$This executable is not bound to a managed DLL to execute. The binding value is: '%s'$WinUI.dll$c3ab8ff13720e8ad9047dd39466b3c89
API String ID: 1778511166-3694144917
Opcode ID: 7ed54c74e417ad20565162e4993666ac240e9b321e91315c463d338e00064cdd
Instruction ID: 009cfc7ce1df788711108565361ecc865b11aed92f0ba4830e59aead12f2f979
Opcode Fuzzy Hash: 7ed54c74e417ad20565162e4993666ac240e9b321e91315c463d338e00064cdd
Instruction Fuzzy Hash: A151D221B28E8185EF149F25ED602B96391FF64BD0F485539FA9DA3B99CF3ED4418302

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5DDF10 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 149libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF62E5DDFDA
GetLastError.KERNEL32 ref: 00007FF62E5DDFE8
GetModuleHandleExW.KERNEL32 ref: 00007FF62E5DE035
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5DE0E8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5DE12D

Strings

Failed to load the dll from [%s], HRESULT: 0x%X, xrefs: 00007FF62E5DE00B
Failed to pin library [%s] in [%s], xrefs: 00007FF62E5DE054
Loaded library from %s, xrefs: 00007FF62E5DE0A4
pal::load_library, xrefs: 00007FF62E5DE04D

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorHandleLastLibraryLoadModule
String ID: Failed to load the dll from [%s], HRESULT: 0x%X$Failed to pin library [%s] in [%s]$Loaded library from %s$pal::load_library
API String ID: 2518456378-4234151505
Opcode ID: 44a55972f72e8af0b1df553a19f44d7be126c3ce0afd211a4839dd5edd71754d
Instruction ID: d3634af3a7b67c3aab738247dcf4b261d1938ebedec293d98b754040ab514771
Opcode Fuzzy Hash: 44a55972f72e8af0b1df553a19f44d7be126c3ce0afd211a4839dd5edd71754d
Instruction Fuzzy Hash: FC51A366F24A4288FF00DBA5DC642FC27B1AF65798F944139EE0DA2699DF3DD485C302

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5E6224 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 316COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF62E5E63C2
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF62E5E66E5
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E66FB
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E6713
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E6719

Strings

csm, xrefs: 00007FF62E5E63E9
csm, xrefs: 00007FF62E5E636B
csm, xrefs: 00007FF62E5E6309

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 695522112-393685449
Opcode ID: 837d083d201cbc3135c20fa32617bf00e06923f4267a5697540ee33bd5b85c85
Instruction ID: 1130d3499c0a44706092c9c73ccb50fce955c224c3290e36fd3f8ee2c3dce7d5
Opcode Fuzzy Hash: 837d083d201cbc3135c20fa32617bf00e06923f4267a5697540ee33bd5b85c85
Instruction Fuzzy Hash: D1E1C872928B818AEF109F25D8602AD37E1FB64788F190139EB4DA7796CF79E441C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D7E70 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

toupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF62E5D7F23
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D7FD7
GetCurrentProcess.KERNEL32 ref: 00007FF62E5D8001
IsWow64Process.KERNEL32 ref: 00007FF62E5D800F

Strings

x64, xrefs: 00007FF62E5D7ECB
DOTNET_ROOT(x86), xrefs: 00007FF62E5D8026
DOTNET_ROOT_, xrefs: 00007FF62E5D7EA1
DOTNET_ROOT, xrefs: 00007FF62E5D8054

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: Process$CurrentWow64_invalid_parameter_noinfo_noreturntoupper
String ID: DOTNET_ROOT$DOTNET_ROOT(x86)$DOTNET_ROOT_$x64
API String ID: 1386953757-2049366658
Opcode ID: 0ff3c2f889b2d1f5aacf6e1c9933f2f9b731244532a6ff88bf6ad3c6d4344934
Instruction ID: b4c6b86a487b4ff14dc5a69acfc200a52333d8a2b76b7870d06203e58bfb4eb4
Opcode Fuzzy Hash: 0ff3c2f889b2d1f5aacf6e1c9933f2f9b731244532a6ff88bf6ad3c6d4344934
Instruction Fuzzy Hash: E251F766728A8281EE108B11EC642BE7361FB94BD4F445039FA4EA7BA4CF7DE191C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5DF680 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 272COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32 ref: 00007FF62E5DF6F5
GetFullPathNameW.KERNEL32 ref: 00007FF62E5DF71C
GetFullPathNameW.KERNEL32 ref: 00007FF62E5DF834
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5DF8A6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5DFA78
GetFileAttributesExW.KERNEL32 ref: 00007FF62E5DFAA7

Strings

Error resolving full path [%s], xrefs: 00007FF62E5DF73A, 00007FF62E5DF852

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: AttributesFileFullNamePath_invalid_parameter_noinfo_noreturn
String ID: Error resolving full path [%s]
API String ID: 2208424437-1390578158
Opcode ID: 20d65c18bfe167a0d608a7a4ad3ffa716a6aa52231606fd0e64a7edd228aea07
Instruction ID: 816589c9bc4aff786b8e1f06e6d5e2c647797ad6c83103560a96e7b80db695ba
Opcode Fuzzy Hash: 20d65c18bfe167a0d608a7a4ad3ffa716a6aa52231606fd0e64a7edd228aea07
Instruction Fuzzy Hash: BEC10726B38A8281EE10CB16EC642BD6361FFA1B94F541139FA4DA7A98DF3ED444C351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5E7D0C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF62E5E7FBE,?,?,?,00007FF62E5E7C3C,?,?,?,?,00007FF62E5E5971), ref: 00007FF62E5E7D91
GetLastError.KERNEL32(?,?,?,00007FF62E5E7FBE,?,?,?,00007FF62E5E7C3C,?,?,?,?,00007FF62E5E5971), ref: 00007FF62E5E7D9F
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF62E5E7FBE,?,?,?,00007FF62E5E7C3C,?,?,?,?,00007FF62E5E5971), ref: 00007FF62E5E7DB8
LoadLibraryExW.KERNEL32(?,?,?,00007FF62E5E7FBE,?,?,?,00007FF62E5E7C3C,?,?,?,?,00007FF62E5E5971), ref: 00007FF62E5E7DC9
FreeLibrary.KERNEL32(?,?,?,00007FF62E5E7FBE,?,?,?,00007FF62E5E7C3C,?,?,?,?,00007FF62E5E5971), ref: 00007FF62E5E7E0F
GetProcAddress.KERNEL32(?,?,?,00007FF62E5E7FBE,?,?,?,00007FF62E5E7C3C,?,?,?,?,00007FF62E5E5971), ref: 00007FF62E5E7E1B

Strings

api-ms-, xrefs: 00007FF62E5E7DB1

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
String ID: api-ms-
API String ID: 916704608-2084034818
Opcode ID: edc5afeb0e9154ea8fd17a2d4ffbc2fcd00ce1b2753e376130add8ac6e37622c
Instruction ID: 2eca50d72c3d8d2399545be44f9d64c446930dde7116a12a1d7b6c3a9b64db56
Opcode Fuzzy Hash: edc5afeb0e9154ea8fd17a2d4ffbc2fcd00ce1b2753e376130add8ac6e37622c
Instruction Fuzzy Hash: B231C521A3AE4291EE21DB229C206756395FF24B64F5D053CFE1DAB391DF3DE4848342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D80A0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 175COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D8335

Strings

&arch=, xrefs: 00007FF62E5D8196, 00007FF62E5D81B2
x64, xrefs: 00007FF62E5D81F8, 00007FF62E5D8214
missing_runtime=true, xrefs: 00007FF62E5D8134, 00007FF62E5D8150
https://aka.ms/dotnet-core-applaunch?, xrefs: 00007FF62E5D80EE
&rid=, xrefs: 00007FF62E5D8265, 00007FF62E5D8281

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: &arch=$&rid=$https://aka.ms/dotnet-core-applaunch?$missing_runtime=true$x64
API String ID: 3668304517-1194784717
Opcode ID: 9a00aeff54e0026a918295eec5e5a41f703b08e553a679b81d35de23c14eb78b
Instruction ID: f9247e48be08c63ef76a2473b432ca98038b0fcd835a6c8cb03c4f0813b4977e
Opcode Fuzzy Hash: 9a00aeff54e0026a918295eec5e5a41f703b08e553a679b81d35de23c14eb78b
Instruction Fuzzy Hash: A681CD6AA28B4181EF04CF25E92436D2322FB55FC4F94113AEA5DA3798DF3EE115C342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D7AC0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF62E5D7B1D
GetLastError.KERNEL32 ref: 00007FF62E5D7B2A
GetEnvironmentVariableW.KERNEL32 ref: 00007FF62E5D7B85

Part of subcall function 00007FF62E5D6A90: EnterCriticalSection.KERNEL32 ref: 00007FF62E5D6AC2
Part of subcall function 00007FF62E5D6A90: __stdio_common_vfwprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62E5D6AEC
Part of subcall function 00007FF62E5D6A90: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62E5D6AFA
Part of subcall function 00007FF62E5D6A90: LeaveCriticalSection.KERNEL32 ref: 00007FF62E5D6B07

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D7C49

Strings

Did not find [%s] directory [%s], xrefs: 00007FF62E5D7C02
Failed to read environment variable [%s], HRESULT: 0x%X, xrefs: 00007FF62E5D7B4D

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: CriticalEnvironmentSectionVariable$EnterErrorLastLeave__stdio_common_vfwprintf_invalid_parameter_noinfo_noreturnfputwc
String ID: Did not find [%s] directory [%s]$Failed to read environment variable [%s], HRESULT: 0x%X
API String ID: 2627214341-4112875940
Opcode ID: 4d719651c97b153f0903a8f940c09f2524a1f95568e493827c104dbccfed473d
Instruction ID: 519d485235856ade0bdb68e2581dc904351365a6734ac683611eb4fbf56b746a
Opcode Fuzzy Hash: 4d719651c97b153f0903a8f940c09f2524a1f95568e493827c104dbccfed473d
Instruction Fuzzy Hash: 2C41F626628A8185EF109B25EC6427A6361FBA97D0F440239FE9ED37E5DF3ED440C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D8AE0 Relevance: 9.2, APIs: 6, Instructions: 210COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D8CFF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D8D67
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D8DA6
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5D8DE9
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5D8DEF

Part of subcall function 00007FF62E5E3718: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62E5D1C4D), ref: 00007FF62E5E3732

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$malloc
String ID:
API String ID: 2122263803-0
Opcode ID: a5c4a0fc3434579eda36cf7026211656f4616b042b1062987e4aaccf45fcf020
Instruction ID: 20f738f8f1a4c73b9312d10fde4415e04000dab5e91bbf3fd05c955f9ac216c8
Opcode Fuzzy Hash: a5c4a0fc3434579eda36cf7026211656f4616b042b1062987e4aaccf45fcf020
Instruction Fuzzy Hash: 5181EE66A29B4185EE10DB15E82476933A5FB24BA0F590739EABD53BD4DF3EE080C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D8E00 Relevance: 9.2, APIs: 6, Instructions: 199COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D9016
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D907E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D90BD
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5D9100
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5D9106

Part of subcall function 00007FF62E5E3718: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62E5D1C4D), ref: 00007FF62E5E3732

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$malloc
String ID:
API String ID: 2122263803-0
Opcode ID: 2fcf3f1e5a61e990528957049766d6061e05b4cb5307b079f334507ac4678a3d
Instruction ID: 19ab0f8d1b20b73f46fb1ac6b2808a4b73aaeb652d8b6e3e48a79d14a8785458
Opcode Fuzzy Hash: 2fcf3f1e5a61e990528957049766d6061e05b4cb5307b079f334507ac4678a3d
Instruction Fuzzy Hash: 3581A376A28B4281EE109B25E81426973A5FB55BB0F500739FABD63BD9DF7ED480C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D5B20 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF62E5D5B36
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF62E5D5B5B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF62E5D5B85
std::_Facet_Register.LIBCPMT ref: 00007FF62E5D5BF4
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF62E5D5C15
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5D5C2A

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 850ea38bf2c17fbf03df8ec111c7b3874e4e60588dc40c4f730379ad143cf9f9
Instruction ID: f8166ceb42556fb3d48905160ab0f15601b6d1e456fd2be0e8bf85bb8a8030c5
Opcode Fuzzy Hash: 850ea38bf2c17fbf03df8ec111c7b3874e4e60588dc40c4f730379ad143cf9f9
Instruction Fuzzy Hash: 9231D325A2DA42C1FE149B25EC201786360FFA4B94F480139FA4EA37E5CF3EE8418302

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5DCF30 Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF62E5DCF46
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF62E5DCF6B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF62E5DCF95
std::_Facet_Register.LIBCPMT ref: 00007FF62E5DD004
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF62E5DD025
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5DD03A

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: ab8ab814ba3511984cf5ed3c351e9091b53e5478ee9693207cdca9b44a573017
Instruction ID: dfe94140d610fcd0dadcc9c5b8344e2e84a822b629053222bd37fe312b53dc9e
Opcode Fuzzy Hash: ab8ab814ba3511984cf5ed3c351e9091b53e5478ee9693207cdca9b44a573017
Instruction Fuzzy Hash: 9C31B825A28B4281EF159B15EC201F96760FFA5B94F584139FA4DA37D9DF3EE841C302

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D6EA0 Relevance: 9.0, APIs: 6, Instructions: 16COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF62E5D6EAB
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62E5D6EB8
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62E5D6EC3
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62E5D6ECC
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62E5D6ED7
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62E5D6EE0

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: fflush$__acrt_iob_func$CriticalEnterSection
String ID:
API String ID: 3544201161-0
Opcode ID: 2731d0a9e04ccc719c57056ea5c75d87e175fb7864308c06b590a7371e3cb08a
Instruction ID: 585886ea9f224e195fed548841af3186ee159e3137402bcbaec4bf0b6d82752a
Opcode Fuzzy Hash: 2731d0a9e04ccc719c57056ea5c75d87e175fb7864308c06b590a7371e3cb08a
Instruction Fuzzy Hash: 75E05024D29F42C1EF149B65FC791342321AF69B56F48003DF94EA2662DE3E648D9712

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5E6720 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 190COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF62E5E6790

Part of subcall function 00007FF62E5E5C00: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF62E5E4C0A), ref: 00007FF62E5E5C13

_CallSETranslator.LIBVCRUNTIME ref: 00007FF62E5E67DB
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E6A09

Strings

MOC, xrefs: 00007FF62E5E67A4
RCC, xrefs: 00007FF62E5E67AC

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 20d7d184b0056a24742401391fcd3fff5d75678a03bc000d322554d621dbccaf
Instruction ID: b19329a5b2310ba8630c483236399bdd7310ff46b94f90b62bbd78474d8c3803
Opcode Fuzzy Hash: 20d7d184b0056a24742401391fcd3fff5d75678a03bc000d322554d621dbccaf
Instruction Fuzzy Hash: FF91B073A18B818AEB108B65E8502AD7BE0FB18788F18413AEF8DA7755DF39D195C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5E2ECC Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF62E5E2EE9
std::locale::_Setgloballocale.LIBCPMT ref: 00007FF62E5E2F0C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62E5D56BA), ref: 00007FF62E5E2F2D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62E5D56BA), ref: 00007FF62E5E2F4B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF62E5E2FA7

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_Setgloballocalefreemallocstd::locale::_
String ID:
API String ID: 2400387105-0
Opcode ID: 592eadc93bcfca70ad94dbef6ec65dcf479535f9c9af674e3813221da5b35de5
Instruction ID: 77cb9be380a9a69ccd3cf4ba4e55ff234638cb06b3c61ab105d69b4a063488ce
Opcode Fuzzy Hash: 592eadc93bcfca70ad94dbef6ec65dcf479535f9c9af674e3813221da5b35de5
Instruction Fuzzy Hash: 7C217E25A28F4684EF189B22DC6127827A0EF69F84F5D4039EA4DA3769CF3DE481C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D1B00 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF62E5E30AC: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FF62E5D1D24), ref: 00007FF62E5E30BB

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5D1B1B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5D1B30
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5D1B43
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5D1B56
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5D1B69
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62E5D1B7C

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: free$setlocale
String ID:
API String ID: 294139027-0
Opcode ID: 2200f7a366044af2d41774760eacd117e585667a85d04f6b9eb66cfca57ad71f
Instruction ID: bd7b8d5eb899a1c13725e26f07d84467858bcecfa79f5152ad0726d1a15c2e6f
Opcode Fuzzy Hash: 2200f7a366044af2d41774760eacd117e585667a85d04f6b9eb66cfca57ad71f
Instruction Fuzzy Hash: 3411F179A16B4184FF548F61EDA013C63A4EF78F54B180139EA4EA3665DE3ED890C292

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5E6C94 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF62E5E6CBE
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E6F22

Strings

csm, xrefs: 00007FF62E5E6CE3
csm, xrefs: 00007FF62E5E6E52

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: __except_validate_context_recordabort
String ID: csm$csm
API String ID: 746414643-3733052814
Opcode ID: 8d2ec9922b7b23e57f2c68368143aadfdf182c5b97ee631e391647a8024cbedb
Instruction ID: 899d21cb89189c73f38640aec83fb657d8c8cadcf911e2c974981369d59aeb4c
Opcode Fuzzy Hash: 8d2ec9922b7b23e57f2c68368143aadfdf182c5b97ee631e391647a8024cbedb
Instruction Fuzzy Hash: BB71D172918A8186DF648F21D9606797BE1FB14BC4F488139FB8CA7A8ACF7DD451C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5E70E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF62E5E5C00: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF62E5E4C0A), ref: 00007FF62E5E5C13

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF62E5E718A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF62E5E71B6

Strings

csm, xrefs: 00007FF62E5E72B6

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_recordabort
String ID: csm
API String ID: 2466640111-1018135373
Opcode ID: 6256cfcd7fe2c0f316825f703e49b5cf51986b157c45fc6cb264a57f17627ef3
Instruction ID: 87909c500ed3b5f69002d885fb4b984bfb672ec48121363deef4270c8fd9cd70
Opcode Fuzzy Hash: 6256cfcd7fe2c0f316825f703e49b5cf51986b157c45fc6cb264a57f17627ef3
Instruction Fuzzy Hash: 5B517233628B4286DA20EF16E85126E77A4F798B90F581139FB8DA7B55CF3DD450CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D7DD0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D7DF9
wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF62E5D7E20

Strings

stoul argument out of range, xrefs: 00007FF62E5D7E53
invalid stoul argument, xrefs: 00007FF62E5D7E60

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: _errnowcstoul
String ID: invalid stoul argument$stoul argument out of range
API String ID: 4037081904-1365241121
Opcode ID: 4c3c19e3ebd639f358a1cd85e994aaa7d926f5baf9736b011a4fe081f52624fe
Instruction ID: a2025feeb41ca4193376952ad425a5689592758dd249355049976eca99614a20
Opcode Fuzzy Hash: 4c3c19e3ebd639f358a1cd85e994aaa7d926f5baf9736b011a4fe081f52624fe
Instruction Fuzzy Hash: 26110625A28A0181EF548B31E8902A82360EF69764F4C0535F72D97AD5CF3ED881C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5E1A30 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF62E5D6BB0: EnterCriticalSection.KERNEL32(?,?,0000000100000004,00000000,00000000,00000000,00000000,00000007,FFFFFFFF,00007FF62E5D6A1B), ref: 00007FF62E5D6BE2
Part of subcall function 00007FF62E5D6BB0: __stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6C1B
Part of subcall function 00007FF62E5D6BB0: __stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6CEB
Part of subcall function 00007FF62E5D6BB0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D0E
Part of subcall function 00007FF62E5D6BB0: fputws.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D1A
Part of subcall function 00007FF62E5D6BB0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D25
Part of subcall function 00007FF62E5D6BB0: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D33
Part of subcall function 00007FF62E5D6BB0: OutputDebugStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D47
Part of subcall function 00007FF62E5D6BB0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D5B

Part of subcall function 00007FF62E5D6BB0: __stdio_common_vfwprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D89
Part of subcall function 00007FF62E5D6BB0: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6D97
Part of subcall function 00007FF62E5D6BB0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6DCE
Part of subcall function 00007FF62E5D6BB0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF62E5D6DE1

Part of subcall function 00007FF62E5D6BB0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5D6DF7

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E1AC4

Strings

- %s&apphost_version=%s, xrefs: 00007FF62E5E1A7E
_ To run this application, you need to install a newer version of .NET Core., xrefs: 00007FF62E5E1A4E
6.0.26, xrefs: 00007FF62E5E1A77

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: __acrt_iob_func$CriticalSection__stdio_common_vswprintf_invalid_parameter_noinfo_noreturnfputwc$Concurrency::cancel_current_taskDebugEnterLeaveOutputString__stdio_common_vfwprintffputws
String ID: - %s&apphost_version=%s$ _ To run this application, you need to install a newer version of .NET Core.$6.0.26
API String ID: 2481621342-2173233827
Opcode ID: eef8a8882754751be4453aa21360eea06e2765eb80e56675baead4a7a8354280
Instruction ID: 789a5f24a892634170aad7dbef7ba03fd94f566674f34da92ca99dd384426416
Opcode Fuzzy Hash: eef8a8882754751be4453aa21360eea06e2765eb80e56675baead4a7a8354280
Instruction Fuzzy Hash: 8711E961A38E8281FD10EB24EC7517D2361FFA5394F844239F59DA26E9DF3EE5008701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5E4D58 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E4DB8

Strings

MOC, xrefs: 00007FF62E5E4D70
csm, xrefs: 00007FF62E5E4D78
RCC, xrefs: 00007FF62E5E4D68

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: terminate
String ID: MOC$RCC$csm
API String ID: 1821763600-2671469338
Opcode ID: 27b3dcaf4902910b04bd84fc37f66beb2ee0c18d4cc4257ad07ad9c558b915ec
Instruction ID: ee10e7618e8a25b9c424c5768864e61cbb97c391934bff58d0728302c9917e57
Opcode Fuzzy Hash: 27b3dcaf4902910b04bd84fc37f66beb2ee0c18d4cc4257ad07ad9c558b915ec
Instruction Fuzzy Hash: A9F0AF36928A4681EB645F519A6217C3764EF5C744F4D5079F70CA7292CF3DE490CA03

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D15B0 Relevance: 6.2, APIs: 4, Instructions: 200COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D175E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D1806
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5D1846
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF62E5D186D

Part of subcall function 00007FF62E5E3718: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62E5D1C4D), ref: 00007FF62E5E3732

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task__std_exception_destroymalloc
String ID:
API String ID: 2647511316-0
Opcode ID: 683cb786968fecde9701aba5b8263c40390043bffc0bf2035cb7af8afbb4040c
Instruction ID: d8346df7aac9e0252c7a897528de455ad4ff63801361196a9985fd4ca05082a9
Opcode Fuzzy Hash: 683cb786968fecde9701aba5b8263c40390043bffc0bf2035cb7af8afbb4040c
Instruction Fuzzy Hash: E181B322F24B4589FF10CBA4D9143EC3372AB687A8F544639EE5C63B96EF399095C341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5E8F60 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E8FC6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E9036
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E90A6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5E9116

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 0d662af9008669fd0ec613a5e6eb2e43aa9fb312ac22bff1e5e07aebafdb1987
Instruction ID: b54accc9c175e8020b4dea0b01d7632fe68beaca62416d412d5024b3dd9ada4b
Opcode Fuzzy Hash: 0d662af9008669fd0ec613a5e6eb2e43aa9fb312ac22bff1e5e07aebafdb1987
Instruction Fuzzy Hash: BE417670E39A8680EE18D725ECA83382362BF51B85F84043DE50DEB565EF7FA5848302

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D6E10 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00007FF62E5D784C), ref: 00007FF62E5D6E42
__stdio_common_vfwprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF62E5D784C), ref: 00007FF62E5D6E6C
fputwc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF62E5D784C), ref: 00007FF62E5D6E7A
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00007FF62E5D784C), ref: 00007FF62E5D6E87

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: CriticalSection$EnterLeave__stdio_common_vfwprintffputwc
String ID:
API String ID: 4070124032-0
Opcode ID: d7db584e16a6be461f25d04910dd0c79693fc68d95b54cb3a6b668042161430c
Instruction ID: 0ac5f7d3b0913c9a0d0baf4f3ef8d17a1f0faa247fb6d288703e37b3b9aef92b
Opcode Fuzzy Hash: d7db584e16a6be461f25d04910dd0c79693fc68d95b54cb3a6b668042161430c
Instruction Fuzzy Hash: 5F011E31A18B82C2DF109B10FC6406AB7A5FBA9785F444139FA8D93B29CF3DD459C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D6A90 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF62E5D6AC2
__stdio_common_vfwprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62E5D6AEC
fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62E5D6AFA
LeaveCriticalSection.KERNEL32 ref: 00007FF62E5D6B07

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: CriticalSection$EnterLeave__stdio_common_vfwprintffputwc
String ID:
API String ID: 4070124032-0
Opcode ID: 80726567e331f5c969f38b0ee50634b30822c4dc1fd06a43ae5c44f76b935747
Instruction ID: a7ade3594d3f78bbd47da25fae9e90fc02c0762d7559e4d3e6beb5d0e1b62dc6
Opcode Fuzzy Hash: 80726567e331f5c969f38b0ee50634b30822c4dc1fd06a43ae5c44f76b935747
Instruction Fuzzy Hash: 96010C35A18B8282DE109B10FC6406AB7A1FBA9785F444139FA8D93A29CF3DD455C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D6B20 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF62E5D6B52
__stdio_common_vfwprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62E5D6B7C
fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62E5D6B8A
LeaveCriticalSection.KERNEL32 ref: 00007FF62E5D6B97

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: CriticalSection$EnterLeave__stdio_common_vfwprintffputwc
String ID:
API String ID: 4070124032-0
Opcode ID: c380a47fe0081dcf7cf49a38ed320f8d2506f5651096cae879bc4988e8b5fbd8
Instruction ID: 5814ef3e4364c17d0e4e87bce1fc9e85bb13c7db2448cf98ffe1e1c2f2e10d1d
Opcode Fuzzy Hash: c380a47fe0081dcf7cf49a38ed320f8d2506f5651096cae879bc4988e8b5fbd8
Instruction Fuzzy Hash: 84010C35A18B8282DF109B10FC6406AB7A1FBA9789F544139FA8D93A29CF7DD455C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D5990 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,\\?\,?,?,00007FF62E5D5595), ref: 00007FF62E5D5AC4
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62E5D5B11

Strings

\\?\, xrefs: 00007FF62E5D5993

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: \\?\
API String ID: 73155330-4282027825
Opcode ID: de7a16d0764b1f9efac0cebd142e35439489550fc91339ec0e6b383edbfcbe21
Instruction ID: 4bbbc8166497ab1c5194a22a9f9e4c76f2997f17f4fc3da0fe17c8f72aaa88aa
Opcode Fuzzy Hash: de7a16d0764b1f9efac0cebd142e35439489550fc91339ec0e6b383edbfcbe21
Instruction Fuzzy Hash: 83414666729B82C5EE109B12E8542ADA356FB18BD1F880639FF6D9B7C5CE7DE0408301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5D8A20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62E5D8AD2

Strings

stoul argument out of range, xrefs: 00007FF62E5D97B5, 00007FF62E5D97CF
invalid stoul argument, xrefs: 00007FF62E5D97C2, 00007FF62E5D97DC

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: invalid stoul argument$stoul argument out of range
API String ID: 3668304517-1365241121
Opcode ID: 330c5a34b0a8f9ab6b1a2709ea9f8d80fb9a75f6c2688c4bbcf4dc4e51440ad9
Instruction ID: 74076488d3fe23e37b0b005ff3fd679778360e1340467d6e6143b76e55e164f7
Opcode Fuzzy Hash: 330c5a34b0a8f9ab6b1a2709ea9f8d80fb9a75f6c2688c4bbcf4dc4e51440ad9
Instruction Fuzzy Hash: 601160B2724A8581EF048B29E45836D6326FB54FD8F54503ADA4C57659EF7ED880C304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5E4EDC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF62E5E2CE2), ref: 00007FF62E5E4F20
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF62E5E2CE2), ref: 00007FF62E5E4F66

Strings

csm, xrefs: 00007FF62E5E4F53

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 6a4b09854641f9778161c1b8d0185bf144bae762e0ab30c7f7dec4ec9b494210
Instruction ID: 93b9c9de95504fc622bd97417dca1a7d8e6e86a05aeaf0647a4959e320b54162
Opcode Fuzzy Hash: 6a4b09854641f9778161c1b8d0185bf144bae762e0ab30c7f7dec4ec9b494210
Instruction Fuzzy Hash: 6C116A32A28B8182EF248F25E85026977A0FB98B84F5C4238EE8C57B65DF3DC4518B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62E5E5C1C Relevance: 5.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF62E5E5C09,?,?,?,?,00007FF62E5E4C0A), ref: 00007FF62E5E5C3B
SetLastError.KERNEL32(?,?,?,00007FF62E5E5C09,?,?,?,?,00007FF62E5E4C0A), ref: 00007FF62E5E5CC2

Memory Dump Source

Source File: 00000000.00000002.1629949001.00007FF62E5D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62E5D0000, based on PE: true

Associated: 00000000.00000002.1629932546.00007FF62E5D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629970983.00007FF62E5EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1629991501.00007FF62E5F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630012306.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62e5d0000_WinUI.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 5e6e74bf33f2ba030fc1ee03060395f846af5e39ad28ff1cab3f2eb74033dd11
Instruction ID: 9b793d0a3d67f9b59abb221b40528b58afa6cb1185c564dca070bd950947c4b1
Opcode Fuzzy Hash: 5e6e74bf33f2ba030fc1ee03060395f846af5e39ad28ff1cab3f2eb74033dd11
Instruction Fuzzy Hash: 0B117230E39A4281FE549B31AC711392251AF647A0F0C4A3CFA2EA73D5DE3EF8418746

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WinUI.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: WinUI.exePID: 5956, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: WinUI.exePID: 5956, Parent PID: 2580COMMON

Execution Graph

Graph

Executed Functions

Function 00007FF62E5E1AF0 Relevance: 88.2, APIs: 26, Strings: 24, Instructions: 675COMMON

Function 00007FF62E5D6BB0 Relevance: 21.2, APIs: 14, Instructions: 167COMMON

Control-flow Graph

Windows Analysis Report
WinUI.exe

Function 00007FF62E5D6BB0 Relevance: 21.2, APIs: 14, Instructions: 167
COMMON

Function 00007FF62E5E2690 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 61
COMMON

Function 00007FF62E5D2480 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 239
registryCOMMON

Function 00007FF62E5E3ADC Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Function 00007FF62E5D3C40 Relevance: 7.9, APIs: 5, Instructions: 361
COMMON

Function 00007FF62E5E39F0 Relevance: 4.6, APIs: 3, Instructions: 63
COMMON

Function 00007FF62E5DEFF0 Relevance: 45.8, APIs: 13, Strings: 13, Instructions: 272
registryCOMMON

Function 00007FF62E5D6750 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 207
COMMON

Function 00007FF62E5E1120 Relevance: 44.2, APIs: 9, Strings: 16, Instructions: 427
COMMON

Function 00007FF62E5DE160 Relevance: 36.9, APIs: 11, Strings: 10, Instructions: 158
libraryloaderCOMMON

Function 00007FF62E5D64E0 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 143
COMMON

Function 00007FF62E5D1C10 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 133
COMMON

Function 00007FF62E5DD6E0 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 229
COMMON

Function 00007FF62E5DA900 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 243
COMMON

Function 00007FF62E5DD3C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120
COMMON