Edit tour

Windows Analysis Report
createdump.exe

Overview

General Information

Sample name:	createdump.exe
Analysis ID:	1427814
MD5:	688a16f9e8568486cf917be2edcddc09
SHA1:	ce3ad3daf096e89487493b68d14d4e4d77aacfc6
SHA256:	f5785f7d354173ef61b1264538433c34b02459227337ef6aff863787baf5fa6c
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Found large amount of non-executed APIs

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

createdump.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\createdump.exe" MD5: 688A16F9E8568486CF917BE2EDCDDC09)

conhost.exe (PID: 7332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: createdump.exe

Static PE information: certificate valid

Source: createdump.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe

Source: createdump.exe	Binary or memory string: OriginalFilename vs createdump.exe
Source: createdump.exe, 00000000.00000002.1649988427.00007FF68D62D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFX_VER_INTERNALNAME_STR@ vs createdump.exe
Source: createdump.exe	Binary or memory string: OriginalFilenameFX_VER_INTERNALNAME_STR@ vs createdump.exe

Source: classification engine

Classification label: clean3.winEXE@2/1@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7332:120:WilError_03

Source: createdump.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\createdump.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\createdump.exe "C:\Users\user\Desktop\createdump.exe"
Source: C:\Users\user\Desktop\createdump.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\createdump.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\createdump.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\createdump.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\createdump.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: createdump.exe

Static PE information: certificate valid

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Source: createdump.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: createdump.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: createdump.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: createdump.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: createdump.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: createdump.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: createdump.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: createdump.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: createdump.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe

Source: createdump.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: createdump.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: createdump.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: createdump.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: createdump.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: createdump.exe

Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\createdump.exe

API coverage: 8.2 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\createdump.exe

Code function: 0_2_00007FF68D622ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF68D622ECC

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\createdump.exe	Code function: 0_2_00007FF68D623074 SetUnhandledExceptionFilter,	0_2_00007FF68D623074
Source: C:\Users\user\Desktop\createdump.exe	Code function: 0_2_00007FF68D622ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF68D622ECC
Source: C:\Users\user\Desktop\createdump.exe	Code function: 0_2_00007FF68D622984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF68D622984

Source: C:\Users\user\Desktop\createdump.exe

Code function: 0_2_00007FF68D622DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF68D622DA0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
createdump.exe	0%	ReversingLabs
createdump.exe	0%	Virustotal		Browse

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427814
Start date and time:	2024-04-18 08:19:36 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	createdump.exe
Detection:	CLEAN
Classification:	clean3.winEXE@2/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information

Process:	C:\Users\user\Desktop\createdump.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	638
Entropy (8bit):	4.751962275036146
Encrypted:	false
SSDEEP:	12:ku/L92WF4gx9l+jsPczo/CdaD0gwiSrlEX6OPkRVdoaQLeU4wv:ku/h5F4Bs0oCdalwisCkRVKVeU4wv
MD5:	15CA959638E74EEC47E0830B90D0696E
SHA1:	E836936738DCB6C551B6B76054F834CFB8CC53E5
SHA-256:	57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE
SHA-512:	101390C5D2FA93162804B589376CF1E4A1A3DD4BDF4B6FE26D807AFC3FF80DA26EE3BAEB731D297A482165DE7CA48508D6EAA69A5509168E9CEF20B4A88A49FD
Malicious:	false
Reputation:	low
Preview:	[createdump] createdump [options] pid..-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values:.. %p PID of dumped process... %e The process executable filename... %h Hostname return by gethostname()... %t Time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)...-n, --normal - create minidump...-h, --withheap - create minidump with heap (default)...-t, --triage - create triage minidump...-u, --full - create full core dump...-d, --diag - enable diagnostic messages...-v, --verbose - enable verbose diagnostic messages...

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.353826566596602
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	createdump.exe
File size:	57'576 bytes
MD5:	688a16f9e8568486cf917be2edcddc09
SHA1:	ce3ad3daf096e89487493b68d14d4e4d77aacfc6
SHA256:	f5785f7d354173ef61b1264538433c34b02459227337ef6aff863787baf5fa6c
SHA512:	1159cfc85e5133db0c05c2a0a8b2911ae1aba8d83b442f49402b7a0038366a31267d472440ba4e43d5f0dfc9bdccce7b8be7ea67618d1928085af09eb2e96f8b
SSDEEP:	768:qQ6XULhGj8TzwsoeZwVAsuEIBh8v6Y3eQdDU/i1Q9zS:oCVbTGkiLx0iSzS
TLSH:	41436D0A67B940E6E46B81B4C5E25A47FD79F512231192CF0FBDC2161F637C09E3AB29
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l...............uU......x.......x.......x.......................x.......x9......x......Rich............PE..d...5joe.........."

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140002970
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x656F6A35 [Tue Dec 5 18:21:41 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	a59809c5c0d26ef15e2540ac3993c6e2

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	11/05/2023 20:03:32 08/05/2024 20:03:32
Subject Chain	CN=.NET, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	97762F82B14E28F4E97F0A97D81F280B
Thumbprint SHA-1:	50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D
Thumbprint SHA-256:	C5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C
Serial:	330000037CC9F6BCED0759AE0800000000037C

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F4B1D1A188Ch
dec eax
add esp, 28h
jmp 00007F4B1D1A12CFh
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [00005743h]
dec eax
mov ecx, ebx
call dword ptr [00005742h]
call dword ptr [0000572Ch]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00005710h]
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call dword ptr [000056ECh]
test eax, eax
je 00007F4B1D1A1469h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [0000981Ah]
call 00007F4B1D1A150Eh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [00009901h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [00009891h], eax
dec eax
mov eax, dword ptr [000098EAh]
dec eax
mov dword ptr [0000975Bh], eax
dec eax
mov eax, dword ptr [esp+40h]
dec eax
mov dword ptr [0000985Fh], eax
mov dword ptr [00009735h], C0000409h
mov dword ptr [0000972Fh], 00000001h
mov dword ptr [00000039h], 00000000h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaca4	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf000	0x68c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xd000	0x750	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0xb800	0x28e8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0x164	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9984	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x99e0	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2c0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x65c0	0x6600	2a90b47289c6e39476feb06a8f0e0479	False	0.5633425245098039	data	6.406845564004421	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x36ce	0x3800	6233dc4dbf7928b128dcd5b234c69c54	False	0.3701171875	data	4.398078476866589	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x8d8	0x200	2dd473d608761c084f9e65bd09cf2870	False	0.294921875	data	2.9727405049128794	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xd000	0x750	0x800	b9cdc1398dbaa98d5b4f9dfc2695c41a	False	0.458984375	PEX Binary Archive	4.091188184154214	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0xe000	0xfc	0x200	ad51145aa785560b23186d128c549018	False	0.296875	data	1.9964173903557825	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xf000	0x68c	0x800	1bda74fde532a8d4da1201e8ddafd293	False	0.35546875	data	4.521186346065648	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0x164	0x200	c186ca82fafbc91f1037459acee31137	False	0.556640625	data	4.12571512797523	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xf0a0	0x490	data	English	United States	0.4203767123287671
RT_MANIFEST	0xf530	0x15a	ASCII text, with CRLF line terminators	English	United States	0.5491329479768786

Imports

DLL	Import
KERNEL32.dll	GetTempPathA, GetLastError, OpenProcess, CreateFileA, CloseHandle, K32GetModuleBaseNameA, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, EncodePointer, SetLastError, RaiseException, RtlPcToFileHeader, RtlUnwindEx, GetModuleHandleW, IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, GetProcAddress, LoadLibraryExW, FreeLibrary
dbghelp.dll	MiniDumpWriteDump
WS2_32.dll	WSAGetLastError, gethostname, WSAStartup
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vfprintf, _set_fmode, fflush, __p__commode, __acrt_iob_func
api-ms-win-crt-convert-l1-1-0.dll	atoi
api-ms-win-crt-string-l1-1-0.dll	wcsncmp, strcpy_s, strcat_s, strcmp
api-ms-win-crt-time-l1-1-0.dll	_time64
api-ms-win-crt-runtime-l1-1-0.dll	__p___argv, _initialize_onexit_table, _cexit, _c_exit, _exit, exit, _register_onexit_function, _initterm, _get_initial_narrow_environment, _initialize_narrow_environment, _configure_narrow_argv, _register_thread_local_exe_atexit_callback, _set_app_type, _seh_filter_exe, terminate, _invalid_parameter_noinfo_noreturn, abort, _crt_atexit, __p___argc, _initterm_e
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, malloc, free, _callnewh, calloc
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	08:20:24
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\createdump.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\createdump.exe"
Imagebase:	0x7ff68d620000
File size:	57'576 bytes
MD5 hash:	688A16F9E8568486CF917BE2EDCDDC09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:20:24
Start date:	18/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.7%
Total number of Nodes:	700
Total number of Limit Nodes:	1

Executed Functions

Function 00007FF68D621060 Relevance: 65.0, APIs: 13, Strings: 24, Instructions: 214
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF68D62112F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF68D62115B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF68D621187
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF68D621230
atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF68D62123C
GetTempPathA.KERNEL32 ref: 00007FF68D6212C1
GetLastError.KERNEL32 ref: 00007FF68D6212CB
GetLastError.KERNEL32 ref: 00007FF68D6212DF
strcat_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF68D6212F8
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D621350
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D621359
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D621364
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D62136D

Strings

-, xrefs: 00007FF68D621194
--normal, xrefs: 00007FF68D621125
--name, xrefs: 00007FF68D6210B8
-, xrefs: 00007FF68D621110
createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn, xrefs: 00007FF68D621386
minidump with heap, xrefs: 00007FF68D62107C, 00007FF68D6210BF
-, xrefs: 00007FF68D6211D7
--verbose, xrefs: 00007FF68D621226
GetTempPath failed (0x%08x), xrefs: 00007FF68D6212D3
strcat_s failed (%d), xrefs: 00007FF68D621306
full dump, xrefs: 00007FF68D6211C3
minidump, xrefs: 00007FF68D621267
--triage, xrefs: 00007FF68D62117D
--diag, xrefs: 00007FF68D6211EF
--withheap, xrefs: 00007FF68D621151
-, xrefs: 00007FF68D621168
v, xrefs: 00007FF68D62121A
-, xrefs: 00007FF68D6210DC
Dump successfully written, xrefs: 00007FF68D621338
triage minidump, xrefs: 00007FF68D621247
dump.%p.dmp, xrefs: 00007FF68D6212E9
-, xrefs: 00007FF68D62113C
-, xrefs: 00007FF68D621215
--full, xrefs: 00007FF68D6211A8

Memory Dump Source

Source File: 00000000.00000002.1649947094.00007FF68D621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68D620000, based on PE: true

Associated: 00000000.00000002.1649935794.00007FF68D620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649962124.00007FF68D628000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649976357.00007FF68D62C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649988427.00007FF68D62D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68d620000_createdump.jbxd

Similarity

API ID: strcmp$ErrorLast__acrt_iob_funcfflush$PathTempatoistrcat_s
String ID: -$-$-$-$-$-$-$--diag$--full$--name$--normal$--triage$--verbose$--withheap$Dump successfully written$GetTempPath failed (0x%08x)$createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn$dump.%p.dmp$full dump$minidump$minidump with heap$strcat_s failed (%d)$triage minidump$v
API String ID: 2647627392-2367407095
Opcode ID: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
Instruction ID: 422f4f4dd16e3cc89b1fbc0356baa7bf626563202deaa246fa9b8f526d289b1d
Opcode Fuzzy Hash: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
Instruction Fuzzy Hash: 56A19062D4C68AD1FB618F20A4042B927A4BF4E75CF08413AD94EC6695FE3CE4CCE320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF68D6227EC Relevance: 13.6, APIs: 9, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF68D622800

Part of subcall function 00007FF68D622B8C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF68D622BAE

__scrt_release_startup_lock.LIBCMT ref: 00007FF68D622883
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D6228D1
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D6228D6
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D6228DE
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D6228E6
__scrt_is_managed_app.LIBCMT ref: 00007FF68D6228FA
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D622908
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D622962

Memory Dump Source

Source File: 00000000.00000002.1649947094.00007FF68D621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68D620000, based on PE: true

Associated: 00000000.00000002.1649935794.00007FF68D620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649962124.00007FF68D628000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649976357.00007FF68D62C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649988427.00007FF68D62D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68d620000_createdump.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 2308368977-0
Opcode ID: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
Instruction ID: a9148991be512e24a98630447b737cbfc8de061dc7c5b296a1bbda13da08b513
Opcode Fuzzy Hash: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
Instruction Fuzzy Hash: 2B310B21E8824BC1EA14AB2194513BD2251BF5D78CF44503DD56DCB2A7EE2DE9CCE270

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF68D621450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D621475
fprintf.MSPDB140-MSVCRT ref: 00007FF68D621485

Part of subcall function 00007FF68D621010: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D621047

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D621494
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D6214B3
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D6214BE
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D6214C7

Strings

[createdump] , xrefs: 00007FF68D62147E

Memory Dump Source

Source File: 00000000.00000002.1649947094.00007FF68D621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68D620000, based on PE: true

Associated: 00000000.00000002.1649935794.00007FF68D620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649962124.00007FF68D628000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649976357.00007FF68D62C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649988427.00007FF68D62D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68d620000_createdump.jbxd

Similarity

API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
String ID: [createdump]
API String ID: 3735572767-2657508301
Opcode ID: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
Instruction ID: 7397e6e9dd91c9c0343afb538b17830f9be40da9a899d905dfa91f6971399d46
Opcode Fuzzy Hash: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
Instruction Fuzzy Hash: 80014B21E09B96C2E600DB50F80556AA364FF88BE9F004539EA8D83769EF3CD499D750

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF68D622ECC Relevance: 10.6, APIs: 7, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF68D622EE8
RtlCaptureContext.KERNEL32 ref: 00007FF68D622F15
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF68D622F2F
RtlVirtualUnwind.KERNEL32 ref: 00007FF68D622F70
IsDebuggerPresent.KERNEL32 ref: 00007FF68D622FC4
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF68D622FE5
UnhandledExceptionFilter.KERNEL32 ref: 00007FF68D622FF0

Memory Dump Source

Source File: 00000000.00000002.1649947094.00007FF68D621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68D620000, based on PE: true

Associated: 00000000.00000002.1649935794.00007FF68D620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649962124.00007FF68D628000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649976357.00007FF68D62C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649988427.00007FF68D62D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68d620000_createdump.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
Instruction ID: 7165d58efd951d6b242a3f5ed6d1a2ab6eb099de05c32bbcfb76e13224425637
Opcode Fuzzy Hash: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
Instruction Fuzzy Hash: 89316F72A09A85C6EB608F60E8403EE7361FF58758F40403DDA4E87A98EF38D58CD724

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF68D623074 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649947094.00007FF68D621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68D620000, based on PE: true

Associated: 00000000.00000002.1649935794.00007FF68D620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649962124.00007FF68D628000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649976357.00007FF68D62C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649988427.00007FF68D62D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68d620000_createdump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
Instruction ID: 2faf0e5035b4d32ee41e73e66e5f0fcda88ba9c0d81f6dea78699e30f76c8b59
Opcode Fuzzy Hash: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
Instruction Fuzzy Hash: 75A00121D0C80AD0E6448B10A8545252320FF58B18F404439D00D810A0EF3CA488E224

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF68D6223C0 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF68D62242D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF68D62243B

Part of subcall function 00007FF68D621450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D621475
Part of subcall function 00007FF68D621450: fprintf.MSPDB140-MSVCRT ref: 00007FF68D621485
Part of subcall function 00007FF68D621450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D621494
Part of subcall function 00007FF68D621450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D6214B3
Part of subcall function 00007FF68D621450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D6214BE
Part of subcall function 00007FF68D621450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D6214C7

K32GetModuleBaseNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF68D622466
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF68D622470
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF68D622487
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF68D6225F3

Strings

Writing %s to file %s, xrefs: 00007FF68D6224C3
Invalid process id '%d' error %d, xrefs: 00007FF68D622447
Invalid dump path '%s' error %d, xrefs: 00007FF68D62252C
Write dump FAILED 0x%08x, xrefs: 00007FF68D62258E
Get process name FAILED %d, xrefs: 00007FF68D622478

Memory Dump Source

Source File: 00000000.00000002.1649947094.00007FF68D621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68D620000, based on PE: true

Associated: 00000000.00000002.1649935794.00007FF68D620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649962124.00007FF68D628000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649976357.00007FF68D62C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649988427.00007FF68D62D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68d620000_createdump.jbxd

Similarity

API ID: __acrt_iob_func$ErrorLast$BaseCloseHandleModuleNameOpenProcess__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfflushfprintf
String ID: Get process name FAILED %d$Invalid dump path '%s' error %d$Invalid process id '%d' error %d$Write dump FAILED 0x%08x$Writing %s to file %s
API String ID: 3971781330-1292085346
Opcode ID: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
Instruction ID: fabf372df4b2ab5dfefb49ef5e333ec670e3d0bc4e7c7a921a938e3369e941e7
Opcode Fuzzy Hash: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
Instruction Fuzzy Hash: 71618431E08A45C1E6109B15E85067A7761FF8D7A8F504138EEAD83AA9EF3CE4C9E750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF68D6249A4 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 316
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF68D624B42
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF68D624E65
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D624E7B
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D624E93
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D624E99

Strings

csm, xrefs: 00007FF68D624B69
csm, xrefs: 00007FF68D624A89
csm, xrefs: 00007FF68D624AEB

Memory Dump Source

Source File: 00000000.00000002.1649947094.00007FF68D621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68D620000, based on PE: true

Associated: 00000000.00000002.1649935794.00007FF68D620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649962124.00007FF68D628000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649976357.00007FF68D62C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649988427.00007FF68D62D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68d620000_createdump.jbxd

Similarity

API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 695522112-393685449
Opcode ID: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
Instruction ID: ce098630ab923f46a2e9381368767b83fe84b55effeeb3655adbce58bf4dfa51
Opcode Fuzzy Hash: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
Instruction Fuzzy Hash: 1FE17072E0868ACAE7209F25D4803AD77A0FF6875CF144139DA8D87696EF38E5C9D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF68D6213C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D6213E5
fprintf.MSPDB140-MSVCRT ref: 00007FF68D6213F5

Part of subcall function 00007FF68D621010: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D621047

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D621404
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D621423
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D62142E
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D621437

Strings

[createdump] , xrefs: 00007FF68D6213EE

Memory Dump Source

Source File: 00000000.00000002.1649947094.00007FF68D621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68D620000, based on PE: true

Associated: 00000000.00000002.1649935794.00007FF68D620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649962124.00007FF68D628000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649976357.00007FF68D62C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649988427.00007FF68D62D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68d620000_createdump.jbxd

Similarity

API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
String ID: [createdump]
API String ID: 3735572767-2657508301
Opcode ID: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
Instruction ID: 38609c689cffe1994c0bee94e5606065d006499437cb01a7ef6065eee9a19223
Opcode Fuzzy Hash: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
Instruction Fuzzy Hash: 61012C31E09B86C2E7009B50F8145AAA360FF88BE9F004539DA8D43765EF7CD4D9D750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF68D621800 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 92
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00007FF68D62186C

Part of subcall function 00007FF68D621450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D621475
Part of subcall function 00007FF68D621450: fprintf.MSPDB140-MSVCRT ref: 00007FF68D621485
Part of subcall function 00007FF68D621450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D621494
Part of subcall function 00007FF68D621450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D6214B3
Part of subcall function 00007FF68D621450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D6214BE
Part of subcall function 00007FF68D621450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D6214C7

Strings

%%%%%%%%, xrefs: 00007FF68D621890
Pipe syntax in dump name not supported, xrefs: 00007FF68D621850
--name, xrefs: 00007FF68D62180A
%%%%%%%%, xrefs: 00007FF68D621D5C
Invalid dump name format char '%c', xrefs: 00007FF68D621DD0

Memory Dump Source

Source File: 00000000.00000002.1649947094.00007FF68D621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68D620000, based on PE: true

Associated: 00000000.00000002.1649935794.00007FF68D620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649962124.00007FF68D628000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649976357.00007FF68D62C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649988427.00007FF68D62D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68d620000_createdump.jbxd

Similarity

API ID: __acrt_iob_func$Startup__stdio_common_vfprintffflushfprintf
String ID: %%%%%%%%$%%%%%%%%$--name$Invalid dump name format char '%c'$Pipe syntax in dump name not supported
API String ID: 3378602911-3973674938
Opcode ID: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
Instruction ID: 14b05bb425bf380ff5a69c1325e10cdf7ff32224b4d78e46172d2a244a9c9af9
Opcode Fuzzy Hash: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
Instruction Fuzzy Hash: 8F31E062E0CA89D6E7598F1598947F92762BF4D788F44043ADE4D472D1EE3CE18DE320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF68D626498 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,?,00000000,00007FF68D62669F,?,?,?,00007FF68D62441E,?,?,?,00007FF68D6243D9), ref: 00007FF68D62651D
GetLastError.KERNEL32(?,00000000,00007FF68D62669F,?,?,?,00007FF68D62441E,?,?,?,00007FF68D6243D9,?,?,?,?,00007FF68D623524), ref: 00007FF68D62652B
LoadLibraryExW.KERNEL32(?,00000000,00007FF68D62669F,?,?,?,00007FF68D62441E,?,?,?,00007FF68D6243D9,?,?,?,?,00007FF68D623524), ref: 00007FF68D626555
FreeLibrary.KERNEL32(?,00000000,00007FF68D62669F,?,?,?,00007FF68D62441E,?,?,?,00007FF68D6243D9,?,?,?,?,00007FF68D623524), ref: 00007FF68D62659B
GetProcAddress.KERNEL32(?,00000000,00007FF68D62669F,?,?,?,00007FF68D62441E,?,?,?,00007FF68D6243D9,?,?,?,?,00007FF68D623524), ref: 00007FF68D6265A7

Strings

api-ms-, xrefs: 00007FF68D62653D

Memory Dump Source

Source File: 00000000.00000002.1649947094.00007FF68D621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68D620000, based on PE: true

Associated: 00000000.00000002.1649935794.00007FF68D620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649962124.00007FF68D628000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649976357.00007FF68D62C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649988427.00007FF68D62D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68d620000_createdump.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
Instruction ID: 6148c598ad12b669283e6dc271fb410faba13aa0d1a720ebbe694c8df34b43f7
Opcode Fuzzy Hash: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
Instruction Fuzzy Hash: E231B021E1A60AC1FE219B4298009792394FF4CBA9F194638DD1D9A398FF3CE4C8D320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF68D621B18 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF68D621B1D

Strings

Could not get the host name for dump name: %d, xrefs: 00007FF68D621DB2
%%%%%%%%, xrefs: 00007FF68D621D5C

Memory Dump Source

Source File: 00000000.00000002.1649947094.00007FF68D621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68D620000, based on PE: true

Associated: 00000000.00000002.1649935794.00007FF68D620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649962124.00007FF68D628000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649976357.00007FF68D62C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649988427.00007FF68D62D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68d620000_createdump.jbxd

Similarity

API ID: _time64
String ID: %%%%%%%%$Could not get the host name for dump name: %d
API String ID: 1670930206-4114407318
Opcode ID: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
Instruction ID: ec2bd4c815a85976125a9caeb3ccaaab96c031d3276af1caea963c181881c411
Opcode Fuzzy Hash: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
Instruction Fuzzy Hash: 0751E562E18B89C6EB00CB28D4403AA6761FF497D8F400139DA5D57BE9EF3CD089E350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF68D624EA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EncodePointer.KERNEL32 ref: 00007FF68D624F10
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D625189

Strings

RCC, xrefs: 00007FF68D624F2C
MOC, xrefs: 00007FF68D624F24

Memory Dump Source

Source File: 00000000.00000002.1649947094.00007FF68D621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68D620000, based on PE: true

Associated: 00000000.00000002.1649935794.00007FF68D620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649962124.00007FF68D628000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649976357.00007FF68D62C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649988427.00007FF68D62D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68d620000_createdump.jbxd

Similarity

API ID: EncodePointerabort
String ID: MOC$RCC
API String ID: 1188231555-2084237596
Opcode ID: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
Instruction ID: af416642cca3e6fb705644aadb2ee8dc315cecee70e6b2cc252e18604db7f150
Opcode Fuzzy Hash: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
Instruction Fuzzy Hash: EE919273E08B8ACAE710CB65D8802AD77A0FB4878CF144129EA8D97755EF38D199DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF68D625414 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF68D62543E
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D6256A2

Strings

csm, xrefs: 00007FF68D625463
csm, xrefs: 00007FF68D6255D2

Memory Dump Source

Source File: 00000000.00000002.1649947094.00007FF68D621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68D620000, based on PE: true

Associated: 00000000.00000002.1649935794.00007FF68D620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649962124.00007FF68D628000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649976357.00007FF68D62C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649988427.00007FF68D62D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68d620000_createdump.jbxd

Similarity

API ID: __except_validate_context_recordabort
String ID: csm$csm
API String ID: 746414643-3733052814
Opcode ID: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
Instruction ID: 013f6a070965ee3ae48e4d9b72580730a518e214a6d2def018c3ab4e472bdd99
Opcode Fuzzy Hash: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
Instruction Fuzzy Hash: D871D032A08686CAD7308F21945467A7BA1FF08BDDF048139DE8C87A95EF3CD498D751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF68D62195F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Could not get the host name for dump name: %d, xrefs: 00007FF68D621DB2
%%%%%%%%, xrefs: 00007FF68D621D5C

Memory Dump Source

Source File: 00000000.00000002.1649947094.00007FF68D621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68D620000, based on PE: true

Associated: 00000000.00000002.1649935794.00007FF68D620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649962124.00007FF68D628000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649976357.00007FF68D62C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649988427.00007FF68D62D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68d620000_createdump.jbxd

Similarity

API ID:
String ID: %%%%%%%%$Could not get the host name for dump name: %d
API String ID: 0-4114407318
Opcode ID: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
Instruction ID: e307dc13598711c8a0546449a52ff3d063777d029ea708295f01cdededfdf8a0
Opcode Fuzzy Hash: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
Instruction Fuzzy Hash: A551D422E18B8986E700CB29E4407AA6761FF997D4F400139EA9D47B99DF3DD089E750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF68D625860 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF68D62590A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF68D625936

Strings

csm, xrefs: 00007FF68D625A36

Memory Dump Source

Source File: 00000000.00000002.1649947094.00007FF68D621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68D620000, based on PE: true

Associated: 00000000.00000002.1649935794.00007FF68D620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649962124.00007FF68D628000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649976357.00007FF68D62C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649988427.00007FF68D62D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68d620000_createdump.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
Instruction ID: 8aa57cb3bff687bd6a8a2b1763fdf00071dfeeb8e51c89b1566c1b71f65b33d3
Opcode Fuzzy Hash: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
Instruction Fuzzy Hash: 00516132A1874AC6D6209B16E44126E77B4FF9CBA8F140138DB8D87B55EF7CE4A4DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF68D6217E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 59networkCOMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00007FF68D6217EB
WSAStartup.WS2_32 ref: 00007FF68D62186C

Part of subcall function 00007FF68D621450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D621475
Part of subcall function 00007FF68D621450: fprintf.MSPDB140-MSVCRT ref: 00007FF68D621485
Part of subcall function 00007FF68D621450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D621494
Part of subcall function 00007FF68D621450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D6214B3
Part of subcall function 00007FF68D621450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D6214BE
Part of subcall function 00007FF68D621450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D6214C7

Strings

Pipe syntax in dump name not supported, xrefs: 00007FF68D621850
--name, xrefs: 00007FF68D62180A
string too long, xrefs: 00007FF68D6217E4

Memory Dump Source

Source File: 00000000.00000002.1649947094.00007FF68D621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68D620000, based on PE: true

Associated: 00000000.00000002.1649935794.00007FF68D620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649962124.00007FF68D628000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649976357.00007FF68D62C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649988427.00007FF68D62D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68d620000_createdump.jbxd

Similarity

API ID: __acrt_iob_func$StartupXinvalid_argument__stdio_common_vfprintffflushfprintfstd::_
String ID: --name$Pipe syntax in dump name not supported$string too long
API String ID: 1412700758-3183687674
Opcode ID: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
Instruction ID: 78c70193783c419802effd1067ad34c71884f38ff8fb602f316635776ef7f19b
Opcode Fuzzy Hash: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
Instruction Fuzzy Hash: 5301B122E18989E5F7619F12EC817BA6350BF8C79CF44003AEE4D46651EE3CD4CAD710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF68D621CE0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32 ref: 00007FF68D621CFA
WSAGetLastError.WS2_32 ref: 00007FF68D621DA9

Strings

Could not get the host name for dump name: %d, xrefs: 00007FF68D621DB2
%%%%%%%%, xrefs: 00007FF68D621D5C

Memory Dump Source

Source File: 00000000.00000002.1649947094.00007FF68D621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68D620000, based on PE: true

Associated: 00000000.00000002.1649935794.00007FF68D620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649962124.00007FF68D628000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649976357.00007FF68D62C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649988427.00007FF68D62D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68d620000_createdump.jbxd

Similarity

API ID: ErrorLastgethostname
String ID: %%%%%%%%$Could not get the host name for dump name: %d
API String ID: 3782448640-4114407318
Opcode ID: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
Instruction ID: 9f1a312d07b75c6920cec35188a5e7b0a86fb3250f87ed8fccbe8dc6b442efcc
Opcode Fuzzy Hash: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
Instruction Fuzzy Hash: 1811C411E4C14AC6E6489B21A8507BB2340BF8E7B8F001639D96F976D6ED3CD0CEE360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF68D624158 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D6241B8

Strings

RCC, xrefs: 00007FF68D624168
csm, xrefs: 00007FF68D624178
MOC, xrefs: 00007FF68D624170

Memory Dump Source

Source File: 00000000.00000002.1649947094.00007FF68D621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68D620000, based on PE: true

Associated: 00000000.00000002.1649935794.00007FF68D620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649962124.00007FF68D628000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649976357.00007FF68D62C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649988427.00007FF68D62D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68d620000_createdump.jbxd

Similarity

API ID: terminate
String ID: MOC$RCC$csm
API String ID: 1821763600-2671469338
Opcode ID: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
Instruction ID: a0965e0427bfb7cc4d3cd0f5746e9d617dc842fb680e5591354944c52c6567a3
Opcode Fuzzy Hash: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
Instruction Fuzzy Hash: 1EF08136D0824EC1E3285B51A14607C3264FF6CB4CF185039D7088A252EF7CF5E8EA12

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF68D6220C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(-3333333333333333,?,00000000,00007FF68D6218EE), ref: 00007FF68D6221E0
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68D62221E

Strings

Invalid process id '%d' error %d, xrefs: 00007FF68D622447

Memory Dump Source

Source File: 00000000.00000002.1649947094.00007FF68D621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68D620000, based on PE: true

Associated: 00000000.00000002.1649935794.00007FF68D620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649962124.00007FF68D628000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649976357.00007FF68D62C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649988427.00007FF68D62D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68d620000_createdump.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: Invalid process id '%d' error %d
API String ID: 73155330-4244389950
Opcode ID: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
Instruction ID: 910ed1e5ce139f779244dcbea4cb1007f005fd3bccc5b8508c4cf447f8116bef
Opcode Fuzzy Hash: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
Instruction Fuzzy Hash: 6E310522F49789C5EA148F1195482A963A1BF0DBD8F040639DF6D47BD5EE7CE0D8E320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF68D623F84 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF68D62173F), ref: 00007FF68D623FC8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF68D62173F), ref: 00007FF68D62400E

Strings

csm, xrefs: 00007FF68D623FFB

Memory Dump Source

Source File: 00000000.00000002.1649947094.00007FF68D621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68D620000, based on PE: true

Associated: 00000000.00000002.1649935794.00007FF68D620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649962124.00007FF68D628000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649976357.00007FF68D62C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649988427.00007FF68D62D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68d620000_createdump.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
Instruction ID: d86a01e53bd59eb5990ff582b3a0d4627fbcf8c71cfb66f45492edd3daa7c711
Opcode Fuzzy Hash: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
Instruction Fuzzy Hash: 73113D32A18B46C2EB108B15F44026977A0FF88B98F184238EF8D47B58EF3DD599C700

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report createdump.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: createdump.exePID: 7324, Parent PID: 2580

General

Chronological Activities

Analysis Process: conhost.exePID: 7332, Parent PID: 7324

General

Chronological Activities

Disassembly

Analysis Process: createdump.exePID: 7324, Parent PID: 2580COMMON

Execution Graph

Graph

Executed Functions

Function 00007FF68D621060 Relevance: 65.0, APIs: 13, Strings: 24, Instructions: 214stringCOMMON

Control-flow Graph

Windows Analysis Report
createdump.exe

Function 00007FF68D621060 Relevance: 65.0, APIs: 13, Strings: 24, Instructions: 214
stringCOMMON

Function 00007FF68D6227EC Relevance: 13.6, APIs: 9, Instructions: 102
COMMON

Function 00007FF68D621450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 34
COMMON

Function 00007FF68D622ECC Relevance: 10.6, APIs: 7, Instructions: 72
COMMON

Function 00007FF68D6223C0 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 157
COMMON

Function 00007FF68D6249A4 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 316
COMMONLIBRARYCODE

Function 00007FF68D6213C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 34
COMMON

Function 00007FF68D621800 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 92
networkCOMMON

Function 00007FF68D626498 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Function 00007FF68D621B18 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149
COMMON

Function 00007FF68D624EA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190
COMMONLIBRARYCODE

Function 00007FF68D625414 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163
COMMONLIBRARYCODE

Function 00007FF68D62195F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146
COMMON

Function 00007FF68D625860 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117
COMMON