Edit tour

Windows Analysis Report
decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe

Overview

General Information

Sample name:	decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe
Analysis ID:	1429068
MD5:	1466c4a796b2123560d147b59535bca9
SHA1:	3dcd8cbd63bf03ec5293a0a9e42ce3517803fa45
SHA256:	67b51ab7cda724261b5f5098955d23e7d72617f7cc742d670d1ff5d9314407e8
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

PE file contains sections with non-standard names

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe (PID: 7304 cmdline: "C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe" MD5: 1466C4A796B2123560D147B59535BCA9)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742A7644 wnsprintfW,FindFirstFileExW,lstrcmpW,lstrcmpW,wnsprintfW,lstrcmpiW,StrStrW,lstrlenW,lstrlenW,PostQueuedCompletionStatus,FindNextFileW,FindClose,wnsprintfW,DeleteFileW,		0_2_00007FF6742A7644
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742CB0F4 FindFirstFileExW,		0_2_00007FF6742CB0F4

Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2125721502.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1928326890.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2705936843.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1741218243.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2649918515.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1927691335.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2124732912.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000002.2900602838.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2721846738.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2714004512.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2538383323.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2366647197.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1955627293.000001591C320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2125721502.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1928326890.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2705936843.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1741218243.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2649918515.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1927691335.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2124732912.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000002.2900602838.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2721846738.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2714004512.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2538383323.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2366647197.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1955627293.000001591C320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirm

Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742A7EE4	0_2_00007FF6742A7EE4
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742A7BC8	0_2_00007FF6742A7BC8
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742A9D50	0_2_00007FF6742A9D50
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742A8550	0_2_00007FF6742A8550
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742C3540	0_2_00007FF6742C3540
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742D0D88	0_2_00007FF6742D0D88
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742B1DE0	0_2_00007FF6742B1DE0
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742B5DC0	0_2_00007FF6742B5DC0
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742C7E1C	0_2_00007FF6742C7E1C
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742CE668	0_2_00007FF6742CE668
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742AFE50	0_2_00007FF6742AFE50
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742B2E40	0_2_00007FF6742B2E40
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742BEEAC	0_2_00007FF6742BEEAC
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742BF6CC	0_2_00007FF6742BF6CC
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742B0730	0_2_00007FF6742B0730
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742ABF60	0_2_00007FF6742ABF60
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742C5790	0_2_00007FF6742C5790
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742C0F80	0_2_00007FF6742C0F80
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742CCFC8	0_2_00007FF6742CCFC8
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742A9830	0_2_00007FF6742A9830
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742AAF50	0_2_00007FF6742AAF50
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742AA010	0_2_00007FF6742AA010
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742AA012	0_2_00007FF6742AA012
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742B0860	0_2_00007FF6742B0860
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742C988C	0_2_00007FF6742C988C
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742B20F0	0_2_00007FF6742B20F0
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742CB0F4	0_2_00007FF6742CB0F4
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742BF0B8	0_2_00007FF6742BF0B8
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742AAF60	0_2_00007FF6742AAF60
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742AD1A0	0_2_00007FF6742AD1A0
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742A9190	0_2_00007FF6742A9190
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742C7988	0_2_00007FF6742C7988
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742B1180	0_2_00007FF6742B1180
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742C01E8	0_2_00007FF6742C01E8
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742AAB50	0_2_00007FF6742AAB50
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742ACA10	0_2_00007FF6742ACA10
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742A11FC	0_2_00007FF6742A11FC
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742AE2B0	0_2_00007FF6742AE2B0
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742B0AE0	0_2_00007FF6742B0AE0
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742C62C0	0_2_00007FF6742C62C0
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742BF2BC	0_2_00007FF6742BF2BC
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742AAB30	0_2_00007FF6742AAB30
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742D030C	0_2_00007FF6742D030C
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742A8B00	0_2_00007FF6742A8B00
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742C42FC	0_2_00007FF6742C42FC
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742A9B40	0_2_00007FF6742A9B40
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742A9B42	0_2_00007FF6742A9B42
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742C5B3C	0_2_00007FF6742C5B3C
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742A93B0	0_2_00007FF6742A93B0
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742C0B7C	0_2_00007FF6742C0B7C
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742B4C10	0_2_00007FF6742B4C10
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742ABC10	0_2_00007FF6742ABC10
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742B3410	0_2_00007FF6742B3410
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742A8C70	0_2_00007FF6742A8C70
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742A3C6C	0_2_00007FF6742A3C6C
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742BECA8	0_2_00007FF6742BECA8
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742C849C	0_2_00007FF6742C849C
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742BF4C8	0_2_00007FF6742BF4C8
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742AB520	0_2_00007FF6742AB520

Source: classification engine

Classification label: clean2.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe

Code function: 0_2_00007FF6742B5DC0 AllocateAndInitializeSid,AllocateAndInitializeSid,SetEntriesInAclW,SetNamedSecurityInfoW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,SetNamedSecurityInfoW,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,SetNamedSecurityInfoW,FreeSid,FreeSid,LocalFree,CloseHandle,

0_2_00007FF6742B5DC0

Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: networkexplorer.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: playtodevice.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: ehstorshell.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: devdispitemprovider.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: portabledeviceapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Section loaded: ehstorapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AE054212-3535-4430-83ED-D501AA6680E6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Automated click: OK
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Automated click: OK
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Automated click: OK
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Automated click: OK
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Automated click: OK
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Automated click: OK
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Automated click: OK
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Automated click: OK
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Automated click: OK
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Automated click: OK
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe

Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe

Code function: 0_2_00007FF6742D4D38 push rsp; retf 0000h

0_2_00007FF6742D4D39

Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742A7644 wnsprintfW,FindFirstFileExW,lstrcmpW,lstrcmpW,wnsprintfW,lstrcmpiW,StrStrW,lstrlenW,lstrlenW,PostQueuedCompletionStatus,FindNextFileW,FindClose,wnsprintfW,DeleteFileW,		0_2_00007FF6742A7644
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742CB0F4 FindFirstFileExW,		0_2_00007FF6742CB0F4

Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe

Code function: 0_2_00007FF6742B5820 GetSystemInfo,

0_2_00007FF6742B5820

Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2880997297.000001598AAC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2125679431.000001598AAC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1714872135.000001598AAD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0cu
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1714872135.000001598AAD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}HD
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2538468341.000001598AAF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:F(T4
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000002.2970536993.000001598AB0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000002.2970536993.000001598AAC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2705869837.000001598AAC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}\x
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2880997297.000001598AAC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}H
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1714872135.000001598AAD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2124630046.000001598AAC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\%
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1928251290.000001598AAD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_`
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1928251290.000001598AAD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2124630046.000001598AAC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2721846738.000001591C2F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}efb8b}
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2705869837.000001598AAC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:['Y5\
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1714872135.000001598AAD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1928251290.000001598AAD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2649845674.000001598AAC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}\
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2880997297.000001598AAC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}\WD
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2476459044.000001598AAD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6.
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000002.2970536993.000001598AAC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2125679431.000001598AAC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\4
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2125679431.000001598AAC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y^
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1714872135.000001598AAD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9507e
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2366804061.000001598AAC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f66.
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2124630046.000001598AAC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\WD
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1928251290.000001598AAD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b};
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2476459044.000001598AAD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}i
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2125679431.000001598AAC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}x
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2476459044.000001598AAD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\H
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2649845674.000001598AAC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}lD
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1741494792.000001598AAC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}_
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2649845674.000001598AAC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2880997297.000001598AAC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1741494792.000001598AAC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}x
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2748543110.000001598AAD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}%
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1714872135.000001598AAD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2125679431.000001598AAC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b};
Source: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2748543110.000001598AAD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}i

Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe

Code function: 0_2_00007FF6742B6C28 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6742B6C28

Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe

Code function: 0_2_00007FF6742CC5F0 GetProcessHeap,

0_2_00007FF6742CC5F0

Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742B6E08 SetUnhandledExceptionFilter,	0_2_00007FF6742B6E08
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742B677C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6742B677C
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742B6C28 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6742B6C28
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: 0_2_00007FF6742C244C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6742C244C

Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe

0_2_00007FF6742B5DC0

Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe

Code function: 0_2_00007FF6742A8230 cpuid

0_2_00007FF6742A8230

Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF6742CF640
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6742CEF54
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6742C9F44
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6742CF024
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF6742CF0BC
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: GetLocaleInfoW,	0_2_00007FF6742CA2D8
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: GetLocaleInfoW,	0_2_00007FF6742CF304
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00007FF6742CEBF8
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00007FF6742CF45C
Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe	Code function: GetLocaleInfoW,	0_2_00007FF6742CF50C

Source: C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe

Code function: 0_2_00007FF6742B6E74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6742B6E74

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Access Token Manipulation	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/Vh5j3k	decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2125721502.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1928326890.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2705936843.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1741218243.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2649918515.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1927691335.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2124732912.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000002.2900602838.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2721846738.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2714004512.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2538383323.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2366647197.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1955627293.000001591C320000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/odirm	decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2125721502.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1928326890.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2705936843.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1741218243.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2649918515.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1927691335.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2124732912.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000002.2900602838.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2721846738.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2714004512.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2538383323.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.2366647197.000001591C320000.00000004.00000020.00020000.00000000.sdmp, decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe, 00000000.00000003.1955627293.000001591C320000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1429068
Start date and time:	2024-04-20 15:42:44 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe
Detection:	CLEAN
Classification:	clean2.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 17 Number of non-executed functions: 113
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.349985765810734
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe
File size:	339'456 bytes
MD5:	1466c4a796b2123560d147b59535bca9
SHA1:	3dcd8cbd63bf03ec5293a0a9e42ce3517803fa45
SHA256:	67b51ab7cda724261b5f5098955d23e7d72617f7cc742d670d1ff5d9314407e8
SHA512:	517462633eb145fadf9791e6ee8fe8230726503ee1f448ccca7043d5a8f9228e5d6b1c8d9a21afe08407a36abee227e9ede2362f2dab6c8f8321e6cc37f96680
SSDEEP:	6144:8Iv011wseW6yapk5X3tB83bKVzUCUXifYrh:8d4PpyapkR3X8LGzUCbch
TLSH:	B5749E49F3A508F9E9B7823CC9924A06E7B3BC250760D78F17A446263F276D09D3EB51
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............@...@...@..fC...@..fE.9.@..fD...@...@...@...E...@...D...@...C...@..fA...@...A...@...I...@.......@.......@...B...@.Rich..@

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140016768
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6622F625 [Fri Apr 19 22:54:29 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b63c3eae6bb67eb1bc563c7815b24f1c

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FF824DA9008h
dec eax
add esp, 28h
jmp 00007FF824DA877Fh
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [00021AB3h]
dec eax
mov ecx, ebx
call dword ptr [00021AA2h]
call dword ptr [000219A4h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00021A98h]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call dword ptr [00021A8Ch]
test eax, eax
je 00007FF824DA8909h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [00039EAAh]
call 00007FF824DA8ACEh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [00039F91h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [00039F21h], eax
dec eax
mov eax, dword ptr [00039F7Ah]
dec eax
mov dword ptr [00039DEBh], eax
dec eax
mov eax, dword ptr [esp+40h]
dec eax
mov dword ptr [00039EEFh], eax
mov dword ptr [00039DC5h], C0000409h
mov dword ptr [00039DBFh], 00000001h
mov dword ptr [00039DC9h], 00000001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4dc94	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x58000	0x3d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x54000	0x2af0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x59000	0xc6c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x48fb0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x49180	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x48e70	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x38000	0x448	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x367b4	0x36800	de952bd15c18a2d323355fe7c11c96dd	False	0.521148401662844	data	6.549326770259768	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x38000	0x16b44	0x16c00	e59ec728a9717cdc5091586b1e92a48a	False	0.44355254120879123	OpenPGP Public Key Version 4	5.112604007748252	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4f000	0x4efc	0x1600	2c5836b6dfa053a1e052e612fa57cbc0	False	0.19158380681818182	data	3.284607138040175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x54000	0x2af0	0x2c00	2a4068776bfbdadc75c1a15fe8447e01	False	0.4715021306818182	data	5.445755091983923	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x57000	0x1f4	0x200	d2d406b428498ccf71218558593ae1c5	False	0.5390625	data	4.221886472893551	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x58000	0x3d0	0x400	a7da3961d5e198a1e884629356d6247d	False	0.4814453125	data	4.25013372944763	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x59000	0xc6c	0xe00	cf4b89043259dcbe8c1e28f28455690c	False	0.42857142857142855	data	5.223146363849965	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x58240	0x2	data	English	United States	5.0
RT_DIALOG	0x58110	0x12a	data	English	United States	0.5469798657718121
RT_MANIFEST	0x58248	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
KERNEL32.dll	CloseHandle, CreateThread, CreateIoCompletionPort, GetLogicalDrives, FindFirstFileExW, FindNextFileW, lstrlenW, SetErrorMode, FindClose, WaitForSingleObject, Sleep, GetLastError, SetEvent, DeleteFileW, GetCurrentDirectoryW, CreateEventA, lstrcmpiW, lstrcmpW, GetDriveTypeW, GetSystemTimeAsFileTime, ReadFile, GetFileSizeEx, WriteFile, PostQueuedCompletionStatus, CreateFileW, SetFileAttributesW, SetFilePointerEx, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, WakeConditionVariable, GetCurrentProcess, LocalFree, GetSystemInfo, GlobalMemoryStatusEx, WriteConsoleW, HeapSize, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, HeapReAlloc, SetStdHandle, GetProcessHeap, GetQueuedCompletionStatus, InitializeConditionVariable, WakeAllConditionVariable, SleepConditionVariableCS, MoveFileW, SetEndOfFile, OutputDebugStringW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, SleepConditionVariableSRW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, MultiByteToWideChar, GetStringTypeW, WideCharToMultiByte, InitializeCriticalSectionEx, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, RtlUnwindEx, RtlPcToFileHeader, RaiseException, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, GetStdHandle, HeapAlloc, HeapFree, GetFileType, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, IsValidCodePage
USER32.dll	MessageBoxW, EndDialog, MessageBoxA, SetDlgItemTextA, GetDlgItem, DialogBoxParamW, EnableWindow, SendDlgItemMessageW, SendMessageW
ADVAPI32.dll	AdjustTokenPrivileges, AllocateAndInitializeSid, SetEntriesInAclW, SetNamedSecurityInfoW, OpenProcessToken, FreeSid, LookupPrivilegeValueW
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc
SHLWAPI.dll	wnsprintfW, StrStrW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	15:43:31
Start date:	20/04/2024
Path:	C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe"
Imagebase:	0x7ff6742a0000
File size:	339'456 bytes
MD5 hash:	1466C4A796B2123560D147B59535BCA9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.9%
Total number of Nodes:	651
Total number of Limit Nodes:	17

Executed Functions

Function 00007FF6742A7BC8 Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 176
windowthreadsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF6742A7C3F
CloseHandle.KERNEL32 ref: 00007FF6742A7C50
SendDlgItemMessageW.USER32 ref: 00007FF6742A7C6D
CreateThread.KERNEL32 ref: 00007FF6742A7C8C
MessageBoxW.USER32 ref: 00007FF6742A7CB0
CreateThread.KERNEL32 ref: 00007FF6742A7CD4
CreateThread.KERNEL32 ref: 00007FF6742A7CFA
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6742A7D0E
SHBrowseForFolderW.SHELL32 ref: 00007FF6742A7D52
SHGetPathFromIDListW.SHELL32 ref: 00007FF6742A7D80
WaitForSingleObject.KERNEL32 ref: 00007FF6742A7D94
CloseHandle.KERNEL32 ref: 00007FF6742A7DA5
SendDlgItemMessageW.USER32 ref: 00007FF6742A7DC2
CreateThread.KERNELBASE ref: 00007FF6742A7DE1
SHGetMalloc.SHELL32 ref: 00007FF6742A7E4F
MessageBoxA.USER32 ref: 00007FF6742A7EA5
EndDialog.USER32 ref: 00007FF6742A7EAF

Strings

Wait please, xrefs: 00007FF6742A7DF0
Warning, xrefs: 00007FF6742A7E95
Select folder to decrypt, xrefs: 00007FF6742A7D24
Still working..., xrefs: 00007FF6742A7CA3
Please wait until decription is finished !, xrefs: 00007FF6742A7E9C

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: CreateMessageThread$CloseHandleItemObjectSendSingleWait$BrowseCurrentDialogDirectoryFolderFromListMallocPath
String ID: Please wait until decription is finished !$Select folder to decrypt$Still working...$Wait please$Warning
API String ID: 97136676-1041364994
Opcode ID: 63292eee6d911390607a34ec2214ca6fb8dbcd37aac15d35b7c5c0d5ea573862
Instruction ID: 9f63f124244135e5f0dc0ee39657c35332311303565e971edc04cae7f9d8f8af
Opcode Fuzzy Hash: 63292eee6d911390607a34ec2214ca6fb8dbcd37aac15d35b7c5c0d5ea573862
Instruction Fuzzy Hash: CA915E33B28A42C2F7259B21EA9C37963A1FF84785F504135DD6E86694DF3EE528CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A7644 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 162
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wnsprintfW.SHLWAPI ref: 00007FF6742A76A3
FindFirstFileExW.KERNELBASE ref: 00007FF6742A76C3
lstrcmpW.KERNEL32 ref: 00007FF6742A7722
lstrcmpW.KERNEL32 ref: 00007FF6742A773C
wnsprintfW.SHLWAPI ref: 00007FF6742A7766
lstrcmpiW.KERNEL32 ref: 00007FF6742A778A

Strings

%s\%s, xrefs: 00007FF6742A7752, 00007FF6742A78B8
.rmallox, xrefs: 00007FF6742A77B9, 00007FF6742A77DD
%s\*, xrefs: 00007FF6742A7694
HOW TO BACK FILES.txt, xrefs: 00007FF6742A78AE

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: lstrcmpwnsprintf$FileFindFirstlstrcmpi
String ID: %s\%s$%s\*$.rmallox$HOW TO BACK FILES.txt
API String ID: 3900436177-2559241139
Opcode ID: 02a7e59e4ebb2b68bb609cab7c9a8c129e587d7e4b17da78d855da38d86d046e
Instruction ID: 7b781f6e90a615e50d9821e45ea23c6518474e6e4d5998c2bf46e0dd4997fde9
Opcode Fuzzy Hash: 02a7e59e4ebb2b68bb609cab7c9a8c129e587d7e4b17da78d855da38d86d046e
Instruction Fuzzy Hash: 3F617223B28A42C5EB54AB21AADC27A6390FF84B84F444131DD7D83794EF3DE465C705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A7EE4 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 121
windowsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF6742A7F2C
CreateIoCompletionPort.KERNEL32 ref: 00007FF6742A7F3E
InitializeConditionVariable.KERNEL32 ref: 00007FF6742A7F69
CreateThread.KERNELBASE ref: 00007FF6742A7FC9
CreateEventA.KERNEL32 ref: 00007FF6742A8012
MessageBoxA.USER32 ref: 00007FF6742A8033

Part of subcall function 00007FF6742B5820: GetSystemInfo.KERNELBASE ref: 00007FF6742B5843

WaitForSingleObject.KERNEL32 ref: 00007FF6742A8045
SetEvent.KERNEL32 ref: 00007FF6742A805B
SetErrorMode.KERNELBASE ref: 00007FF6742A8066
DialogBoxParamW.USER32 ref: 00007FF6742A8082
MessageBoxW.USER32 ref: 00007FF6742A809D

Strings

Another copy of decryptor is running, please wait for it to finish !, xrefs: 00007FF6742A804F
Error, xrefs: 00007FF6742A8027
Cant initialize., xrefs: 00007FF6742A8094
DecryptSyncEvent, xrefs: 00007FF6742A8005
Can't find a sync event, please try again !, xrefs: 00007FF6742A8020
Error, xrefs: 00007FF6742A808D

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: Create$EventInitializeMessage$CompletionConditionCriticalDialogErrorInfoModeObjectParamPortSectionSingleSystemThreadVariableWait
String ID: Another copy of decryptor is running, please wait for it to finish !$Can't find a sync event, please try again !$Cant initialize.$DecryptSyncEvent$Error$Error
API String ID: 907637314-1071730626
Opcode ID: 51ac4e9aada35e456844ea8742e50ac0e2d5f1e25b4bc52e8d76492177b4d511
Instruction ID: 945a47cd9c615eccaeb2af5847cab7b38aba37c6d20bd1ac018d282b65e9d01a
Opcode Fuzzy Hash: 51ac4e9aada35e456844ea8742e50ac0e2d5f1e25b4bc52e8d76492177b4d511
Instruction Fuzzy Hash: D5519E33A28B42C2E7549F21EA885797360FF88B94F544035DE6E87694DF3EE465CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B5820 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 00007FF6742B5843

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 083b9c254e89bb3c70a8b04786382b54bec3b506744ed1bf555f7f4ceb7eb783
Instruction ID: ccd16eea7d9e5a0b089e66b5e4415ee6e399c8ae57a4770c35fa0e393b36d2f6
Opcode Fuzzy Hash: 083b9c254e89bb3c70a8b04786382b54bec3b506744ed1bf555f7f4ceb7eb783
Instruction Fuzzy Hash: 8AF01D33A28545C6F710CB25D59912973E0FB58B48F550434D6ADCB755EF2EE890CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A79FC Relevance: 40.3, APIs: 17, Strings: 6, Instructions: 76
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32 ref: 00007FF6742A7A1D
GetDlgItem.USER32 ref: 00007FF6742A7A2E
EnableWindow.USER32 ref: 00007FF6742A7A3C
EnableWindow.USER32 ref: 00007FF6742A7A47
SetDlgItemTextA.USER32 ref: 00007FF6742A7A6F
SleepEx.KERNEL32 ref: 00007FF6742A7A78
SetDlgItemTextA.USER32 ref: 00007FF6742A7A8A
SleepEx.KERNEL32 ref: 00007FF6742A7A93
SetDlgItemTextA.USER32 ref: 00007FF6742A7AA5
Sleep.KERNEL32 ref: 00007FF6742A7AAE
SetDlgItemTextA.USER32 ref: 00007FF6742A7AC0
SleepEx.KERNEL32 ref: 00007FF6742A7AC9
SetDlgItemTextA.USER32 ref: 00007FF6742A7ADB
Sleep.KERNEL32 ref: 00007FF6742A7AE4
SetDlgItemTextA.USER32 ref: 00007FF6742A7B03
EnableWindow.USER32 ref: 00007FF6742A7B13
EnableWindow.USER32 ref: 00007FF6742A7B1E

Strings

Decryption is finished !, xrefs: 00007FF6742A7AF7
Decryption in progress, please wait...., xrefs: 00007FF6742A7ACF
Decryption in progress, please wait..., xrefs: 00007FF6742A7AB4
Decryption in progress, please wait.., xrefs: 00007FF6742A7A99
Decryption in progress, please wait., xrefs: 00007FF6742A7A7E
Decryption in progress, please wait, xrefs: 00007FF6742A7A63

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: Item$Text$Sleep$EnableWindow
String ID: Decryption in progress, please wait$Decryption in progress, please wait.$Decryption in progress, please wait..$Decryption in progress, please wait...$Decryption in progress, please wait....$Decryption is finished !
API String ID: 1351353523-3071648663
Opcode ID: 78c17431d0d3e909ac26d8ac4148053a31ac35c1896ec04d405b2c1cbd031c7a
Instruction ID: 84571d2eb6bec79912ec0fc8be11ef220ecee0b45f5aa9cfbe1b40d66fa618cf
Opcode Fuzzy Hash: 78c17431d0d3e909ac26d8ac4148053a31ac35c1896ec04d405b2c1cbd031c7a
Instruction Fuzzy Hash: 17314226B28B42C2E7049F22AA9C1797361FF88F51F549035C93E93764CE3EE5698B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B5BB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6742B61E8: AcquireSRWLockExclusive.KERNEL32 ref: 00007FF6742B61F8

InitializeCriticalSection.KERNEL32 ref: 00007FF6742B5C1A
InitializeConditionVariable.KERNEL32 ref: 00007FF6742B5C25
GetSystemInfo.KERNELBASE ref: 00007FF6742B5C37
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF6742B5C6E

Strings

@, xrefs: 00007FF6742B5C61

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: Initialize$AcquireConditionCriticalExclusiveGlobalInfoLockMemorySectionStatusSystemVariable
String ID: @
API String ID: 712509733-2766056989
Opcode ID: 85b902ddf7136a5840f71e0c4d20fa5ebd1bea17a92606bf888aef8a248106ae
Instruction ID: be9460bb1796de8f484e3054e3081512fbad899ca0c3784be67fec165ca34e3d
Opcode Fuzzy Hash: 85b902ddf7136a5840f71e0c4d20fa5ebd1bea17a92606bf888aef8a248106ae
Instruction Fuzzy Hash: 49418133A28B46C6EB129B20E6993357391EF44784F504231D56ED7395EF3EE8A5CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A7B44 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 20
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FF6742A7B5E

Part of subcall function 00007FF6742A7924: GetLogicalDrives.KERNEL32 ref: 00007FF6742A7942
Part of subcall function 00007FF6742A7924: wnsprintfW.SHLWAPI ref: 00007FF6742A796C
Part of subcall function 00007FF6742A7924: GetDriveTypeW.KERNEL32 ref: 00007FF6742A7977
Part of subcall function 00007FF6742A7924: wnsprintfW.SHLWAPI ref: 00007FF6742A7999

Strings

C:\HOW TO RECOVER !!.TXT, xrefs: 00007FF6742A7B57
Finished!, xrefs: 00007FF6742A7B8C
Success, xrefs: 00007FF6742A7B7F

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: wnsprintf$DeleteDriveDrivesFileLogicalType
String ID: C:\HOW TO RECOVER !!.TXT$Finished!$Success
API String ID: 3866960233-1351793509
Opcode ID: 465bb390bc0b08d4f2416a07f7246847fb181e49e71b0b8316188c95a595fd1e
Instruction ID: fe56e136666a1908d37df5d54040cc1ad42b04a359b037d8e537883c1c833a6b
Opcode Fuzzy Hash: 465bb390bc0b08d4f2416a07f7246847fb181e49e71b0b8316188c95a595fd1e
Instruction Fuzzy Hash: D0F03062F3D542C1F718AB11ABDE3B413509F54704F841436CD3DD61A09E3EA4698B59

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B65F4 Relevance: 4.6, APIs: 3, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6742B6618
__scrt_release_startup_lock.LIBCMT ref: 00007FF6742B6686
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6742B66D9

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 1152625263-0
Opcode ID: cc6678997af802b068c0c995b5d1ad8e36810678febf03d7ea80e217a9419a53
Instruction ID: a45f2e5f6a3997368692780d8e7f303847dc1c2c1ccbcc125ce0eacce1822522
Opcode Fuzzy Hash: cc6678997af802b068c0c995b5d1ad8e36810678febf03d7ea80e217a9419a53
Instruction Fuzzy Hash: E5316D23E2C143C6FA14AB6596DD3B92291AF41744F440434E93DC72D7EE6FF824C61A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B5B00 Relevance: 4.5, APIs: 3, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00007FF6742A7192), ref: 00007FF6742B5B2C
SleepConditionVariableCS.KERNEL32(?,?,?,?,?,?,?,00007FF6742A7192), ref: 00007FF6742B5B4D
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00007FF6742A7192), ref: 00007FF6742B5B89

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveSleepVariable
String ID:
API String ID: 327268319-0
Opcode ID: da4ce017de0a67b578491a65cbf7e56a5c8ac102cc465cc981d2b3c6d4404aad
Instruction ID: 1dab4047730d86c70e4b73782d17ef13ead77f51351626857f714c5f80c61fc3
Opcode Fuzzy Hash: da4ce017de0a67b578491a65cbf7e56a5c8ac102cc465cc981d2b3c6d4404aad
Instruction Fuzzy Hash: 1F119333214A41D7D715DF16E98441AB3A0FB48BA4B148134DFAD97654DF39E4B2CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A70C4 Relevance: 4.5, APIs: 3, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32 ref: 00007FF6742A70D0
DeleteCriticalSection.KERNEL32 ref: 00007FF6742A70DA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6742A712F

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: CloseCriticalDeleteHandleSection_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2431723983-0
Opcode ID: e2c45476c9f35fc129be3a3f4548e5625161a20518ced27d78c89fdd85a8bfb5
Instruction ID: e4bfbb364d2cf16f69a793a6f121dcdd22b045015c5777ec45e1988e237505ea
Opcode Fuzzy Hash: e2c45476c9f35fc129be3a3f4548e5625161a20518ced27d78c89fdd85a8bfb5
Instruction Fuzzy Hash: 420184A3B21545C1EF18AB75C58D3781260EF58B69F600730CE3C8B5C5CF2DD4A88644

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A7148 Relevance: 3.1, APIs: 2, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6742B5BB0: InitializeCriticalSection.KERNEL32 ref: 00007FF6742B5C1A
Part of subcall function 00007FF6742B5BB0: InitializeConditionVariable.KERNEL32 ref: 00007FF6742B5C25
Part of subcall function 00007FF6742B5BB0: GetSystemInfo.KERNELBASE ref: 00007FF6742B5C37
Part of subcall function 00007FF6742B5BB0: GlobalMemoryStatusEx.KERNELBASE ref: 00007FF6742B5C6E

Part of subcall function 00007FF6742B5B00: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00007FF6742A7192), ref: 00007FF6742B5B2C
Part of subcall function 00007FF6742B5B00: SleepConditionVariableCS.KERNEL32(?,?,?,?,?,?,?,00007FF6742A7192), ref: 00007FF6742B5B4D
Part of subcall function 00007FF6742B5B00: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00007FF6742A7192), ref: 00007FF6742B5B89

GetQueuedCompletionStatus.KERNEL32 ref: 00007FF6742A71AE

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: CriticalSection$ConditionInitializeStatusVariable$CompletionEnterGlobalInfoLeaveMemoryQueuedSleepSystem
String ID:
API String ID: 2644265417-0
Opcode ID: ba04315971da4209e9bb776f7859b5d9d43853ae886ff48ac9eb5442a54ecbb0
Instruction ID: 64d0277d36eea8db982448369da31fdbfe153ca381206949ba580aa6b21a5f17
Opcode Fuzzy Hash: ba04315971da4209e9bb776f7859b5d9d43853ae886ff48ac9eb5442a54ecbb0
Instruction Fuzzy Hash: 81515B23B28A82C5EB20DB60D9883FD23A0FF94748F544536DE6D87A59EF39D294C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B59A0 Relevance: 3.1, APIs: 2, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6742B5ADC
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6742B5AE8

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: ddf4d54e44e2535de9938aa77f59c43f1d34d7fd4d75e061bb24d3760207480f
Instruction ID: 24148b142f76252da62c9e99c3bf11cea5300cf8ee7a3c614f8a489e527e69de
Opcode Fuzzy Hash: ddf4d54e44e2535de9938aa77f59c43f1d34d7fd4d75e061bb24d3760207480f
Instruction Fuzzy Hash: 2031A33372AA85C1EA249F61E28827DA350FB44BD4F554631DBBD9B785EF3DE4A1C200

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B6260 Relevance: 3.0, APIs: 2, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6742B6290

Part of subcall function 00007FF6742B6A38: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6742B6A41

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6742B6296

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: a5d4f30997dc7593dde97a0d00e26123d896649ffac24255136b9a7c7c546519
Instruction ID: 4a76f93f673f8d91bdf484f5e054ba19356a31ecf08b62c0dd955ce4b9ce63c7
Opcode Fuzzy Hash: a5d4f30997dc7593dde97a0d00e26123d896649ffac24255136b9a7c7c546519
Instruction Fuzzy Hash: B9E0B602E29107C1FD6821A11B9E1B401404F493B4E185730E93D842C2BD1EA871866A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742CCC74 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6742CCC9F

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 23922c328af0c9d5ff75e067a39c3dbc4d9fe9a67b667d539f0b5036c34c75de
Instruction ID: 9485ae0f0db5174fad378eb2d6939e2b947b722f3ccfebe7e35ac9decc753f3d
Opcode Fuzzy Hash: 23922c328af0c9d5ff75e067a39c3dbc4d9fe9a67b667d539f0b5036c34c75de
Instruction Fuzzy Hash: E8119A33A29642C2F3109B45A6C817962A5EF80380F951635EA6DC77A2CF3EE8709B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C779C Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF6742C903E,?,?,00008E472D18676E,00007FF6742C5655,?,?,?,?,00007FF6742D08D6,?,?,00000000), ref: 00007FF6742C77F1

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2557bd7c4669c4f0e37f7712305dee0af3d60beabb4b345b225e21d1d28b1a71
Instruction ID: ce7e2746e1e1e70ea04abd54b53612436513ba1f609948006b8174907865ab15
Opcode Fuzzy Hash: 2557bd7c4669c4f0e37f7712305dee0af3d60beabb4b345b225e21d1d28b1a71
Instruction Fuzzy Hash: 1AF0CD17B6920BC1FF64A6625B882B502841F88B80F6C4630CD2EC63D1EE2FE4A48220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C7850 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF6742D08BD,?,?,00000000,00007FF6742CC5B7,?,?,?,00007FF6742C35F7,?,?,?,00007FF6742C34ED), ref: 00007FF6742C788E

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c3bac971026377c70658c9995a3bc1ff76c84f279341a31a96ad29f450c50a88
Instruction ID: 5560988d7835c3764d2f83bec3b3402b76ab2b3e1f970ca0f2798a9cf5482be0
Opcode Fuzzy Hash: c3bac971026377c70658c9995a3bc1ff76c84f279341a31a96ad29f450c50a88
Instruction Fuzzy Hash: C4F0FE13F39203C5FB5466625BCD27516805FC4BA0F584734EE3EC62C1DE2EE461D520

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A7BA4 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FF6742A7BB8

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cdc9ec23403e3a3360d6aa42e966eec57bf23b3416d2a552fb46d59602ce9a1a
Instruction ID: 11b90b158de72755e8e5d72999632d8296f079502264fc0337db57f8bf3aca9f
Opcode Fuzzy Hash: cdc9ec23403e3a3360d6aa42e966eec57bf23b3416d2a552fb46d59602ce9a1a
Instruction Fuzzy Hash: 12C02B41F35001C1F720239299C831840804FC9302FF04830C92889744CC2F80E60B12

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF6742B5DC0 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 193memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 00007FF6742B5E3E
AllocateAndInitializeSid.ADVAPI32 ref: 00007FF6742B5E7E
SetEntriesInAclW.ADVAPI32 ref: 00007FF6742B5EFA
SetNamedSecurityInfoW.ADVAPI32 ref: 00007FF6742B5F37
GetCurrentProcess.KERNEL32 ref: 00007FF6742B5F52
OpenProcessToken.ADVAPI32 ref: 00007FF6742B5F65
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6742B5F8D
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6742B5FC7
GetLastError.KERNEL32 ref: 00007FF6742B5FD5
SetNamedSecurityInfoW.ADVAPI32 ref: 00007FF6742B6003
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6742B6023
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6742B6055
GetLastError.KERNEL32 ref: 00007FF6742B605F
SetNamedSecurityInfoW.ADVAPI32 ref: 00007FF6742B608D
FreeSid.ADVAPI32 ref: 00007FF6742B60BB
FreeSid.ADVAPI32 ref: 00007FF6742B60CB
LocalFree.KERNEL32 ref: 00007FF6742B60DB
CloseHandle.KERNEL32 ref: 00007FF6742B60EB

Strings

SeTakeOwnershipPrivilege, xrefs: 00007FF6742B5F84, 00007FF6742B601A

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: FreeInfoNamedSecurityToken$AdjustAllocateErrorInitializeLastLookupPrivilegePrivilegesProcessValue$CloseCurrentEntriesHandleLocalOpen
String ID: SeTakeOwnershipPrivilege
API String ID: 1600708669-3375656754
Opcode ID: 78066a6e3b0ffaad0684c671ab55134b2ce746945efcaa45dedf80d082fccb5e
Instruction ID: c613572ce81867438240abd761c6ee815f055131d8447b8e53d0f9c0bf24a1f5
Opcode Fuzzy Hash: 78066a6e3b0ffaad0684c671ab55134b2ce746945efcaa45dedf80d082fccb5e
Instruction Fuzzy Hash: 4DA13D33A28B81C6E7208F66E9843AD77B4FB88788F544139DA9D97A58DF3DD154CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B4C10 Relevance: 26.6, APIs: 9, Strings: 6, Instructions: 375sleepfileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6742A72FC), ref: 00007FF6742B4D9A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6742A72FC), ref: 00007FF6742B4DA3
Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6742A72FC), ref: 00007FF6742B4DD6
WriteFile.KERNEL32 ref: 00007FF6742B4F7A
GetLastError.KERNEL32 ref: 00007FF6742B4F87
Sleep.KERNEL32 ref: 00007FF6742B4FB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6742B519F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6742B51A5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6742B51AB

Part of subcall function 00007FF6742B56C0: SetFilePointerEx.KERNEL32 ref: 00007FF6742B5720
Part of subcall function 00007FF6742B56C0: GetLastError.KERNEL32 ref: 00007FF6742B572C
Part of subcall function 00007FF6742B56C0: Sleep.KERNEL32 ref: 00007FF6742B575A

Strings

chunk_temp lower than ..., xrefs: 00007FF6742B4EA4
%s: WriteFile code: %lu, xrefs: 00007FF6742B4FA1
%s: ReadFile code: %lu, xrefs: 00007FF6742B4DC2
Read Error: %s, xrefs: 00007FF6742B5126
Set pos error: %s, xrefs: 00007FF6742B50BA
Write error: %s, xrefs: 00007FF6742B504A

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: ErrorFileLastSleep_invalid_parameter_noinfo_noreturn$PointerReadWrite
String ID: %s: ReadFile code: %lu$%s: WriteFile code: %lu$Read Error: %s$Set pos error: %s$Write error: %s$chunk_temp lower than ...
API String ID: 307714751-660172818
Opcode ID: 8ff17aba8571b596b71c61eca1f68f95fa79aae34e26ed8da767cfe02ddc884c
Instruction ID: 3a0bad86ae819085e16206d556a1651bf203fd3be0b0efee4adf4b3eee573cda
Opcode Fuzzy Hash: 8ff17aba8571b596b71c61eca1f68f95fa79aae34e26ed8da767cfe02ddc884c
Instruction Fuzzy Hash: 96E1E1A3B24A92C5EB00DB65E2887AD23A1FB457CCF415531DE2D97B85EF3AD865C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742D0D88 Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF6742D0DD6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6742D1442
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6742D15B8
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6742D1876
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6742D1A96
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6742D1CD3
memcpy_s.LIBCPMT ref: 00007FF6742D1DAE
memcpy_s.LIBCPMT ref: 00007FF6742D1E59
memcpy_s.LIBCPMT ref: 00007FF6742D1F28

Strings

1#INF, xrefs: 00007FF6742D0EFF
1#SNAN, xrefs: 00007FF6742D0EE6
1#IND, xrefs: 00007FF6742D0EC3
1#QNAN, xrefs: 00007FF6742D0EEF

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 70cc4fd567b73fb8bf3b056e7c9f07d57cb541c072de653126725481d6934a1a
Instruction ID: 6074dd6ec62000af0c84c18a024ac41836b7a9f4b16b77ff764a28a792f63135
Opcode Fuzzy Hash: 70cc4fd567b73fb8bf3b056e7c9f07d57cb541c072de653126725481d6934a1a
Instruction Fuzzy Hash: 0FB2C573B28292CAE7648E74D6887F937A1FF54348F605135DA2997E84DF3AA910CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742CEBF8 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6742C8E64: GetLastError.KERNEL32 ref: 00007FF6742C8E73
Part of subcall function 00007FF6742C8E64: FlsGetValue.KERNEL32 ref: 00007FF6742C8E88
Part of subcall function 00007FF6742C8E64: SetLastError.KERNEL32 ref: 00007FF6742C8F13

TranslateName.LIBCMT ref: 00007FF6742CEC62
TranslateName.LIBCMT ref: 00007FF6742CEC9D
GetACP.KERNEL32(?,?,?,00000000,00000092,00007FF6742C44B4), ref: 00007FF6742CECE4
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FF6742C44B4), ref: 00007FF6742CED1C
GetLocaleInfoW.KERNEL32 ref: 00007FF6742CEED9

Strings

utf8, xrefs: 00007FF6742CEE00

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
String ID: utf8
API String ID: 3069159798-905460609
Opcode ID: 1d490082e306580fd8623a09715d75781349c1d5c93aa240376253c9436d04cc
Instruction ID: 5ba5a52bb99a038cfe8e34bae851de08a36a8eccae344f8bcec8c6409fcd66a6
Opcode Fuzzy Hash: 1d490082e306580fd8623a09715d75781349c1d5c93aa240376253c9436d04cc
Instruction Fuzzy Hash: EB91D233A28782D5EB649F21D6882B923A4FF44B80F444231DA6DC7796DF3EE961D700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742CF640 Relevance: 10.7, APIs: 7, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6742C8E64: GetLastError.KERNEL32 ref: 00007FF6742C8E73
Part of subcall function 00007FF6742C8E64: FlsGetValue.KERNEL32 ref: 00007FF6742C8E88
Part of subcall function 00007FF6742C8E64: SetLastError.KERNEL32 ref: 00007FF6742C8F13

Part of subcall function 00007FF6742C8E64: FlsSetValue.KERNEL32 ref: 00007FF6742C8EA9

GetUserDefaultLCID.KERNEL32(?,00000000,00000092,?), ref: 00007FF6742CF7B0

Part of subcall function 00007FF6742C8E64: FlsSetValue.KERNEL32 ref: 00007FF6742C8ED6
Part of subcall function 00007FF6742C8E64: FlsSetValue.KERNEL32 ref: 00007FF6742C8EE7
Part of subcall function 00007FF6742C8E64: FlsSetValue.KERNEL32 ref: 00007FF6742C8EF8

EnumSystemLocalesW.KERNEL32(?,00000000,00000092,?,?,00000000,?,00007FF6742C44AD), ref: 00007FF6742CF797
ProcessCodePage.LIBCMT ref: 00007FF6742CF7DA
IsValidCodePage.KERNEL32 ref: 00007FF6742CF7EC
IsValidLocale.KERNEL32 ref: 00007FF6742CF802
GetLocaleInfoW.KERNEL32 ref: 00007FF6742CF85E
GetLocaleInfoW.KERNEL32 ref: 00007FF6742CF87A

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2591520935-0
Opcode ID: 23f6e4cf76c35f806863010f25958cb4f32e3b5fa2040ca2053a6af6827cab33
Instruction ID: 370ae5e215972291b6f78f4c75e9800961af0d8df574961131685b07204c77fc
Opcode Fuzzy Hash: 23f6e4cf76c35f806863010f25958cb4f32e3b5fa2040ca2053a6af6827cab33
Instruction Fuzzy Hash: 29715C23B24602C9FB509B60DAA86B833A0BF44744F554635CA3D936D5EF3EE465C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B6C28 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6742B6C44
RtlCaptureContext.KERNEL32 ref: 00007FF6742B6C71
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6742B6C8B
RtlVirtualUnwind.KERNEL32 ref: 00007FF6742B6CCC
IsDebuggerPresent.KERNEL32 ref: 00007FF6742B6D20
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6742B6D3D
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6742B6D48

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 84e68ae59cf7163888860e0c5a186ad712cc4d4e62cf99c4a6f7c53775a592d5
Instruction ID: 0c01c9a0228305bf58c299e800994fa7aa92ef3546e06e50651677642fba0a74
Opcode Fuzzy Hash: 84e68ae59cf7163888860e0c5a186ad712cc4d4e62cf99c4a6f7c53775a592d5
Instruction Fuzzy Hash: 07316D73618B81C6EB608F60E8983EE3360FB84744F44443ADA5D87B95EF39C158CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C244C Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6742C24C5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6742C24DD
RtlVirtualUnwind.KERNEL32 ref: 00007FF6742C2518
IsDebuggerPresent.KERNEL32 ref: 00007FF6742C2551
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6742C255B
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6742C2566

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 3312c0988a8bcfbdfe18924e916b3429786889b73280f94826e7862e477fb667
Instruction ID: 47d0bb46822676a66b0fdb3463be3e12fc5c47ec906a6410697e7054ba94889b
Opcode Fuzzy Hash: 3312c0988a8bcfbdfe18924e916b3429786889b73280f94826e7862e477fb667
Instruction Fuzzy Hash: F1315133628F81C6DB608F25E9982AE73A4FB88794F540135EAAD83B54EF39C155CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A3C6C Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 371COMMON

Download Yara Rule

Strings

%, xrefs: 00007FF6742A409D
+, xrefs: 00007FF6742A40B6

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID: %$+
API String ID: 0-2626897407
Opcode ID: 396aacdfebceeb62c2af7e04697d2a30af4523d0343dbbba7f5d3c897fb6d5a2
Instruction ID: c2f4f9e0701992b0ab5b9a53e4c5956eac604ce43f682e53331d6ddf15898777
Opcode Fuzzy Hash: 396aacdfebceeb62c2af7e04697d2a30af4523d0343dbbba7f5d3c897fb6d5a2
Instruction Fuzzy Hash: 01E11423B28A80CAF710CB64D5843ED63A1EF59798F404235EE6DA7B89EE3DE455C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B6E74 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6742B6EA0
GetCurrentThreadId.KERNEL32 ref: 00007FF6742B6EAE
GetCurrentProcessId.KERNEL32 ref: 00007FF6742B6EBA
QueryPerformanceCounter.KERNEL32 ref: 00007FF6742B6ECA

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 79c9b0f9dadbbc5242965cc80fc39ea2149d6ea32da4473382a5cb91d67129c6
Instruction ID: 2e637fc4f6e544a9a1709fd61000e0f597473047a848bd443faecc23ce8f6e08
Opcode Fuzzy Hash: 79c9b0f9dadbbc5242965cc80fc39ea2149d6ea32da4473382a5cb91d67129c6
Instruction Fuzzy Hash: C0111C22B24F01CAEB008F71E9982B833A4FB59758F440E31DA7D867A4DF79D1648740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C62C0 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6742C6326
memcpy_s.LIBCPMT ref: 00007FF6742C6351

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 8101bab96facb9530bfb020494a0e1e968264cdbe7156957248635d7c5768935
Instruction ID: d1df2e4def7a6c207b347bb136e6318896949a8ef9ce265692c16810ae9756f8
Opcode Fuzzy Hash: 8101bab96facb9530bfb020494a0e1e968264cdbe7156957248635d7c5768935
Instruction Fuzzy Hash: 56C11573B28685C7E7348F15A28866AB791F794B84F448234DB5E83B44DF3EE815CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742CF0BC Relevance: 4.7, APIs: 3, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6742C8E64: GetLastError.KERNEL32 ref: 00007FF6742C8E73
Part of subcall function 00007FF6742C8E64: FlsGetValue.KERNEL32 ref: 00007FF6742C8E88
Part of subcall function 00007FF6742C8E64: SetLastError.KERNEL32 ref: 00007FF6742C8F13

Part of subcall function 00007FF6742C8E64: FlsSetValue.KERNEL32 ref: 00007FF6742C8EA9

GetLocaleInfoW.KERNEL32 ref: 00007FF6742CF128

Part of subcall function 00007FF6742D09DC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6742D09F9

GetLocaleInfoW.KERNEL32 ref: 00007FF6742CF171

Part of subcall function 00007FF6742D09DC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6742D0A52

GetLocaleInfoW.KERNEL32 ref: 00007FF6742CF239

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
String ID:
API String ID: 1791019856-0
Opcode ID: d461efe0fe1f513d216daf5176c78dc439ee3c054b6e09a311d5172e4bb09b81
Instruction ID: 1100c6e94bb3cae6f144f0ea860bbadb6234f267dbaad4903c421c906def3f30
Opcode Fuzzy Hash: d461efe0fe1f513d216daf5176c78dc439ee3c054b6e09a311d5172e4bb09b81
Instruction Fuzzy Hash: 0E616D33A28642CAEB648F11D6982B973A0FB44744F118236DBAED36D5DF3EE561C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742CA2D8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,00007FF6742C4686), ref: 00007FF6742CA34C

Strings

GetLocaleInfoEx, xrefs: 00007FF6742CA2F4, 00007FF6742CA305

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 5a1b2d5ed05dfb9b62552447e977e29e13ea927aadda18441a17208230425ce9
Instruction ID: 893aec7b151b8172e275037ac1544a9a704b341004b380e59a98e36e539d06d6
Opcode Fuzzy Hash: 5a1b2d5ed05dfb9b62552447e977e29e13ea927aadda18441a17208230425ce9
Instruction Fuzzy Hash: 4901F722B28A41C6EB409B46B6881AAA360BF85BC0FA84131DF7D93769CE3DD4218740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C988C Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF6742C9ADB
RaiseException.KERNEL32 ref: 00007FF6742C9AEC

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 5812ffbef43ebe859d62aac9788af41783c98377070f65411d8d0bc06007879a
Instruction ID: 802a08a78b401015254a83ce490247ab0761b4ce3061da25fd293b6272c7ec73
Opcode Fuzzy Hash: 5812ffbef43ebe859d62aac9788af41783c98377070f65411d8d0bc06007879a
Instruction Fuzzy Hash: FDB13C73614B85CBEB19CF29C98A36C77A0F745B48F258A21DA6D837A4DF3AD461C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C0F80 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6742C1330
, xrefs: 00007FF6742C10EE

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: dae217727878cdb9d063eb669f0c43cb88bda073a20ff5c18db5ef06657e1012
Instruction ID: b11755db3f6451576f3abc0b58918139afa828490629a83f2680a1f78bc48fde
Opcode Fuzzy Hash: dae217727878cdb9d063eb669f0c43cb88bda073a20ff5c18db5ef06657e1012
Instruction Fuzzy Hash: EDE19137B28652C1EB688E25829A13D73A0FF45B48F145335DE6E87794DF2BE861CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C7E1C Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF6742C7FA6
e+000, xrefs: 00007FF6742C7F29

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 8c3438ccbad307ded63125fc4a6b823cab797d1787c1556cd9d3d0aea9bd53de
Instruction ID: 95a3c11278c45d2a8c938907e8e5bc7d534de61c0b5b28d69f8e130876e01c34
Opcode Fuzzy Hash: 8c3438ccbad307ded63125fc4a6b823cab797d1787c1556cd9d3d0aea9bd53de
Instruction Fuzzy Hash: B4515B23B286C6C6E7258E359A89769BB91E784B94F088331CB7C87AD5CF7ED454C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C5B3C Relevance: 1.9, APIs: 1, Instructions: 373COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FF6742C5C84

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 4a0edbaba669729d42e9f645f137cd90ab924802c5efdff376890079922acf7b
Instruction ID: 17810c0b364164fdd6479d62cb8086dbf048beaa98c03c01a8b0b11070164386
Opcode Fuzzy Hash: 4a0edbaba669729d42e9f645f137cd90ab924802c5efdff376890079922acf7b
Instruction Fuzzy Hash: 0F128B23A18BC1C6E751CF2895882F977A4FB58748F059335EBAD82692DF3AE1D5C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742CCFC8 Relevance: 1.8, APIs: 1, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce88f363b336b5ad30f2b9ed4f514f1d76a83bf433fa07912be89098a61c10a
Instruction ID: ce73ac12cbbcccc0cff6fc049bece9df7a05b0060284e0bdea7709ceb9f889f8
Opcode Fuzzy Hash: 1ce88f363b336b5ad30f2b9ed4f514f1d76a83bf433fa07912be89098a61c10a
Instruction Fuzzy Hash: 85E16D23A14B81C6E720DB61E5846EE67A4FB94788F004631DBAD93B96EF3DE255C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742CB0F4 Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0b905269a57122a833617a20a68b377d545aeb4f64221e2ea1447ea964d5b1
Instruction ID: d0b88ee602ae7c79883897b2963d70365b7c33ef46487ad8d27a53e5e1e48078
Opcode Fuzzy Hash: 3a0b905269a57122a833617a20a68b377d545aeb4f64221e2ea1447ea964d5b1
Instruction Fuzzy Hash: CE51F623B18681C5FB209B72B9886BE7BA5FB44794F144234EE6CA7B99CE3DD411C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742CF304 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6742C8E64: GetLastError.KERNEL32 ref: 00007FF6742C8E73
Part of subcall function 00007FF6742C8E64: FlsGetValue.KERNEL32 ref: 00007FF6742C8E88
Part of subcall function 00007FF6742C8E64: SetLastError.KERNEL32 ref: 00007FF6742C8F13

Part of subcall function 00007FF6742C8E64: FlsSetValue.KERNEL32 ref: 00007FF6742C8EA9

GetLocaleInfoW.KERNEL32 ref: 00007FF6742CF36C

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: ErrorLastValue$InfoLocale
String ID:
API String ID: 673564084-0
Opcode ID: cc68c748ae957abc1edaf4846f94482a336f9d3437e949dee5c092cbc8d24836
Instruction ID: 5eea1f48f830155c178a1f80534d90935cb9e31fb79ffa93505f223931d1eb2b
Opcode Fuzzy Hash: cc68c748ae957abc1edaf4846f94482a336f9d3437e949dee5c092cbc8d24836
Instruction Fuzzy Hash: ED31A733A28682C6EB64CB21D6953A9B390FB44744F018235DB6DC3685DF3DE421C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742CEF54 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6742C8E64: GetLastError.KERNEL32 ref: 00007FF6742C8E73
Part of subcall function 00007FF6742C8E64: FlsGetValue.KERNEL32 ref: 00007FF6742C8E88
Part of subcall function 00007FF6742C8E64: SetLastError.KERNEL32 ref: 00007FF6742C8F13

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF6742CF743,?,00000000,00000092,?,?,00000000,?,00007FF6742C44AD), ref: 00007FF6742CEFF2

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 286ba92e4ed492cd8040735803c178d796cebc7ed09023b100df4be7ab7e4527
Instruction ID: daee5ca117a8950046e86d72da3ad93a34aaec0d658779389721d1810f510611
Opcode Fuzzy Hash: 286ba92e4ed492cd8040735803c178d796cebc7ed09023b100df4be7ab7e4527
Instruction Fuzzy Hash: EF112463A28645CAEB148F16D1846AC7BA0FB90FA0F448235D639833C0DE79DAE1C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742CF50C Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6742C8E64: GetLastError.KERNEL32 ref: 00007FF6742C8E73
Part of subcall function 00007FF6742C8E64: FlsGetValue.KERNEL32 ref: 00007FF6742C8E88
Part of subcall function 00007FF6742C8E64: SetLastError.KERNEL32 ref: 00007FF6742C8F13

GetLocaleInfoW.KERNEL32(?,?,?,00007FF6742CF2B6), ref: 00007FF6742CF543

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: ErrorLast$InfoLocaleValue
String ID:
API String ID: 3796814847-0
Opcode ID: 49358c4ce1c07a025baae78e35b4d9daadecdf4c918272c29e531d36072cbcd7
Instruction ID: bf32ba0a0bbb21101c30da772fe4aac19f1226d0a0ae2f0e02da7f81a8104e49
Opcode Fuzzy Hash: 49358c4ce1c07a025baae78e35b4d9daadecdf4c918272c29e531d36072cbcd7
Instruction Fuzzy Hash: 14112733F28652C3E7749B25A298A7E62A1EF447E4F158331DB3D876C4DE2BD8618704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742CF024 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6742C8E64: GetLastError.KERNEL32 ref: 00007FF6742C8E73
Part of subcall function 00007FF6742C8E64: FlsGetValue.KERNEL32 ref: 00007FF6742C8E88
Part of subcall function 00007FF6742C8E64: SetLastError.KERNEL32 ref: 00007FF6742C8F13

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF6742CF6FF,?,00000000,00000092,?,?,00000000,?,00007FF6742C44AD), ref: 00007FF6742CF0A2

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: e51575e694956f531ce4708d1c77677f33b849bb2291ae8e07572d3af8d3c4e1
Instruction ID: 71642978efa009ee002fec2cb9bedb2aa3cd04e24fdee388e59322bbe0ebc9b6
Opcode Fuzzy Hash: e51575e694956f531ce4708d1c77677f33b849bb2291ae8e07572d3af8d3c4e1
Instruction Fuzzy Hash: 0401F563E28281C6E7105B15E6947B976A1EF40FA5F468331D778872C9CF3ED8A08700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C9F44 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF6742CA2A7,?,?,?,?,?,?,?,?,00000000,00007FF6742CE5A4), ref: 00007FF6742C9F93

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: d2ea729cd01a94652441c2046644d81e5ecd1273ae8bfc3d93655d5be856da6d
Instruction ID: 74a76c4cdfd2854cc7ff8bf7178d59880ee84774768d879e79b7402b637b1336
Opcode Fuzzy Hash: d2ea729cd01a94652441c2046644d81e5ecd1273ae8bfc3d93655d5be856da6d
Instruction Fuzzy Hash: C2F06D72728A41C3E700CB25E9D81B93365EB98780F949135DA2DC3368CE3DD9A0C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C7988 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF6742C7CCA

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: 99caf2232c02577947a66c4a7578ce2fd4ee368dfa2a2867abe0d0b1514b6803
Instruction ID: 5ffe8639284e8e4812202b0e23702d7392f3ad7d5c47595e544dc3fb544037ee
Opcode Fuzzy Hash: 99caf2232c02577947a66c4a7578ce2fd4ee368dfa2a2867abe0d0b1514b6803
Instruction Fuzzy Hash: 8EA13763B187C786EB21DF29A1847AD7791EBA0784F048231DE6D87785DE3ED511C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C01E8 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6742C03C4

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 587d874626e6d47024e124445b9827978a74faaef00526dbfa77e774f16517e2
Instruction ID: 464564f65013d7e91e6502d7988c7139c827554b549d5b95f9e351a24fdfa417
Opcode Fuzzy Hash: 587d874626e6d47024e124445b9827978a74faaef00526dbfa77e774f16517e2
Instruction Fuzzy Hash: F9B1AE73928B45CAEB658F69C19827D3BA0F749B48F240235CB5D87396CF3AD861C744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742D030C Relevance: 1.4, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6742D03B1

Part of subcall function 00007FF6742C779C: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF6742C903E,?,?,00008E472D18676E,00007FF6742C5655,?,?,?,?,00007FF6742D08D6,?,?,00000000), ref: 00007FF6742C77F1

Part of subcall function 00007FF6742C7814: HeapFree.KERNEL32(?,?,02E0E02583480000,00007FF6742CD856,?,?,?,00007FF6742CDBD3,?,?,00000000,00007FF6742CE2A1,?,?,00007FF6742C38CE,00007FF6742CE1D3), ref: 00007FF6742C782A
Part of subcall function 00007FF6742C7814: GetLastError.KERNEL32(?,?,02E0E02583480000,00007FF6742CD856,?,?,?,00007FF6742CDBD3,?,?,00000000,00007FF6742CE2A1,?,?,00007FF6742C38CE,00007FF6742CE1D3), ref: 00007FF6742C7834

Part of subcall function 00007FF6742D3820: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6742D3853

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: ErrorHeapLast$AllocateFree_invalid_parameter_noinfo
String ID:
API String ID: 3806578645-0
Opcode ID: 593324b23f3fe159bea632eaa518391d129f51ec5ada1e72ace811e51016f3f9
Instruction ID: cc24a8f252b523ebf6f545099dc80a2e88cb3962d236fcfd4096a47265ec9667
Opcode Fuzzy Hash: 593324b23f3fe159bea632eaa518391d129f51ec5ada1e72ace811e51016f3f9
Instruction Fuzzy Hash: CA41DD23F29243C1F7705E267A99BBA6380BF84784F544535DE6DC7792DE3EE4218A00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742CC5F0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6742CC5F4

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: a48301b3e8bd8336d2c4c15100959fdbedb8e0a4fe361930ffa088a6798e35fb
Instruction ID: aedf0f40ce1604e81298d0d3d27d657a1818415bac174292d6f3c06c722fba7c
Opcode Fuzzy Hash: a48301b3e8bd8336d2c4c15100959fdbedb8e0a4fe361930ffa088a6798e35fb
Instruction Fuzzy Hash: 7CB09222F27A02C2EA082B126ECA62422A57F48700FD80138C23D81320DF3E24B99B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742AD1A0 Relevance: .9, Instructions: 933COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bc102119f58a29aac4fe10151e59b3b1a90a569436f9169f09230dd2c65f9d7
Instruction ID: 37acb297e7a50f4992d32d37bada4ac9d64a09eb6e9f444327b7aef247ec5169
Opcode Fuzzy Hash: 7bc102119f58a29aac4fe10151e59b3b1a90a569436f9169f09230dd2c65f9d7
Instruction Fuzzy Hash: C682A0B77358604BE35DCA25A835D7A33A5F35E74E386210DDE038BA85ED3A6E01DB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B20F0 Relevance: .6, Instructions: 628COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 793b77aa3b9019afc03060ce48c2b4c5513af898c4d68fc16fb88d595bfae424
Instruction ID: bb52b579b4bfd9981941e9a52c3125b4ebd81e27110cbf2d8f371c665897db05
Opcode Fuzzy Hash: 793b77aa3b9019afc03060ce48c2b4c5513af898c4d68fc16fb88d595bfae424
Instruction Fuzzy Hash: 744227736281F18BE304CF2A999457D7EE0E789781F81512AEF99CB781CE3C9521DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B1180 Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0bd0b37ffa1759638b6be074ea24fe253488dde7abbff6faa10bd3c270c6c1
Instruction ID: 7f15a7c8653ada0603fc51b9eef4d98b24e985037fca8c56f4fa59717bb27af6
Opcode Fuzzy Hash: bd0bd0b37ffa1759638b6be074ea24fe253488dde7abbff6faa10bd3c270c6c1
Instruction Fuzzy Hash: 7F2223933381F406A309463D2C6457E7DC1E78E24A3811669FEE6DBBD2D43DC922EB64

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742AFE50 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c205cee79caf598bf0d3a64ef5736f355e77f31d5c1e4fe251b196ca1445a2f4
Instruction ID: 7e9fddb496fabd3b6e431fb4c5da6d6573902301fce59cd222eb1fdb99c46df9
Opcode Fuzzy Hash: c205cee79caf598bf0d3a64ef5736f355e77f31d5c1e4fe251b196ca1445a2f4
Instruction Fuzzy Hash: ADE1E9A22281F407A31D862E586147F7ED1E3C72423C0A119FED7D7EC1EA3ED4229761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742ACA10 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbcdfce9c02f214f295e742ba125df1d3da478a6cab93434813367c610bae3ad
Instruction ID: 203b22772530f18d7386e014e71e454b82ccbe20f0c0cd52f1acd82e466f5f3d
Opcode Fuzzy Hash: cbcdfce9c02f214f295e742ba125df1d3da478a6cab93434813367c610bae3ad
Instruction Fuzzy Hash: 9BE1E2B77348604BE35DCA25A839D3A33A5F35E74D386611DDF038BA85ED3A6A01DB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A8550 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8435c8d679b8b2c6496efc403c24dac5fb81acea92f0bb30522464f3dbb225d
Instruction ID: 477ab1873096d1bb48c4177b06246cfa24ac164176430a835cc379fd4a8ca1c3
Opcode Fuzzy Hash: f8435c8d679b8b2c6496efc403c24dac5fb81acea92f0bb30522464f3dbb225d
Instruction Fuzzy Hash: 01D111B373568987FE44DB1A94AD6A9A3A2E748BC4F85A033EE4E5B305DE7CD404D300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B3410 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9daeaa7acd5c589b01f67b03558f190d8e85298ff6752610619d6d6ce50738e1
Instruction ID: 3bb125480530672c34a7cbbc205bd50d7213922346a0a59a1eec395d68a874e7
Opcode Fuzzy Hash: 9daeaa7acd5c589b01f67b03558f190d8e85298ff6752610619d6d6ce50738e1
Instruction Fuzzy Hash: 9DE1D6731141A087D34DCB1AA86447F7BA6FBC974BB86911AFB8717B84C63CA811DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B2E40 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 637c4008feb5109ed34639b7dbb9ff0e6a7159aa47fc7bbfa1bd558c830cde80
Instruction ID: 203e5ab441a11109d61c1d93bf415b8cf6cba8ad2ee6122b3f74613b3004bcdc
Opcode Fuzzy Hash: 637c4008feb5109ed34639b7dbb9ff0e6a7159aa47fc7bbfa1bd558c830cde80
Instruction Fuzzy Hash: 38E1F6731142A097D3098F1AA4A847F7BA1F7C978BB82911AFF8617794C63CA911DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C0B7C Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af858e9e14ac09c49983a8736e503b45199438c8200736f165088af713fffa7
Instruction ID: f43218232a4dbd0ada209b83568403a2d48a78edbb4ff5b20b5ec8259ed21b6f
Opcode Fuzzy Hash: 9af858e9e14ac09c49983a8736e503b45199438c8200736f165088af713fffa7
Instruction Fuzzy Hash: 09D1E223A28646C5EB688E69C29827D37A1EF05B48F144335CE2EC7695CF3BE961C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742AAB30 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27852327d0c58a3e26490ccc60f5124dcfd4430439b8098d8eea94a96b931de
Instruction ID: 277db04f136d8d35e0e0900b1503462f1298ee8cfb4419c344ea1ea773c42e3f
Opcode Fuzzy Hash: b27852327d0c58a3e26490ccc60f5124dcfd4430439b8098d8eea94a96b931de
Instruction Fuzzy Hash: ACD1A163B28A82C6FB04CB68D5882BD2761EF54748F904536CE6D97B85FF3AD525C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742ABF60 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef274a0ec8b1fed00ea5e9ffea506ee0999eb63d916a0f71bfd932ec968f5a5
Instruction ID: b17ea1baa33496dab0dab16f21a045fe62333b12942793114555c4c52a916067
Opcode Fuzzy Hash: bef274a0ec8b1fed00ea5e9ffea506ee0999eb63d916a0f71bfd932ec968f5a5
Instruction Fuzzy Hash: C0A131B7B34C2143E76C8519EC66FB81582E3D5388F48A23CEB2BD7FC5D86D85518A44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A8C70 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49126a069e1fc59a4475752b6d288fd782a2faec249561dc26f563f520af506b
Instruction ID: f55802fd7476c571235712544a748458bef57976c51a0fcd0ada6e872c6ee091
Opcode Fuzzy Hash: 49126a069e1fc59a4475752b6d288fd782a2faec249561dc26f563f520af506b
Instruction Fuzzy Hash: E3E1C8237186C195D7098B3596542FABFA1EB4A780F844036DFED8B687DF2DE264C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C42FC Relevance: .3, Instructions: 309COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
String ID:
API String ID: 4023145424-0
Opcode ID: b1441fb08cade6253943db9c8aaf19873f96dc4d170b385b58385afb110cfba6
Instruction ID: 39294d0397ddc20dd97c1a7add1e4196ae63953c6ba81f6575e006495f0d9a20
Opcode Fuzzy Hash: b1441fb08cade6253943db9c8aaf19873f96dc4d170b385b58385afb110cfba6
Instruction Fuzzy Hash: DEC10A27A68682C5EB609B2196943BB27A1FF94788F504231DE6DC7688DF3ED524C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A93B0 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e6497ac30adcf907d8762970d16f6537c54a69dcb5f064e17baedfe821dbee
Instruction ID: 28919781d84d4a5f4d8ba47dd8cdb45855e27a63f81a6472f47af9f5edbdd1dd
Opcode Fuzzy Hash: c3e6497ac30adcf907d8762970d16f6537c54a69dcb5f064e17baedfe821dbee
Instruction Fuzzy Hash: 71C19B33B28A41C6EB608F26DA8836963A9FF41B84F648536DE5D87788DF3DD464C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742CE668 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: ErrorLast$Value_invalid_parameter_noinfo
String ID:
API String ID: 1500699246-0
Opcode ID: 505c27c4103f5c2ed6ec658dbc5e5e276124c86468af375ee7f57686fc6e1210
Instruction ID: 76c83c14adb2325b66cdae7d7425d0e5a56e547cbdf0f0b34f564008672c413a
Opcode Fuzzy Hash: 505c27c4103f5c2ed6ec658dbc5e5e276124c86468af375ee7f57686fc6e1210
Instruction Fuzzy Hash: 6FB1E733A28646D2EB649F21D6896B93390FB54B88F004331DA6DC36C5DF3EE565D740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742AB520 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e882f33baaa76bff35b2c0386826040e2a13ca958fc2b046813857daf0d09939
Instruction ID: fe650ec811b1b98ac00624c1003cdd58df15694548b7bcd3d692f9957810c331
Opcode Fuzzy Hash: e882f33baaa76bff35b2c0386826040e2a13ca958fc2b046813857daf0d09939
Instruction Fuzzy Hash: B081AF77B205248BE358CF3E9841D8E3BD5E3C87847919639EB16C3B05E5B9D952CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C5790 Relevance: .2, Instructions: 207COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1c867ba633971ab1d31814a4d8b350a2a021105a0a322f28f192c40e8b1df6b0
Instruction ID: 49c217fdc810ddafe2621760ffd7761ea4b1b0728066f292a45ca77dbccf7fa7
Opcode Fuzzy Hash: 1c867ba633971ab1d31814a4d8b350a2a021105a0a322f28f192c40e8b1df6b0
Instruction Fuzzy Hash: C7818F33A24A51C6EB608E25C5D93792360FB44BA8F158736EE6E97794CF3AD0A1C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B1DE0 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf417966f6f196605ddd7b9209edf46ecaff30987455c5b1c9512f1aef680e8
Instruction ID: f398ccb8dd25503d6cdf656a94ee7452c31aa26513840cadb2cb6b9804a8ef6a
Opcode Fuzzy Hash: fdf417966f6f196605ddd7b9209edf46ecaff30987455c5b1c9512f1aef680e8
Instruction Fuzzy Hash: 85718C32A185E1C6E758873698A83FB7BD2F7D5345F458136EAC883B86CA3DC115CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C849C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e6d14725235eb52b77a1aa5f5aacb0fc5da9bb3a9f01f5f90a0d3b73c56456
Instruction ID: f51c986dd447442e6482cff9a6dafe615607bcbfa463e18085db5b1a58d4c78b
Opcode Fuzzy Hash: 23e6d14725235eb52b77a1aa5f5aacb0fc5da9bb3a9f01f5f90a0d3b73c56456
Instruction Fuzzy Hash: 2881E473A28781C6E774CB1996C837A6A90FB857D4F108335DAAD83B95DF3ED4108B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742AAB50 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef2ff6951fb276572e4d5b699430c20e4ea45a1454b5c198751d916a724532d
Instruction ID: 1d89b2955f6e613d35c08572576d500bc43d5d031f2f304a2b0443fd65695729
Opcode Fuzzy Hash: aef2ff6951fb276572e4d5b699430c20e4ea45a1454b5c198751d916a724532d
Instruction Fuzzy Hash: 7BA1B0336182D1CAD351CF25D598BB97BA0FB49749F458235EBA9C3249EE3EA520CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A9830 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d08d23a994eff7014c2206366e8722e878dc55d74a28426f6265a827e2d30d2
Instruction ID: e1865a14b1ed29b89cfa5f81e1d1ac0c1d9a5b5b1ca920ab7d350055a7a1295e
Opcode Fuzzy Hash: 9d08d23a994eff7014c2206366e8722e878dc55d74a28426f6265a827e2d30d2
Instruction Fuzzy Hash: DD81295681E7D19DC713A77E60020AAFE608DB744571CC387FAE471F53E20AE2C99B26

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742ABC10 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b75406b6ab88ad7fb43dc4c76f01e6c973e6bd363a480a428e05fd0a7f8024
Instruction ID: 95e0ee852402997286b12a7fdf51079a8a197e439ce24db1e7d916158833dbe9
Opcode Fuzzy Hash: 74b75406b6ab88ad7fb43dc4c76f01e6c973e6bd363a480a428e05fd0a7f8024
Instruction Fuzzy Hash: 715194B6F116588BCB548F0EB841655FAA5F79CBC4B149025EF4C97B38EA3CD942CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B0860 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae4672525ef25ba709a95ebe076e9f0e349eff9aced32971540103a6fa393c5a
Instruction ID: cb1b7f42d50eeb19cd2f821bdb39e7d4b26f15157b97fe5bed9b2dc9e4c1159d
Opcode Fuzzy Hash: ae4672525ef25ba709a95ebe076e9f0e349eff9aced32971540103a6fa393c5a
Instruction Fuzzy Hash: 975107A36345F406A3088B3A5C6452EBED1F78E6463869235FED6DB782D53DC802D724

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B0AE0 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6914f09646561f8116cc04910c61e57e44051c015771b1c6ad68be82b6e82853
Instruction ID: 07dd94c8b77fe649007a5de619c799795a2b80b59ed7cc1b363feef9ffb67d27
Opcode Fuzzy Hash: 6914f09646561f8116cc04910c61e57e44051c015771b1c6ad68be82b6e82853
Instruction Fuzzy Hash: 0C5107A36345F406A3088B3A5C6452EBED1F78E6463869235FED6DB782D53DC802D724

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742AA010 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad21ebd3ab5987f37411a6a36211fe241999f3c34834bb7fea43bcdeb57db45
Instruction ID: 9a1a7efd7bc1c6e9a586e3bbbe1b2f94817717ace54db429736f1ad0b430f59e
Opcode Fuzzy Hash: fad21ebd3ab5987f37411a6a36211fe241999f3c34834bb7fea43bcdeb57db45
Instruction Fuzzy Hash: 9B616696CABFD906F763F1371846091D6216FBB480934D323FCE675E22DB11B6D98244

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742AA012 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a497d029065a8eac1158d618db8d42fcbfa0795808e387be9b3addf34bff8e
Instruction ID: 1d2885b2355c13328b3d38778eb03d47bc31ddd3570e14adab0ae7dd862c7cd2
Opcode Fuzzy Hash: 76a497d029065a8eac1158d618db8d42fcbfa0795808e387be9b3addf34bff8e
Instruction Fuzzy Hash: CF614396CAAFD906F763F037188A091D6216FBB480934D323FDE675E22DB11B6D98244

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A9D50 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cecc4bf09cf790945126df03635be5a624bdf7884ddbd3d1cd16e7fc9dcb6b5e
Instruction ID: a22c26e75940fc9777c8bc337c3164088b07a4cc353214958fa709f3c39069c5
Opcode Fuzzy Hash: cecc4bf09cf790945126df03635be5a624bdf7884ddbd3d1cd16e7fc9dcb6b5e
Instruction Fuzzy Hash: 8F617195C4AF9842E713FA3B5886066D632AF7B540A35D327FDE935E21CB21F6C68340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A11FC Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5718ec26b9f9187bca170576e2c4ee00cb1c8e024ee4e38b141892ecb776cb1
Instruction ID: 2dd17ef63b26aa2e88c52a76ba064f2018ac4ebafa8d343036225cb60af95cb7
Opcode Fuzzy Hash: e5718ec26b9f9187bca170576e2c4ee00cb1c8e024ee4e38b141892ecb776cb1
Instruction Fuzzy Hash: 1B51F307B0C2E08EFB028BB945641FE3FB19B1A358F1964A5CFE953B47CD1A850AC760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742BEEAC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: 59c764295754febc53235d4110d82f3033184e65dfc214b90eeaeabcc4db0460
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: DC51A677A28A51C2E7248B29C18823833A0EB54F58F255131DE5D977A5EF7BE863C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742BF6CC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 12a08d2804dd7ab7ca6431cf2ce61d860b32d8b3161a8844b4860245e2c55d0c
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: B8518537A38651C2E7248B29C19822837A0EB49F58F258171CE9DD7794EF3BE863D740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742BF2BC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: 0246b444adac8e362ee9504edb03ef58493763e294dc4c8be0428bad1c9b0780
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: ED517377A28791C6E724CB29D19823873A0EB44B68F258131CA5DD7795EF3BE863C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742BF0B8 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a3dccb135ddd09f63c505db29ff29986bf9dd63497299e7c799fac6b959aa4
Instruction ID: cf487af400dc9cad722b1966fa390af97d1bcae795198d6348460a9310667333
Opcode Fuzzy Hash: f6a3dccb135ddd09f63c505db29ff29986bf9dd63497299e7c799fac6b959aa4
Instruction Fuzzy Hash: 63516377A38651C6E7248B29C28863937A0EB44B58F258131CE5DD7795EF3BE863C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742BECA8 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db363646d287334b7a31293e9082935613ba5dde14aee32d187fc7345eaa1eeb
Instruction ID: bfb73854994ece081878bf43e899071cff6c3ce66a13bdbc7c6b5d86be225f05
Opcode Fuzzy Hash: db363646d287334b7a31293e9082935613ba5dde14aee32d187fc7345eaa1eeb
Instruction Fuzzy Hash: 5151C637A38652D6E7248B28C18823837A4EB45F58F245131CE5DD77A5EF7BE862C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742BF4C8 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46230d8c0bb23a9b26f12389beaf27d8e9063d4bba2e4d98de2a57eaa924be5
Instruction ID: 332aef2acf3b84fce6d150bb0570ff51aa8d5c1649105141868ed1019be97ebf
Opcode Fuzzy Hash: e46230d8c0bb23a9b26f12389beaf27d8e9063d4bba2e4d98de2a57eaa924be5
Instruction Fuzzy Hash: FA516877A28651C6E7248F19C18833877A0EB48B58F258131CE5DD77A5EF3BE862C744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C3540 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: e4228691e955bd99339f79c97151fd7b10163bb4e9ab0fb752b165c518226525
Instruction ID: dbe979b963b5fe3861fb7f92fe913dd8ab87f2ea5aebd863e4b5c86e93d01f85
Opcode Fuzzy Hash: e4228691e955bd99339f79c97151fd7b10163bb4e9ab0fb752b165c518226525
Instruction Fuzzy Hash: E0412423728A55C2EF04CF2ADA98169B3A1FB88FC0B599532DE1DD7B58DE3ED5518300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A9B42 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a73defb420c0301d6211ef34a18bbfe4c14f7b5d1fdb07bd45b56ff44be47d
Instruction ID: f1d224b98e596ab61a5da0ce7201a3ba6913d171909053cf598c1fc6eb6ddf1f
Opcode Fuzzy Hash: 49a73defb420c0301d6211ef34a18bbfe4c14f7b5d1fdb07bd45b56ff44be47d
Instruction Fuzzy Hash: ED410E96CABFE906F743F13B0886091D2216FBB480578E313FDF175962DB11BAC98244

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A9B40 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8712fb7685a7bc5c307192e8a271bd055cd8e29da1ebad526d45390f58f2ebc2
Instruction ID: 4b844cb1415590da783767d26343eab893ac5576adb45dd054b26f38949b5a05
Opcode Fuzzy Hash: 8712fb7685a7bc5c307192e8a271bd055cd8e29da1ebad526d45390f58f2ebc2
Instruction Fuzzy Hash: FB411A96CABFE906F743F13B0886091D2216FBB480578E313FDF175922EB11BAC98244

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742AAF60 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da5decc7d44b5991bdcaf8dc27e5df3e3f834a4a37d431bae3e1d41514e3bdc1
Instruction ID: e2cde2194e6e2bb36fbc399fa50e9cd8a6c244d37e57acfe7191c05f684bbefa
Opcode Fuzzy Hash: da5decc7d44b5991bdcaf8dc27e5df3e3f834a4a37d431bae3e1d41514e3bdc1
Instruction Fuzzy Hash: EC41B12361D3D19AC7168B75A2450BEBFB0EB1B354B0A8092DFF847A47CE2CE169D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742AAF50 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c589e2d7475d8ffd9936c0a26d5ed3f3e51c120a2419c501d862aecb32b83e
Instruction ID: 18aaecf4d9528e07ec624ab303e7148daf923331a2c88c7c34021942ff36146b
Opcode Fuzzy Hash: b9c589e2d7475d8ffd9936c0a26d5ed3f3e51c120a2419c501d862aecb32b83e
Instruction Fuzzy Hash: 8241B42361D3C19AC7168B75A2450BEBFB0EB1B790B0AC052DFF847A47DA2CE169D711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A8230 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8423b740542bbc846aa3f26c00602555a174eef9b3fa68c55d937d9eaf423b7b
Instruction ID: 2e94acfb99da30c3bcc0e53947c8c170f3666b1b57b9d15739ed12eb99f39c56
Opcode Fuzzy Hash: 8423b740542bbc846aa3f26c00602555a174eef9b3fa68c55d937d9eaf423b7b
Instruction Fuzzy Hash: 4841AE32B2974586E7548B64E6987A977A0FB88780F90513ADF9E83790DF3DE460CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B0730 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2728dc5e9c5f93e1ca93c12a13c62ddba9ac8287f2c550728baecfbe47a9b5b0
Instruction ID: 7ccf2f246da3bee1ae831cbe4731b60dcf90f3db3c170831c9cf8098494ce207
Opcode Fuzzy Hash: 2728dc5e9c5f93e1ca93c12a13c62ddba9ac8287f2c550728baecfbe47a9b5b0
Instruction Fuzzy Hash: 9431D6333289908BA358CF3EAC1152B7692F7D8781745D529FF5AC3B56CA78C502CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A9190 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a314bc253aa598a84304ff2f055a79c34ef46d3b88a1f83dd1b3010dddcc368c
Instruction ID: 6712737a031d343f13e8c8e8582cea51a6bb68e80cb4468b68c801ce2e2ee8aa
Opcode Fuzzy Hash: a314bc253aa598a84304ff2f055a79c34ef46d3b88a1f83dd1b3010dddcc368c
Instruction Fuzzy Hash: 2531A0333197C596D70E9A399A693EAAB50FB45790F440026CFAC8B683CF68E136C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A8B00 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 558910b8a58765232ab734f5ed0002cfde70dc3fc16e816fb505de0f03801711
Instruction ID: 3b44d145697f08c12e4a8580f6885ab80723adbe65d0ee958c4d60830e01e27f
Opcode Fuzzy Hash: 558910b8a58765232ab734f5ed0002cfde70dc3fc16e816fb505de0f03801711
Instruction Fuzzy Hash: 9D31E9729147D154D7429B39E1053DAF664AF9BB88F198326EF8876713EF399282C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742AE2B0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669b6542c02ecb0bbb3e60ab2ab0b00fe971b16ad71d4d7d883ca442f54acb5d
Instruction ID: 256f3ce831bfd119325a46b9d8930ffd4cc1ca6ba4f813afd3448650dd34b4f3
Opcode Fuzzy Hash: 669b6542c02ecb0bbb3e60ab2ab0b00fe971b16ad71d4d7d883ca442f54acb5d
Instruction Fuzzy Hash: 262101A23341F41BA309CB3E9941169BED0F3CA6863848121FEE6D7A85D63ED802D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B6E08 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8104b3c7c7b61104e8bfd4b65803c1eea16c828d3de3daa29b57a1546cf0a612
Instruction ID: 5adc4e3bee5cec6b7c3aebc57fee47b58e24cf73933832de663bb3e48923d48e
Opcode Fuzzy Hash: 8104b3c7c7b61104e8bfd4b65803c1eea16c828d3de3daa29b57a1546cf0a612
Instruction Fuzzy Hash: 5BA00123928C42D0E6488B04EA984262220EB60300B540071C02D81460AE7EA4A0D755

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742BE530 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6742BE570
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6742BE938
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6742BEBD7

Strings

f, xrefs: 00007FF6742BE608
f, xrefs: 00007FF6742BE672
p, xrefs: 00007FF6742BE615
f, xrefs: 00007FF6742BE7BD
p, xrefs: 00007FF6742BE67A

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: e3a8d8bfeb5cb2a65c2c467754c3467bbb615d516fd2690564e53e4db3ed3e50
Instruction ID: a3406f818b36189cc4b473ce382b362febd508a0f5bb7f596af162144c3c1d4b
Opcode Fuzzy Hash: e3a8d8bfeb5cb2a65c2c467754c3467bbb615d516fd2690564e53e4db3ed3e50
Instruction Fuzzy Hash: D012B363E2C543D6FB649B14D2986B97291FB50750F888031E6EA866C4FF3EE4A4DB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B9BDC Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 312COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6742B9C38

Part of subcall function 00007FF6742BBF9C: __GetUnwindTryBlock.LIBCMT ref: 00007FF6742BBFDF
Part of subcall function 00007FF6742BBF9C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6742BC004

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6742B9D10
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6742B9F5F
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6742BA06B

Strings

csm, xrefs: 00007FF6742B9CB9
csm, xrefs: 00007FF6742B9C52
csm, xrefs: 00007FF6742B9D33

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: a0fb18242a3d6f0d5da8240325cb65982117881598e58d54bb51349d813d21b2
Instruction ID: 82768830d96dd575756a058903d5b8ed2bd03e1948c03b8257d3ce7a314267ea
Opcode Fuzzy Hash: a0fb18242a3d6f0d5da8240325cb65982117881598e58d54bb51349d813d21b2
Instruction Fuzzy Hash: 2ED19333A28B41CAEB609F25D5893AD37A0FB45798F100535EE9D97B55EF39E4A0C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A24CC Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32 ref: 00007FF6742A25B0
CloseHandle.KERNEL32 ref: 00007FF6742A25C3
MoveFileW.KERNEL32 ref: 00007FF6742A2697
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6742A27B9

Strings

iter: , xrefs: 00007FF6742A2727
- SUCCESS, xrefs: 00007FF6742A269D
- ERROR, xrefs: 00007FF6742A270D

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: File$CloseConcurrency::cancel_current_taskHandleMove
String ID: - ERROR$ - SUCCESS$ iter:
API String ID: 2815471687-1678496372
Opcode ID: 51e365e58ddc436f3a2e370d00b50e0c46a4f57f8dfa83e456e8815b5645fd8d
Instruction ID: 23493c7ca30896dec2862eb7e5f69ea331a11269c39d0cba39643e6aa0bfb629
Opcode Fuzzy Hash: 51e365e58ddc436f3a2e370d00b50e0c46a4f57f8dfa83e456e8815b5645fd8d
Instruction Fuzzy Hash: CC816863B28A42D5EB10DB64D9D83EC2360FF44758F844232DE6D96AD9DF39E5A8C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C9FC0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF6742CA6C8,?,?,?,?,00007FF6742C572D,?,?,?,?,00007FF6742B71F4), ref: 00007FF6742CA13C
GetProcAddress.KERNEL32(?,?,?,00007FF6742CA6C8,?,?,?,?,00007FF6742C572D,?,?,?,?,00007FF6742B71F4), ref: 00007FF6742CA148

Strings

ext-ms-, xrefs: 00007FF6742CA099
api-ms-, xrefs: 00007FF6742CA086

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: cad7b501b2248e3808ffde60f228f232754f2bc3d3160e4cb8f926487255e5ab
Instruction ID: 3d9015dec511f0640a40646ab7a93e4ae34b6827dffc6c8be13ee7c068873d13
Opcode Fuzzy Hash: cad7b501b2248e3808ffde60f228f232754f2bc3d3160e4cb8f926487255e5ab
Instruction Fuzzy Hash: E2410623B39A02C1EB55DB16AA887752391BF44BE0F494635CD2DD7744DE3EE8258700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B51D0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 108fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF6742B5295
GetLastError.KERNEL32 ref: 00007FF6742B52AC
SetFileAttributesW.KERNEL32 ref: 00007FF6742B52E9

Part of subcall function 00007FF6742B5DC0: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF6742B5E3E
Part of subcall function 00007FF6742B5DC0: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF6742B5E7E
Part of subcall function 00007FF6742B5DC0: SetEntriesInAclW.ADVAPI32 ref: 00007FF6742B5EFA
Part of subcall function 00007FF6742B5DC0: SetNamedSecurityInfoW.ADVAPI32 ref: 00007FF6742B5F37
Part of subcall function 00007FF6742B5DC0: FreeSid.ADVAPI32 ref: 00007FF6742B60BB
Part of subcall function 00007FF6742B5DC0: FreeSid.ADVAPI32 ref: 00007FF6742B60CB

GetFileSizeEx.KERNEL32 ref: 00007FF6742B5389

Strings

No permission: %s, xrefs: 00007FF6742B530E
Cant open: %s, xrefs: 00007FF6742B533B
In use another process: %s, xrefs: 00007FF6742B52D8

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: File$AllocateFreeInitialize$AttributesCreateEntriesErrorInfoLastNamedSecuritySize
String ID: Cant open: %s$In use another process: %s$No permission: %s
API String ID: 1542743717-3297638996
Opcode ID: 247a4147948dcf377ac1d8f7558a9ce0d4e431a22502e3bbd5d99ecc17cb4923
Instruction ID: b97f21e3d387b094927fabc8190ddf4efde35d1dcc57e2bf385db6f78fe7996d
Opcode Fuzzy Hash: 247a4147948dcf377ac1d8f7558a9ce0d4e431a22502e3bbd5d99ecc17cb4923
Instruction Fuzzy Hash: 1D41DEB2918B81C2E7108F25D6883AD3360FB41BA8F544235CB7D9B6D5DF7A94E6C344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A7924 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00007FF6742A7942
wnsprintfW.SHLWAPI ref: 00007FF6742A796C
GetDriveTypeW.KERNEL32 ref: 00007FF6742A7977
wnsprintfW.SHLWAPI ref: 00007FF6742A7999

Part of subcall function 00007FF6742A7644: wnsprintfW.SHLWAPI ref: 00007FF6742A76A3
Part of subcall function 00007FF6742A7644: FindFirstFileExW.KERNELBASE ref: 00007FF6742A76C3

Sleep.KERNEL32 ref: 00007FF6742A79BB

Strings

%c:\, xrefs: 00007FF6742A7958
\\.\%c:, xrefs: 00007FF6742A7988

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: wnsprintf$DriveDrivesFileFindFirstLogicalSleepType
String ID: %c:\$\\.\%c:
API String ID: 4230318963-1924356460
Opcode ID: aa7cd666b3d54713daf19969fa84ba345c238decf2acc5df50b2030d5cef1992
Instruction ID: da940fddec6ce47c98b4242288d8f7c1de415677c31adde716f66ac5cda17b1e
Opcode Fuzzy Hash: aa7cd666b3d54713daf19969fa84ba345c238decf2acc5df50b2030d5cef1992
Instruction Fuzzy Hash: D8213E33A28543C2F710A715EAD91796360FFC8755F901132DEADC36A4DE2DE965CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C6E8C Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6742C6ECF
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6742C72BC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6742C7558

Strings

p, xrefs: 00007FF6742C6FF9
f, xrefs: 00007FF6742C6FF1
p, xrefs: 00007FF6742C6F81

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: 3e81594253d2af29ce7b87c8d6179118aae310fc9e219d086824ae778102a3bb
Instruction ID: d07d6c4693857cd6fc1e4306f2e50fa44024c678f5f04c53540d687e0ef7fc85
Opcode Fuzzy Hash: 3e81594253d2af29ce7b87c8d6179118aae310fc9e219d086824ae778102a3bb
Instruction Fuzzy Hash: D212B663E2C143C5FB207B15D29C2B976A2FBC0750F944235E6A9876C4DF3EE9A08B15

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A6074 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 169COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6742A609F

Part of subcall function 00007FF6742A1C60: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6742A1C85
Part of subcall function 00007FF6742A1C60: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6742A1CA9

std::_Facet_Register.LIBCPMT ref: 00007FF6742A6125
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6742A613F
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6742A6167

Strings

ios_base::failbit set, xrefs: 00007FF6742A617E

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID: ios_base::failbit set
API String ID: 2081738530-3924258884
Opcode ID: de1b6b5e4f82700410bde481b233ecdaefb5ea43a378115584c5506df396da44
Instruction ID: 47a46f4f38313f7bcb45a8460e37c554e459c1c7ef65875eb507a9908400ae2b
Opcode Fuzzy Hash: de1b6b5e4f82700410bde481b233ecdaefb5ea43a378115584c5506df396da44
Instruction Fuzzy Hash: 0F51C123B28642C0EE149B16E6882BA6751FF44BD4F480632DFAD87786DF3DE4A1C304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A1DDC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6742A1E42
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF6742A1E89
_Getctype.LIBCPMT ref: 00007FF6742A1EA0
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6742A1F58
_Getwctype.LIBCPMT ref: 00007FF6742A1F99

Strings

bad locale name, xrefs: 00007FF6742A1F7A

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: std::_$Lockit$GetctypeGetwctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1386471777-1405518554
Opcode ID: b8539c2f4486b6d3d1b907b93a4fa07cdfba7e0cb6bae40afaebe721e704fdee
Instruction ID: b5f082734c552a6d54ebb4fbaef485f5f7d1c5e9f104c9c5f4c651f1c51e169d
Opcode Fuzzy Hash: b8539c2f4486b6d3d1b907b93a4fa07cdfba7e0cb6bae40afaebe721e704fdee
Instruction Fuzzy Hash: 5C519923F29B82CAEB14DBB4D1841BC2374EF94754B040635DE9EA2A56DF39E466C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742BC50C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6742BC7BE,?,?,?,00007FF6742BC408,?,?,?,00007FF6742B8D99), ref: 00007FF6742BC591
GetLastError.KERNEL32(?,?,?,00007FF6742BC7BE,?,?,?,00007FF6742BC408,?,?,?,00007FF6742B8D99), ref: 00007FF6742BC59F
LoadLibraryExW.KERNEL32(?,?,?,00007FF6742BC7BE,?,?,?,00007FF6742BC408,?,?,?,00007FF6742B8D99), ref: 00007FF6742BC5C9
FreeLibrary.KERNEL32(?,?,?,00007FF6742BC7BE,?,?,?,00007FF6742BC408,?,?,?,00007FF6742B8D99), ref: 00007FF6742BC637
GetProcAddress.KERNEL32(?,?,?,00007FF6742BC7BE,?,?,?,00007FF6742BC408,?,?,?,00007FF6742B8D99), ref: 00007FF6742BC643

Strings

api-ms-, xrefs: 00007FF6742BC5B1

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: d60885e2f5dcf8238ac8f8a4737aa3847d0cb16acec91e073d544a97c38958ea
Instruction ID: 588d0575e50dd786110a9d6bb9eac64bdcf56175ac2cd8ab234ca87049f2c675
Opcode Fuzzy Hash: d60885e2f5dcf8238ac8f8a4737aa3847d0cb16acec91e073d544a97c38958ea
Instruction Fuzzy Hash: E0310623B2A782C1EE119B13AA886752394FF48BA0F595139DD3D97390EF3DE4A4C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C8E64 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6742C8E73
FlsGetValue.KERNEL32 ref: 00007FF6742C8E88
FlsSetValue.KERNEL32 ref: 00007FF6742C8EA9
FlsSetValue.KERNEL32 ref: 00007FF6742C8ED6
FlsSetValue.KERNEL32 ref: 00007FF6742C8EE7
FlsSetValue.KERNEL32 ref: 00007FF6742C8EF8
SetLastError.KERNEL32 ref: 00007FF6742C8F13

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 7db356a0bf92796612e1af19c5ecb224f63876e6a5066522970a54af1ad6ec75
Instruction ID: 67d54097f315249741ca6c638d0932d9b992e41d792d0d2409d6ba2d2933aff5
Opcode Fuzzy Hash: 7db356a0bf92796612e1af19c5ecb224f63876e6a5066522970a54af1ad6ec75
Instruction Fuzzy Hash: BF219A23F2C682C2FB69A3315BDD13952425F847A0F548B34E93E86AD6DE2EE4608201

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742D5C28 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6742D5C59
GetLastError.KERNEL32 ref: 00007FF6742D5C65
CloseHandle.KERNEL32 ref: 00007FF6742D5C7D
CreateFileW.KERNEL32 ref: 00007FF6742D5CA8
WriteConsoleW.KERNEL32 ref: 00007FF6742D5CC7

Strings

CONOUT$, xrefs: 00007FF6742D5C89

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 1342d5704d7f2087a52e45bfb305b659bf225a2488428d354601f93c9678ff20
Instruction ID: da6dee46e604d016a83430eb8a61919995ccdb7695154a095cea69721b38f8f9
Opcode Fuzzy Hash: 1342d5704d7f2087a52e45bfb305b659bf225a2488428d354601f93c9678ff20
Instruction Fuzzy Hash: 8D117F22628B41C6E3509B52E98832963A0BF88FE4F244234DA7DC7794CF7DD8648B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742BA0AC Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 320COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6742BA24A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6742BA573

Strings

csm, xrefs: 00007FF6742BA271
csm, xrefs: 00007FF6742BA1F3
csm, xrefs: 00007FF6742BA191

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 70479e19ae8ed96efe8ee87d619db38b665c41175b05d40ed4ddbd0c1030711c
Instruction ID: b29ed2f80ca37c331d521a83c60f9ed50c26919a62f2730c5424a9d5e4656176
Opcode Fuzzy Hash: 70479e19ae8ed96efe8ee87d619db38b665c41175b05d40ed4ddbd0c1030711c
Instruction Fuzzy Hash: 8AE1F033A28782CAE7519F34D5C92AD37A4FB45788F104135DAAD87B96EF39E491CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C8FDC Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00008E472D18676E,00007FF6742C5655,?,?,?,?,00007FF6742D08D6,?,?,00000000,00007FF6742CC5B7,?,?,?), ref: 00007FF6742C8FEB
FlsSetValue.KERNEL32(?,?,00008E472D18676E,00007FF6742C5655,?,?,?,?,00007FF6742D08D6,?,?,00000000,00007FF6742CC5B7,?,?,?), ref: 00007FF6742C9021
FlsSetValue.KERNEL32(?,?,00008E472D18676E,00007FF6742C5655,?,?,?,?,00007FF6742D08D6,?,?,00000000,00007FF6742CC5B7,?,?,?), ref: 00007FF6742C904E
FlsSetValue.KERNEL32(?,?,00008E472D18676E,00007FF6742C5655,?,?,?,?,00007FF6742D08D6,?,?,00000000,00007FF6742CC5B7,?,?,?), ref: 00007FF6742C905F
FlsSetValue.KERNEL32(?,?,00008E472D18676E,00007FF6742C5655,?,?,?,?,00007FF6742D08D6,?,?,00000000,00007FF6742CC5B7,?,?,?), ref: 00007FF6742C9070
SetLastError.KERNEL32(?,?,00008E472D18676E,00007FF6742C5655,?,?,?,?,00007FF6742D08D6,?,?,00000000,00007FF6742CC5B7,?,?,?), ref: 00007FF6742C908B

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: cef8db87358bbd1bb94d461cb40769e749808dc7d0f8ea07841b7c184a02da71
Instruction ID: 2c2943a357ceda53af5dfdb523bd344017f66f01283286bc5a8179211f45b754
Opcode Fuzzy Hash: cef8db87358bbd1bb94d461cb40769e749808dc7d0f8ea07841b7c184a02da71
Instruction Fuzzy Hash: 43119A23F2C652C2FB64A3316BDD13962425F857B0F204B35E93E866D2EE2FF4218600

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C2DDC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6742C2E01
GetProcAddress.KERNEL32 ref: 00007FF6742C2E17
FreeLibrary.KERNEL32 ref: 00007FF6742C2E3E

Strings

mscoree.dll, xrefs: 00007FF6742C2DF8
CorExitProcess, xrefs: 00007FF6742C2E10

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0278d18345afb49aed3f296f556ce83c92b3962c6d5b11118b52e635ee81f5b1
Instruction ID: 2a8ea16594705f4def412e26dd6f85623d9f657b5d5f220a6bd9373823cee163
Opcode Fuzzy Hash: 0278d18345afb49aed3f296f556ce83c92b3962c6d5b11118b52e635ee81f5b1
Instruction Fuzzy Hash: B9F0C222A29B42C1EB548B24E59C7396320AF89B61F600335C67E852E0CF3EE059CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B94AC Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FF6742B95CF
__AdjustPointer.LIBCMT ref: 00007FF6742B961A

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: b443bef51e4ce891ad96efdcb9728f74f950800b5ba6620d7f191b32bdad19ab
Instruction ID: b4570a35ff5d604bca532c71d42ace109d4a4f9e1e98c9f67c416dd15ae6a126
Opcode Fuzzy Hash: b443bef51e4ce891ad96efdcb9728f74f950800b5ba6620d7f191b32bdad19ab
Instruction Fuzzy Hash: 0FB10323A2EA42C1EA65CF1193C86396794EF46BC0F298435CE6D87785FE3EE461C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C9570 Relevance: 7.7, APIs: 5, Instructions: 196COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6742C95AF
_set_statfp.LIBCMT ref: 00007FF6742C95CD
_set_statfp.LIBCMT ref: 00007FF6742C95F6
_set_statfp.LIBCMT ref: 00007FF6742C9832

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: a744e18eaa2fea3fc939351ac5b04869bfc5dfc7b6a79ce1bda5445e8e44399a
Instruction ID: 8a9598ec6878efa5ee2d316e10d3015e67ee7e31d92fedc5c2e6ae70d0de6de9
Opcode Fuzzy Hash: a744e18eaa2fea3fc939351ac5b04869bfc5dfc7b6a79ce1bda5445e8e44399a
Instruction Fuzzy Hash: D2812613D28A46C5F3328F35A6C837A6250BF56394F344331E96DA65E4EF3EE5A1CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742D5890 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6742D58B8
_set_statfp.LIBCMT ref: 00007FF6742D58D3
_set_statfp.LIBCMT ref: 00007FF6742D58EF
_set_statfp.LIBCMT ref: 00007FF6742D592B

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: e65ba792651367d839098e214d5891407b2dde01c0b567b7a4e043ebbfca8b6f
Instruction ID: 8d3438343c021d256719d407ca785e751fd66f7eca8e1999c9920a921e321e42
Opcode Fuzzy Hash: e65ba792651367d839098e214d5891407b2dde01c0b567b7a4e043ebbfca8b6f
Instruction Fuzzy Hash: 3F11AB23E3CA13C1F7541128E7CD3B911406F55374F360635E5BEC66DA9EAE99E08548

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C90A4 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6742C23DB,?,?,00000000,00007FF6742C2676,?,?,?,?,?,00007FF6742C2602), ref: 00007FF6742C90C3
FlsSetValue.KERNEL32(?,?,?,00007FF6742C23DB,?,?,00000000,00007FF6742C2676,?,?,?,?,?,00007FF6742C2602), ref: 00007FF6742C90E2
FlsSetValue.KERNEL32(?,?,?,00007FF6742C23DB,?,?,00000000,00007FF6742C2676,?,?,?,?,?,00007FF6742C2602), ref: 00007FF6742C910A
FlsSetValue.KERNEL32(?,?,?,00007FF6742C23DB,?,?,00000000,00007FF6742C2676,?,?,?,?,?,00007FF6742C2602), ref: 00007FF6742C911B
FlsSetValue.KERNEL32(?,?,?,00007FF6742C23DB,?,?,00000000,00007FF6742C2676,?,?,?,?,?,00007FF6742C2602), ref: 00007FF6742C912C

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 0334a6b7a3ca8351b483bca08dc4299107a909103d44cca445d0d889198c38e1
Instruction ID: 5ac1610d04db7afa5f6183756dcd384796c528a8269df9a896438c53d7a56e7d
Opcode Fuzzy Hash: 0334a6b7a3ca8351b483bca08dc4299107a909103d44cca445d0d889198c38e1
Instruction Fuzzy Hash: A3118C22F2C25282FB99A3319BDE27952415F853B0F544734D93E877D6EE6EE4218201

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742C8F38 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6742C8F49
FlsSetValue.KERNEL32 ref: 00007FF6742C8F68
FlsSetValue.KERNEL32 ref: 00007FF6742C8F90
FlsSetValue.KERNEL32 ref: 00007FF6742C8FA1
FlsSetValue.KERNEL32 ref: 00007FF6742C8FB2

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e181c022f3e2034a02169dfb07b8239979e25df240f999ddee0acf2e018ad264
Instruction ID: 33f36c81e58c4634420a3d47014ca811979900451d7263a2c9ded63824740d5a
Opcode Fuzzy Hash: e181c022f3e2034a02169dfb07b8239979e25df240f999ddee0acf2e018ad264
Instruction Fuzzy Hash: 0C114F12E2C207C1FBA8A6315ADD17A12424F84331F448B35EA3ECA2D3DE6FF4219201

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A54B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 235COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6742A62BC: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6742A62E7

std::ios_base::failure::failure.LIBCPMT ref: 00007FF6742A57EC

Strings

ios_base::badbit set, xrefs: 00007FF6742A57B4
ios_base::failbit set, xrefs: 00007FF6742A57C0
ios_base::eofbit set, xrefs: 00007FF6742A57C7

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: LockitLockit::_std::_std::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1478341485-1866435925
Opcode ID: 3770c53c090fc8ddb56f030ecb786e12d12777cdcd3f23781505a55a82505db7
Instruction ID: 6b313b4e0cc01701e71d75240d0364d8ef8e4b4de3bd9a1a70871dfb916fab84
Opcode Fuzzy Hash: 3770c53c090fc8ddb56f030ecb786e12d12777cdcd3f23781505a55a82505db7
Instruction Fuzzy Hash: D2A14A63715A85C2EA608F06E6C466E67A0FF84F84F558132DE6E937A4CF3ED4A5C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A3410 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6742B769C: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6742B76B9
Part of subcall function 00007FF6742B769C: std::locale::_Setgloballocale.LIBCPMT ref: 00007FF6742B76DC
Part of subcall function 00007FF6742B769C: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6742B7771

Part of subcall function 00007FF6742A62BC: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6742A62E7

std::ios_base::failure::failure.LIBCPMT ref: 00007FF6742A3711

Strings

ios_base::badbit set, xrefs: 00007FF6742A36DD
ios_base::failbit set, xrefs: 00007FF6742A36E8
ios_base::eofbit set, xrefs: 00007FF6742A36EF

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_$Lockit::~_Setgloballocalestd::ios_base::failure::failurestd::locale::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2608914508-1866435925
Opcode ID: f75de1daf047e404971f05ffe4df853e92e270e4c9e48374ab59b249af9a750f
Instruction ID: 6af7d8a9b47660275b1bd4a903322b33b5b4d163827bbe3b51379c1b0aca73b0
Opcode Fuzzy Hash: f75de1daf047e404971f05ffe4df853e92e270e4c9e48374ab59b249af9a750f
Instruction Fuzzy Hash: 2DA14833614F99D6DB40CF15E98859D77ACFB48B88B158126EB9D83B20EF39D166C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742BA820 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6742BA890
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6742BA8DB

Strings

MOC, xrefs: 00007FF6742BA8A4
RCC, xrefs: 00007FF6742BA8AC

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 702081a4b5113a7cd2a71d8a00ec4cc59b8cccfc9533e3bf604e7636ea624da6
Instruction ID: d4078ff48bb9a1a29f6f4e33c39a301371c60f67b139592a3fdb5ab9a9e31d4f
Opcode Fuzzy Hash: 702081a4b5113a7cd2a71d8a00ec4cc59b8cccfc9533e3bf604e7636ea624da6
Instruction Fuzzy Hash: FC91E173A18B81CAE751CF64E5842AD7BB0FB44788F14412AEE9C87B55EF39D1A5CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A6C7C Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 177COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FF6742A6ED0

Strings

ios_base::badbit set, xrefs: 00007FF6742A6E98
ios_base::failbit set, xrefs: 00007FF6742A6EA4
ios_base::eofbit set, xrefs: 00007FF6742A6EAB

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: std::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2264918676-1866435925
Opcode ID: b41963570bf1611b1a788375f3290b028db0e0f7993ae9bf3bb6ae602dafeed0
Instruction ID: ba44357d660bd564106cfb215be1d4d0de8a3f20bcd52bddf96f926cafecda22
Opcode Fuzzy Hash: b41963570bf1611b1a788375f3290b028db0e0f7993ae9bf3bb6ae602dafeed0
Instruction Fuzzy Hash: 82711663628A85C1EB508B19D6C8769A761FF84F84F548032CE9D877A4DF3ED866C344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A5258 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 173COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FF6742A5499

Strings

ios_base::badbit set, xrefs: 00007FF6742A5461
ios_base::failbit set, xrefs: 00007FF6742A546D
ios_base::eofbit set, xrefs: 00007FF6742A5474

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: std::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2264918676-1866435925
Opcode ID: a9ef15020e3af22209faca721597019a7477c2d8090d58438a95a2c273c374f0
Instruction ID: 6a1e35320caed20633b574c680b1758cbe25f8caab9e061440f55fb18b1fb11b
Opcode Fuzzy Hash: a9ef15020e3af22209faca721597019a7477c2d8090d58438a95a2c273c374f0
Instruction Fuzzy Hash: E2718D63724A45C1EB508F0AD2C457DA7A0FF84F94B568132DE6E877A4DF3AD8A2C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B8DD4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6742B8DFF
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6742B8E96
RtlUnwindEx.KERNEL32 ref: 00007FF6742B8EF0

Strings

csm, xrefs: 00007FF6742B8E7D

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: e65b68d5a51b8a9ef35aab0d2a89749b8615e9821dbceb7135f3e7ef4eaf6677
Instruction ID: e17665c9600814a625d2fa2d39177f8f7a33a001cd6f5bc8bb2a31a5ed7159ce
Opcode Fuzzy Hash: e65b68d5a51b8a9ef35aab0d2a89749b8615e9821dbceb7135f3e7ef4eaf6677
Instruction Fuzzy Hash: 2251C833B29602CAEB14CF15D58867C7392EB44B98F504138EA6D87788EF7EE861C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742BADA0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6742BADC8
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6742BAEB0

Strings

csm, xrefs: 00007FF6742BAF02
csm, xrefs: 00007FF6742BADEA

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: a1d65aad2006f26d59088d3189d27120353d4dd3ef269476987652f2b17b44dd
Instruction ID: bcc75128d635e389521be310f271f1c0959474d9f42c6fc1dcc966f7f36ca1f5
Opcode Fuzzy Hash: a1d65aad2006f26d59088d3189d27120353d4dd3ef269476987652f2b17b44dd
Instruction Fuzzy Hash: 88519373928242C6EBB58F1196883A877A0FB54B84F144136DAAD87BD5EF7EE470C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A3728 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6742A5804: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6742A582F
Part of subcall function 00007FF6742A5804: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6742A58CF

std::ios_base::failure::failure.LIBCPMT ref: 00007FF6742A38E7

Strings

ios_base::badbit set, xrefs: 00007FF6742A38AF
ios_base::failbit set, xrefs: 00007FF6742A38BB
ios_base::eofbit set, xrefs: 00007FF6742A38C2

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_std::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2434615303-1866435925
Opcode ID: 1ea5d9f47e4d9b2337268a64374f33d9fa148227742119e5f5da4f04f78dd542
Instruction ID: e87d8f49f5e3171efe196129b1bbfaa4cf388f505fc30afd2ded09ec77cf1dbc
Opcode Fuzzy Hash: 1ea5d9f47e4d9b2337268a64374f33d9fa148227742119e5f5da4f04f78dd542
Instruction Fuzzy Hash: 63518A23A28A85C6EB10CB55E5842ADB7A0FBC4B80F548136EE9D83B68DF7ED415C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A4E38 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FF6742A4F6E

Strings

ios_base::badbit set, xrefs: 00007FF6742A4F36
ios_base::failbit set, xrefs: 00007FF6742A4F42
ios_base::eofbit set, xrefs: 00007FF6742A4F49

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: std::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2264918676-1866435925
Opcode ID: 9fe3ce9e685a85436171d2246ae9a236db5c6c98222c779ba95759f26e7b3508
Instruction ID: 025b153c72023cd945b249cbfb9215b4e4bf07741559d5d5d8e99273daac155e
Opcode Fuzzy Hash: 9fe3ce9e685a85436171d2246ae9a236db5c6c98222c779ba95759f26e7b3508
Instruction Fuzzy Hash: F7319E23728A45C1EB10CB15E6C93796361FF84B88F548531DE6D87AA9DF3EE415C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A6170 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 75COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6742A62B4

Strings

ios_base::failbit set, xrefs: 00007FF6742A617E
true, xrefs: 00007FF6742A6B5D
false, xrefs: 00007FF6742A6B47

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: false$ios_base::failbit set$true
API String ID: 3668304517-1341940614
Opcode ID: 7963d7e326ab3a34ecb530769207e168e947808460bd976599071dd5c00ab066
Instruction ID: dd8fc732495bcc668485b3164639225855e75dc80d1674c634af210e18e1d4b4
Opcode Fuzzy Hash: 7963d7e326ab3a34ecb530769207e168e947808460bd976599071dd5c00ab066
Instruction Fuzzy Hash: 3621F563B28646C4FE109B52AA887AE6351BF44FD4F144631DFBC4B786CE3EE4A18304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A4F88 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FF6742A5012

Strings

ios_base::badbit set, xrefs: 00007FF6742A4FDB
ios_base::failbit set, xrefs: 00007FF6742A4FE6
ios_base::eofbit set, xrefs: 00007FF6742A4FED

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: std::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2264918676-1866435925
Opcode ID: 74de8cbccdfe61a88623b0fde3542d0a68f0f2a664356a4e46fdabed29463d2f
Instruction ID: 39ac8649c8fa7edde51c9ac36b270be666f2caec42ef6c29fa48b18ae1d650cd
Opcode Fuzzy Hash: 74de8cbccdfe61a88623b0fde3542d0a68f0f2a664356a4e46fdabed29463d2f
Instruction Fuzzy Hash: D831A023B28A0AC5EB54DB14D6D92B86360EF84B98F544531DE2DC77A5DF7EE462C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B55F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 00007FF6742B5655
GetLastError.KERNEL32 ref: 00007FF6742B565D
Sleep.KERNEL32 ref: 00007FF6742B568F

Strings

%s: ReadFile code: %lu, xrefs: 00007FF6742B567B

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: ErrorFileLastReadSleep
String ID: %s: ReadFile code: %lu
API String ID: 1807766164-1591830175
Opcode ID: b93c87f6792688bd9242f28f65cd3b99e264913d430d63788dcd8dc5960c9a05
Instruction ID: c9c53f447ab43285c637fb59feb36199c47214bb50a89d9a6a55125cbcae6d93
Opcode Fuzzy Hash: b93c87f6792688bd9242f28f65cd3b99e264913d430d63788dcd8dc5960c9a05
Instruction Fuzzy Hash: B211D633A18B90C1D7108F21A544169A360FB49BE8F090632EFBD9B794DF3CD8A5C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B56C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55sleepCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00007FF6742B5720
GetLastError.KERNEL32 ref: 00007FF6742B572C
Sleep.KERNEL32 ref: 00007FF6742B575A

Strings

%s: SetPos code: %lu, xrefs: 00007FF6742B5746

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: ErrorFileLastPointerSleep
String ID: %s: SetPos code: %lu
API String ID: 3558500073-1696969906
Opcode ID: de8b7b193158e2acb61545423dad85fa6235c153c35e48b64971a12bddaa0865
Instruction ID: 955bd9ea2c86405b8c4039c80da22d26745bfbe5ee812ca012eb42598cf50d24
Opcode Fuzzy Hash: de8b7b193158e2acb61545423dad85fa6235c153c35e48b64971a12bddaa0865
Instruction Fuzzy Hash: 96110423B08A41C2D7109B66B6882A973A0FB49BE4F190231DF3C97794DF39C8E6C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742D27D8 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6742D2857
WriteFile.KERNEL32 ref: 00007FF6742D2B1F
WriteFile.KERNEL32 ref: 00007FF6742D2B65
GetLastError.KERNEL32 ref: 00007FF6742D2C1B

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: ed120615c4b30cb319dfa6e1fd33f0de21ff057578ceedafaedcb9c3019b1ea7
Instruction ID: c412fda69655c78776c21ace368e0184f03ed79d4415a7e0f7f08169a1ef917f
Opcode Fuzzy Hash: ed120615c4b30cb319dfa6e1fd33f0de21ff057578ceedafaedcb9c3019b1ea7
Instruction Fuzzy Hash: 3CD1E233B28A41C9E711CF65D6842AC37B1FF44B98B208235CE6D97B89DE39D426CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742D3100 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF6742D30EB), ref: 00007FF6742D321C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF6742D30EB), ref: 00007FF6742D32A7

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 39de4e75a88ccfd7056b3cf9c751cfc0f1b669b872293ea2a928f699db7c5cea
Instruction ID: 26a8f380658df458c1050e93dd29f40b3cb2a18234eab5a1d55f7059303d78d5
Opcode Fuzzy Hash: 39de4e75a88ccfd7056b3cf9c751cfc0f1b669b872293ea2a928f699db7c5cea
Instruction Fuzzy Hash: 4891D523F2C652C6F7508F65D6C82BD6BA0BF44B88F644139DE2E97684CE3AD465CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742A5804 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6742A582F

Part of subcall function 00007FF6742A1C60: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6742A1C85
Part of subcall function 00007FF6742A1C60: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6742A1CA9

std::_Facet_Register.LIBCPMT ref: 00007FF6742A58B5
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6742A58CF
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6742A58F7

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: ef5092d09f6ba7755f94b8de341e7956f31c4b238991596541b66ae9cf0227cb
Instruction ID: 47d9cbd6e4acae19df2104afa243ac44a4031f882e0a6b897605f74bda2b6820
Opcode Fuzzy Hash: ef5092d09f6ba7755f94b8de341e7956f31c4b238991596541b66ae9cf0227cb
Instruction Fuzzy Hash: 99218423B28A41C5EA14AB15E6D81BA6360FF84B90F490931DF7D87795DE3DE4A1C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742BAFD8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6742BB002

Strings

csm, xrefs: 00007FF6742BB196
csm, xrefs: 00007FF6742BB027

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: 5bd19ae8f8816e0488f5930f67d270faae5b41ff9230d602d73f07b7a15854a1
Instruction ID: 4d72b2491af30e9ecb9dd1eca127d55c95a6753e697634a15c971024ca81b2f8
Opcode Fuzzy Hash: 5bd19ae8f8816e0488f5930f67d270faae5b41ff9230d602d73f07b7a15854a1
Instruction Fuzzy Hash: 2D71DE33A28681C6DB618F25D2D837D7BA0FB45B84F088135DAAD87E89EE3DD461C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742BA5B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6742BA60F

Strings

MOC, xrefs: 00007FF6742BA623
RCC, xrefs: 00007FF6742BA62B

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 4a617cb7c5a2b0f9ee08026935e1233e4dd359005d9d1204c15a17e91c723e5b
Instruction ID: 7f919fc8b7503ba1bd8597aa9f60ab596e5080470095650eb58a7323d21813ac
Opcode Fuzzy Hash: 4a617cb7c5a2b0f9ee08026935e1233e4dd359005d9d1204c15a17e91c723e5b
Instruction Fuzzy Hash: F1619E73918BC5C1DB618B15E5847AEB7A0FB85B84F044225EBAC43B95EF3DE1A0CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742BB670 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6742BB71A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF6742BB746

Strings

csm, xrefs: 00007FF6742BB846

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 4f7d2f96df4359bfbac3624fe192e1f235e9ba441475615fa34b75b965e0f75a
Instruction ID: 361d02d261e285652492cb733ec89f2b7f0840c4cb1c787df4af102222b6e7ee
Opcode Fuzzy Hash: 4f7d2f96df4359bfbac3624fe192e1f235e9ba441475615fa34b75b965e0f75a
Instruction Fuzzy Hash: 5D516133A28751C6D620EB16E58926E77A4FB89B90F100534DB9D87B55EF3DD4A0CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742D2E70 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6742D2F87
GetLastError.KERNEL32 ref: 00007FF6742D2FA9

Strings

U, xrefs: 00007FF6742D2F33

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 5586347850751d6d6e8a4a94f947bbedd47548904c8b310408ab203d768ad6f0
Instruction ID: ffb2db3758d0652b6d21656ba313f99e40e0db7279a83665a7356294af5fe4d8
Opcode Fuzzy Hash: 5586347850751d6d6e8a4a94f947bbedd47548904c8b310408ab203d768ad6f0
Instruction Fuzzy Hash: B041E323B28A41C6DB20CF25E5883AAA7A0FB88784F904031EE5DC7798EF7DD451CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6742B8FEC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6742A154B), ref: 00007FF6742B903C
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6742A154B), ref: 00007FF6742B907D

Strings

csm, xrefs: 00007FF6742B906A

Memory Dump Source

Source File: 00000000.00000002.2971128036.00007FF6742A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6742A0000, based on PE: true

Associated: 00000000.00000002.2971098538.00007FF6742A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971170636.00007FF6742D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971202442.00007FF6742EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2971227456.00007FF6742F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6742a0000_decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 255ae39ff20dc6672bea7db3a80c9cf421f71f986a58273a28b23aaba9861165
Instruction ID: e80ad0d78fb9f47f8fb04ef17faaac3129eeeec8bb8027bf854f1614bc5d091e
Opcode Fuzzy Hash: 255ae39ff20dc6672bea7db3a80c9cf421f71f986a58273a28b23aaba9861165
Instruction Fuzzy Hash: 6C114932628B81C2EB618F15E58426A77E0FB88B84F684635DE9C47754EF3DD561CB00

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exePID: 7304, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exePID: 7304, Parent PID: 2580COMMON

Execution Graph

Graph

Executed Functions

Function 00007FF6742A7BC8 Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 176windowthreadsynchronizationCOMMON

Control-flow Graph

Function 00007FF6742A7644 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 162stringCOMMON

Windows Analysis Report
decryptor_E2DF5F6A783CA512D022CDF85C17143454400931A915DD68.exe

Function 00007FF6742A7BC8 Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 176
windowthreadsynchronizationCOMMON

Function 00007FF6742A7644 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 162
stringCOMMON

Function 00007FF6742A7EE4 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 121
windowsynchronizationthreadCOMMON

Function 00007FF6742A79FC Relevance: 40.3, APIs: 17, Strings: 6, Instructions: 76
sleepCOMMON

Function 00007FF6742B5BB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
COMMON

Function 00007FF6742A7B44 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 20
fileCOMMON

Function 00007FF6742B65F4 Relevance: 4.6, APIs: 3, Instructions: 94
COMMON

Function 00007FF6742B5B00 Relevance: 4.5, APIs: 3, Instructions: 49
COMMON

Function 00007FF6742A70C4 Relevance: 4.5, APIs: 3, Instructions: 39
COMMON

Function 00007FF6742A7148 Relevance: 3.1, APIs: 2, Instructions: 130
COMMON

Function 00007FF6742B59A0 Relevance: 3.1, APIs: 2, Instructions: 95
COMMON

Function 00007FF6742B6260 Relevance: 3.0, APIs: 2, Instructions: 21
COMMONLIBRARYCODE

Function 00007FF6742CCC74 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 00007FF6742C779C Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE