Play interactive tour

Edit tour

Analysis Report logman.exe

Overview

General Information

Sample Name:	logman.exe
Analysis ID:	319946
MD5:	ca042c9a80d01c409c740d0437942b4e
SHA1:	715146caa48d94a6ae2f6f0b2d5268296d51773e
SHA256:	cdaa7d2fd4328877fcab873cfa85b6b46b0a1afa6cc39017ced21dcfb139bba7

Detection

Score:	23
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Binary contains a suspicious time stamp

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Classification

Startup

System is w10x64

logman.exe (PID: 4828 cmdline: 'C:\Users\user\Desktop\logman.exe' MD5: CA042C9A80D01C409C740D0437942B4E)

conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A3E5EC _wsplitpath_s,FindFirstFileW,_wmakepath_s,memmove,FindNextFileW,wcschr,wcschr,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,memmove,FindClose,		0_2_00007FF665A3E5EC
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A3E5EC _wsplitpath_s,FindFirstFileW,_wmakepath_s,memmove,FindNextFileW,wcschr,wcschr,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,memmove,FindClose,		0_2_00007FF665A3E5EC

Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A404BC	0_2_00007FF665A404BC
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A34EA8	0_2_00007FF665A34EA8
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A3A2D4	0_2_00007FF665A3A2D4
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A3B530	0_2_00007FF665A3B530
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A3D130	0_2_00007FF665A3D130
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A3B03C	0_2_00007FF665A3B03C
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A35C2C	0_2_00007FF665A35C2C
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A37C0C	0_2_00007FF665A37C0C
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A3D544	0_2_00007FF665A3D544
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A33F88	0_2_00007FF665A33F88
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A36B8C	0_2_00007FF665A36B8C
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A3D384	0_2_00007FF665A3D384
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A404BC	0_2_00007FF665A404BC
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A34EA8	0_2_00007FF665A34EA8
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A3A2D4	0_2_00007FF665A3A2D4
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A3B530	0_2_00007FF665A3B530
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A3D130	0_2_00007FF665A3D130
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A3B03C	0_2_00007FF665A3B03C
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A35C2C	0_2_00007FF665A35C2C
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A37C0C	0_2_00007FF665A37C0C
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A3D544	0_2_00007FF665A3D544
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A33F88	0_2_00007FF665A33F88
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A36B8C	0_2_00007FF665A36B8C
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A3D384	0_2_00007FF665A3D384

Source: logman.exe	Binary or memory string: OriginalFilename vs logman.exe
Source: logman.exe, 00000000.00000002.666277863.00000207768A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs logman.exe
Source: logman.exe, 00000000.00000000.664776601.00007FF665A42000.00000002.00020000.sdmp	Binary or memory string: \VarFileInfo\TranslationProductVersion\StringFileInfo\%04x%04x\%sOriginalFilename vs logman.exe
Source: logman.exe	Binary or memory string: \VarFileInfo\TranslationProductVersion\StringFileInfo\%04x%04x\%sOriginalFilename vs logman.exe
Source: logman.exe	Binary or memory string: OriginalFilename vs logman.exe
Source: logman.exe, 00000000.00000002.666277863.00000207768A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs logman.exe
Source: logman.exe, 00000000.00000000.664776601.00007FF665A42000.00000002.00020000.sdmp	Binary or memory string: \VarFileInfo\TranslationProductVersion\StringFileInfo\%04x%04x\%sOriginalFilename vs logman.exe
Source: logman.exe	Binary or memory string: \VarFileInfo\TranslationProductVersion\StringFileInfo\%04x%04x\%sOriginalFilename vs logman.exe

Source: classification engine

Classification label: sus23.winEXE@2/0@0/0

Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A3C270 LoadLibraryW,GetLastError,FormatMessageW,FormatMessageW,FreeLibrary,LocalFree,		0_2_00007FF665A3C270
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A3C270 LoadLibraryW,GetLastError,FormatMessageW,FormatMessageW,FreeLibrary,LocalFree,		0_2_00007FF665A3C270

Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A34EA8 VariantInit,HeapSetInformation,CoInitializeEx,SysAllocString,_wcsicmp,_wcsicmp,_wcsicmp,GetUserNameExW,GetLastError,LoadStringW,CoCreateInstance,VariantClear,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SysFreeString,SysFreeString,SysFreeString,CoUninitialize,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,		0_2_00007FF665A34EA8
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A34EA8 VariantInit,HeapSetInformation,CoInitializeEx,SysAllocString,_wcsicmp,_wcsicmp,_wcsicmp,GetUserNameExW,GetLastError,LoadStringW,CoCreateInstance,VariantClear,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SysFreeString,SysFreeString,SysFreeString,CoUninitialize,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,		0_2_00007FF665A34EA8

Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A395E8 FindResourceW,LoadResource,LockResource,SizeofResource,GlobalAlloc,GlobalLock,memmove,CreateStreamOnHGlobal,GetLastError,FreeResource,GlobalUnlock,GlobalFree,		0_2_00007FF665A395E8
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A395E8 FindResourceW,LoadResource,LockResource,SizeofResource,GlobalAlloc,GlobalLock,memmove,CreateStreamOnHGlobal,GetLastError,FreeResource,GlobalUnlock,GlobalFree,		0_2_00007FF665A395E8

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_01

Source: logman.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: logman.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\logman.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior
Source: C:\Users\user\Desktop\logman.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\logman.exe 'C:\Users\user\Desktop\logman.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\logman.exe 'C:\Users\user\Desktop\logman.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: logman.exe	Static PE information: Image base 0x140000000 > 0x60000000
Source: logman.exe	Static PE information: Image base 0x140000000 > 0x60000000

Source: logman.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: logman.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: logman.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: logman.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: logman.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: logman.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: logman.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: logman.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: logman.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: logman.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: logman.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: logman.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: logman.exe	Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: logman.exe	Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: logman.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: logman.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: logman.pdb source: logman.exe
Source:	Binary string: logman.pdbGCTL source: logman.exe
Source:	Binary string: logman.pdb source: logman.exe
Source:	Binary string: logman.pdbGCTL source: logman.exe

Source: logman.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: logman.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: logman.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: logman.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: logman.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: logman.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: logman.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: logman.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: logman.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: logman.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Binary contains a suspicious time stamp

Show sources

Source: initial sample	Static PE information: 0xEA48DB36 [Thu Jul 22 13:20:54 2094 UTC]
Source: initial sample	Static PE information: 0xEA48DB36 [Thu Jul 22 13:20:54 2094 UTC]

Source: C:\Users\user\Desktop\logman.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_0-5467
Source: C:\Users\user\Desktop\logman.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_0-5467

Source: C:\Users\user\Desktop\logman.exe	API coverage: 6.5 %
Source: C:\Users\user\Desktop\logman.exe	API coverage: 6.5 %

Source: all processes	Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processes	Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A3E5EC _wsplitpath_s,FindFirstFileW,_wmakepath_s,memmove,FindNextFileW,wcschr,wcschr,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,memmove,FindClose,		0_2_00007FF665A3E5EC
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A3E5EC _wsplitpath_s,FindFirstFileW,_wmakepath_s,memmove,FindNextFileW,wcschr,wcschr,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,memmove,FindClose,		0_2_00007FF665A3E5EC

Source: logman.exe, 00000000.00000002.666277863.00000207768A0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: logman.exe, 00000000.00000002.666277863.00000207768A0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: logman.exe, 00000000.00000002.666277863.00000207768A0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: logman.exe, 00000000.00000002.666277863.00000207768A0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: logman.exe, 00000000.00000002.666277863.00000207768A0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: logman.exe, 00000000.00000002.666277863.00000207768A0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: logman.exe, 00000000.00000002.666277863.00000207768A0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: logman.exe, 00000000.00000002.666277863.00000207768A0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A34EA8 VariantInit,HeapSetInformation,CoInitializeEx,SysAllocString,_wcsicmp,_wcsicmp,_wcsicmp,GetUserNameExW,GetLastError,LoadStringW,CoCreateInstance,VariantClear,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SysFreeString,SysFreeString,SysFreeString,CoUninitialize,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,		0_2_00007FF665A34EA8
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A34EA8 VariantInit,HeapSetInformation,CoInitializeEx,SysAllocString,_wcsicmp,_wcsicmp,_wcsicmp,GetUserNameExW,GetLastError,LoadStringW,CoCreateInstance,VariantClear,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SysFreeString,SysFreeString,SysFreeString,CoUninitialize,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,		0_2_00007FF665A34EA8

Source: all processes	Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processes	Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A414A0 SetUnhandledExceptionFilter,	0_2_00007FF665A414A0
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A41194 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF665A41194
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A414A0 SetUnhandledExceptionFilter,	0_2_00007FF665A414A0
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A41194 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF665A41194

Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A35C2C GetProcessHeap,HeapAlloc,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,InitializeSecurityDescriptor,GetLastError,GetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorOwner,GetLastError,GetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorGroup,GetLastError,GetSecurityDescriptorDacl,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,GetProcessHeap,HeapFree,LocalFree,LocalFree,		0_2_00007FF665A35C2C
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A35C2C GetProcessHeap,HeapAlloc,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,InitializeSecurityDescriptor,GetLastError,GetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorOwner,GetLastError,GetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorGroup,GetLastError,GetSecurityDescriptorDacl,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,GetProcessHeap,HeapFree,LocalFree,LocalFree,		0_2_00007FF665A35C2C

Source: C:\Users\user\Desktop\logman.exe	Code function: LoadLibraryW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,	0_2_00007FF665A404BC
Source: C:\Users\user\Desktop\logman.exe	Code function: GetProcessHeap,HeapAlloc,GetProcessHeap,RtlAllocateHeap,wcstok,wcstok,_wcsicmp,wcstok,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,wcsrchr,wcstok,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	0_2_00007FF665A3C948
Source: C:\Users\user\Desktop\logman.exe	Code function: GetProcessHeap,HeapAlloc,GetLocaleInfoW,wcstok,wcstok,GetProcessHeap,HeapFree,	0_2_00007FF665A3EEA8
Source: C:\Users\user\Desktop\logman.exe	Code function: LoadLibraryW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,	0_2_00007FF665A404BC
Source: C:\Users\user\Desktop\logman.exe	Code function: GetProcessHeap,HeapAlloc,GetProcessHeap,RtlAllocateHeap,wcstok,wcstok,_wcsicmp,wcstok,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,wcsrchr,wcstok,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	0_2_00007FF665A3C948
Source: C:\Users\user\Desktop\logman.exe	Code function: GetProcessHeap,HeapAlloc,GetLocaleInfoW,wcstok,wcstok,GetProcessHeap,HeapFree,	0_2_00007FF665A3EEA8

Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A41674 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,		0_2_00007FF665A41674
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A41674 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,		0_2_00007FF665A41674

Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A34EA8 VariantInit,HeapSetInformation,CoInitializeEx,SysAllocString,_wcsicmp,_wcsicmp,_wcsicmp,GetUserNameExW,GetLastError,LoadStringW,CoCreateInstance,VariantClear,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SysFreeString,SysFreeString,SysFreeString,CoUninitialize,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,		0_2_00007FF665A34EA8
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A34EA8 VariantInit,HeapSetInformation,CoInitializeEx,SysAllocString,_wcsicmp,_wcsicmp,_wcsicmp,GetUserNameExW,GetLastError,LoadStringW,CoCreateInstance,VariantClear,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SysFreeString,SysFreeString,SysFreeString,CoUninitialize,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,		0_2_00007FF665A34EA8

Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A3FF14 memset,GetVersionExW,GetVersionExW,		0_2_00007FF665A3FF14
Source: C:\Users\user\Desktop\logman.exe	Code function: 0_2_00007FF665A3FF14 memset,GetVersionExW,GetVersionExW,		0_2_00007FF665A3FF14

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection1	Process Injection1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Timestomp1	LSASS Memory	Security Software Discovery11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Account Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Owner/User Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery13	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
logman.exe	0%	Virustotal	Browse
logman.exe	0%	Metadefender	Browse
logman.exe	0%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	319946
Start date:	18.11.2020
Start time:	21:15:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	logman.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus23.winEXE@2/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 28.4%) Quality average: 19.3% Quality standard deviation: 33.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): svchost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	5.525535467255417
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	logman.exe
File size:	120320
MD5:	ca042c9a80d01c409c740d0437942b4e
SHA1:	715146caa48d94a6ae2f6f0b2d5268296d51773e
SHA256:	cdaa7d2fd4328877fcab873cfa85b6b46b0a1afa6cc39017ced21dcfb139bba7
SHA512:	32c0ef8ab6a938dfc0bb00f41b4a2937ea9370d80104a4d1f6cc5782d1f97d4c8823f413a02a6f911dc06f4b1eecf4bafab08db56cdf678e0e0b37cba7c96a63
SSDEEP:	3072:jk3dNq/ZpEoxPeFpT0NMrUs0Kj6aWkGTy:jk3/q/PEoxP6pT0NY0Kja
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@.......................-.......*......./......./.......+.......&...............,.....Rich....................PE..d...6.H....

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x140011050
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0xEA48DB36 [Thu Jul 22 13:20:54 2094 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	468ae0e85185c7b62e8740f0b95d8d25

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F511489BEC0h
dec eax
add esp, 28h
jmp 00007F511489B6C3h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [0000A1D1h]
jne 00007F511489B8B2h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007F511489B8A3h
ret
dec eax
ror ecx, 10h
jmp 00007F511489B9D7h
int3
int3
int3
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
dec eax
lea ecx, dword ptr [0000C6E4h]
call dword ptr [00004096h]
mov eax, dword ptr [0000A190h]
dec eax
lea ecx, dword ptr [0000C6D1h]
mov edx, dword ptr [0000CC63h]
inc eax
mov dword ptr [0000A17Bh], eax
mov dword ptr [ebx], eax
dec eax
mov eax, dword ptr [00000058h]
inc ecx
mov ecx, 00000004h
dec esp
mov eax, dword ptr [eax+edx*8]
mov eax, dword ptr [0000A160h]
inc ebx
mov dword ptr [ecx+eax], eax
call dword ptr [0000405Eh]
dec eax
lea ecx, dword ptr [0000C69Fh]
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00004063h]
int3
int3
int3
int3
int3
int3
int3
inc eax
push ebx
dec eax

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18ae8	0x280	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x20000	0x808	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1f000	0x924	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x21000	0x854	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x17f40	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x14db8	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x14ca0	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x14de0	0x5c8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x10966	0x10a00	False	0.486548402256	data	6.18960548838	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x12000	0x8134	0x8200	False	0.364603365385	data	4.20455027863	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1b000	0x3068	0x2800	False	0.06630859375	data	0.447443967859	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x1f000	0x924	0xa00	False	0.45625	PEX Binary Archive	4.50307300662	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x20000	0x808	0xa00	False	0.38359375	data	3.71062234732	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x21000	0x854	0xa00	False	0.4015625	data	4.98444381936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
MUI	0x20738	0xd0	data	English	United States
RT_VERSION	0x20398	0x39c	data	English	United States
RT_MANIFEST	0x200f0	0x2a6	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
msvcrt.dll	bsearch, ??3@YAXPEAX@Z, __CxxFrameHandler3, ?terminate@@YAXXZ, _commode, wcsncmp, _fmode, __C_specific_handler, _initterm, __setusermatherr, _wcsnicmp, _cexit, _exit, iswspace, _wmakepath_s, exit, __set_app_type, __wgetmainargs, _amsg_exit, _XcptFilter, wcsrchr, isspace, fgetws, wcsstr, _wfopen, wprintf, wcschr, _errno, wcstok, qsort, fseek, _wtoi, fclose, _wcsicmp, towlower, ferror, memmove, _vsnwprintf, _wsplitpath_s, malloc, _callnewh, memcpy, memset
api-ms-win-security-base-l1-1-0.dll	SetSecurityDescriptorDacl, GetSecurityDescriptorDacl, GetTokenInformation, SetSecurityDescriptorGroup, InitializeSecurityDescriptor, GetSecurityDescriptorOwner, SetSecurityDescriptorOwner, GetSecurityDescriptorGroup
api-ms-win-core-file-l1-1-0.dll	CreateFileW, WriteFile, FindFirstFileW, ReadFile, FindClose, FindNextFileW, SetFilePointerEx, GetFullPathNameW, GetFileType
api-ms-win-core-libraryloader-l1-2-0.dll	FreeResource, SizeofResource, LoadStringW, FreeLibrary, GetModuleFileNameW, LoadResource, FindResourceExW, GetModuleHandleW, LockResource, LoadLibraryExW
OLEAUT32.dll	SystemTimeToVariantTime, VariantInit, SysAllocString, VariantChangeType, VarDateFromStr, SysFreeString, SafeArrayUnaccessData, SafeArrayDestroy, VariantTimeToSystemTime, SafeArrayCreateVector, SafeArrayAccessData, VariantClear, VarBstrFromDate
api-ms-win-core-heap-l1-1-0.dll	GetProcessHeap, HeapFree, HeapAlloc, HeapSetInformation
api-ms-win-core-processthreads-l1-1-0.dll	GetCurrentProcessId, OpenProcessToken, GetCurrentThreadId, GetCurrentProcess, OpenThreadToken, GetCurrentThread, TerminateProcess
api-ms-win-core-processenvironment-l1-1-0.dll	GetStdHandle, GetCurrentDirectoryW, SearchPathW
api-ms-win-security-sddl-l1-1-0.dll	ConvertSidToStringSidW, ConvertStringSecurityDescriptorToSecurityDescriptorW
api-ms-win-core-console-l1-1-0.dll	ReadConsoleW, GetConsoleMode, GetConsoleOutputCP, WriteConsoleW, SetConsoleMode
api-ms-win-core-com-l1-1-0.dll	CoInitializeEx, CoCreateInstance, CoUninitialize, CoInitializeSecurity, CreateStreamOnHGlobal, StringFromGUID2
SspiCli.dll	GetUserNameExW
api-ms-win-shcore-path-l1-1-0.dll
api-ms-win-core-string-l1-1-0.dll	WideCharToMultiByte, MultiByteToWideChar
api-ms-win-core-errorhandling-l1-1-0.dll	GetLastError, SetUnhandledExceptionFilter, UnhandledExceptionFilter, SetLastError
api-ms-win-core-heap-l2-1-0.dll	GlobalFree, LocalFree, GlobalAlloc
api-ms-win-core-handle-l1-1-0.dll	CloseHandle
api-ms-win-core-libraryloader-l1-2-1.dll	LoadLibraryW, FindResourceW
api-ms-win-core-heap-obsolete-l1-1-0.dll	GlobalUnlock, GlobalLock
api-ms-win-core-timezone-l1-1-0.dll	SystemTimeToFileTime
api-ms-win-core-synch-l1-2-0.dll	SleepConditionVariableSRW, WakeAllConditionVariable, Sleep
api-ms-win-core-synch-l1-1-0.dll	AcquireSRWLockExclusive, ReleaseSRWLockExclusive
api-ms-win-core-rtlsupport-l1-1-0.dll	RtlLookupFunctionEntry, RtlCaptureContext, RtlVirtualUnwind
api-ms-win-core-profile-l1-1-0.dll	QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0.dll	GetVersionExW, GetTickCount, GetSystemTimeAsFileTime
api-ms-win-core-localization-l1-2-0.dll	GetLocaleInfoW, FormatMessageW, SetThreadPreferredUILanguages
api-ms-win-core-version-l1-1-0.dll	GetFileVersionInfoExW, GetFileVersionInfoSizeExW, VerQueryValueW
api-ms-win-core-console-l2-1-0.dll	GetConsoleScreenBufferInfo
api-ms-win-core-registry-l1-1-0.dll	RegCloseKey, RegQueryValueExW, RegOpenKeyExW
api-ms-win-core-localization-obsolete-l1-2-0.dll	GetUserDefaultUILanguage, GetSystemDefaultUILanguage
api-ms-win-core-memory-l1-1-0.dll	CreateFileMappingW, UnmapViewOfFile, MapViewOfFile

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserved.
InternalName	Logman.exe
FileVersion	10.0.19041.546 (WinBuild.160101.0800)
CompanyName	Microsoft Corporation
ProductName	Microsoft Windows Operating System
ProductVersion	10.0.19041.546
FileDescription	Performance Log Utility
OriginalFilename	Logman.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: logman.exe PID: 4828 Parent PID: 5936

General

Start time:	21:16:22
Start date:	18/11/2020
Path:	C:\Users\user\Desktop\logman.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\logman.exe'
Imagebase:	0x7ff665a30000
File size:	120320 bytes
MD5 hash:	CA042C9A80D01C409C740D0437942B4E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 6468 Parent PID: 4828

General

Start time:	21:16:22
Start date:	18/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: logman.exe PID: 4828 Parent PID: 5936 logman.exeCOMMON

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	42.9%
Total number of Nodes:	1317
Total number of Limit Nodes:	3

Executed Functions

Function 00007FF665A34EA8, Relevance: 65.5, APIs: 33, Strings: 4, Instructions: 708memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF665A34F0C
HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A34F38

Part of subcall function 00007FF665A3DDAC: SetThreadPreferredUILanguages.KERNELBASE(?,?,?,?,?,?,00000000,00000000,?,00007FF665A34F4E), ref: 00007FF665A3DDE8
Part of subcall function 00007FF665A3DDAC: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000000,00000000,?,00007FF665A34F4E), ref: 00007FF665A3DDF9
Part of subcall function 00007FF665A3DDAC: GetConsoleScreenBufferInfo.KERNELBASE(?,?,?,?,?,?,00000000,00000000,?,00007FF665A34F4E), ref: 00007FF665A3DE35
Part of subcall function 00007FF665A3DDAC: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00000000,?,00007FF665A34F4E), ref: 00007FF665A3DE45

CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF665A34F65
SysAllocString.OLEAUT32 ref: 00007FF665A34F9D
_wcsicmp.MSVCRT ref: 00007FF665A34FFC
_wcsicmp.MSVCRT ref: 00007FF665A35020
_wcsicmp.MSVCRT ref: 00007FF665A351F0
GetUserNameExW.SSPICLI ref: 00007FF665A35231
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF665A35241
VariantClear.OLEAUT32 ref: 00007FF665A35735
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A35769
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3577D
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A35793
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A357A7
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A357BD
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A357D1
SysFreeString.OLEAUT32 ref: 00007FF665A357E7
SysFreeString.OLEAUT32 ref: 00007FF665A357FF
SysFreeString.OLEAUT32 ref: 00007FF665A35899
CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF665A358CA
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A358F2
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A35906
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3591F
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A35933
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3594C
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A35960
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A35979
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3598D
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A359B3
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A359C7

Part of subcall function 00007FF665A35C2C: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF665A35C5B
Part of subcall function 00007FF665A35C2C: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF665A35C72
Part of subcall function 00007FF665A35C2C: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF665A35F1B
Part of subcall function 00007FF665A35C2C: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF665A35F2B

FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF665A359F2

Strings

* , xrefs: 00007FF665A35268
system, xrefs: 00007FF665A351E9
session, xrefs: 00007FF665A34FF5
autosession, xrefs: 00007FF665A35019

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$Free$Process$String$_wcsicmp$AllocErrorLastLocalVariant$BufferClearConsoleHandleInfoInformationInitInitializeLanguagesLibraryNamePreferredScreenThreadUninitializeUser
String ID: * $autosession$session$system
API String ID: 458234009-83901310
Opcode ID: 4b025d3d5182439bc3d474bdd108457c76c75260f48871e0497235036acfb712
Instruction ID: adff83bb3201a7be630cd25d699a51a89c9877a1cbe684d430aec3ccf65280ef
Opcode Fuzzy Hash: 4b025d3d5182439bc3d474bdd108457c76c75260f48871e0497235036acfb712
Instruction Fuzzy Hash: 70624B25A09A83C6EB109BA9E4525796BB1FF88F88F544135EA4ECB765DF3CEC05C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3C948, Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 256
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3C97F
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3C998
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3C9BD
RtlAllocateHeap.NTDLL ref: 00007FF665A3C9D1
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3CD17
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3CD2B

Strings

%s %s, xrefs: 00007FF665A3CC72
%s %s[%s|%s], xrefs: 00007FF665A3CC49

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$Process$AllocAllocateFree
String ID: %s %s$%s %s[%s|%s]
API String ID: 1927113959-619522601
Opcode ID: fc8f53e1a38ee0093a996aea513ba28f1b8a8d045b33a8843f2e02462afc6140
Instruction ID: 1a276a99805868bb182b47c3e077fc7a0c0edfaf8e25fd9c7c4fe67960cde17c
Opcode Fuzzy Hash: fc8f53e1a38ee0093a996aea513ba28f1b8a8d045b33a8843f2e02462afc6140
Instruction Fuzzy Hash: 4FB15E21A09B52C6EB108B51E82627867B4FF89F88F858535DA4ECB794EF3CED54C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A404BC, Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 357
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF665A3FF14: memset.MSVCRT ref: 00007FF665A3FF48
Part of subcall function 00007FF665A3FF14: GetVersionExW.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF665A3FF5A
Part of subcall function 00007FF665A3FF14: GetVersionExW.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF665A3FF77

LoadLibraryW.KERNELBASE ref: 00007FF665A40521
SearchPathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF665A4056A
FindResourceExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF665A405B5
GetUserDefaultUILanguage.API-MS-WIN-CORE-LOCALIZATION-OBSOLETE-L1-2-0 ref: 00007FF665A405D8
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF665A40610
wcsncmp.MSVCRT ref: 00007FF665A40634
GetSystemDefaultUILanguage.API-MS-WIN-CORE-LOCALIZATION-OBSOLETE-L1-2-0 ref: 00007FF665A40700
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF665A40854
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF665A409CD
LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF665A409F0
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF665A40A07

Strings

MUI, xrefs: 00007FF665A405A7
%s\%s, xrefs: 00007FF665A40872

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Library$Free$DefaultLanguageLoadVersion$FindInfoLocalePathResourceSearchSystemUsermemsetwcsncmp
String ID: %s\%s$MUI
API String ID: 1026695814-2651373239
Opcode ID: 90d34b9ab477659f843cde9baaae141349e5483f5f8188f8e86cbd08c41d877b
Instruction ID: ad93feec9fa1728b68a7a59c5ece95ad37c9d7c79ef18d26e7395959cac53554
Opcode Fuzzy Hash: 90d34b9ab477659f843cde9baaae141349e5483f5f8188f8e86cbd08c41d877b
Instruction Fuzzy Hash: 52E1B322A19A86C6FA609B91D5066FAA2B0FF65FC4F444031DE4E8FB89DF3CDD059740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3C270, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 78
windowlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 00007FF665A3C28E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF665A3C2A2
FormatMessageW.KERNELBASE ref: 00007FF665A3C30A
FormatMessageW.KERNELBASE ref: 00007FF665A3C342
FreeLibrary.KERNELBASE ref: 00007FF665A3C384
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF665A3C39A

Strings

pdh.dll, xrefs: 00007FF665A3C287

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: FormatFreeLibraryMessage$ErrorLastLoadLocal
String ID: pdh.dll
API String ID: 1294030245-3378302140
Opcode ID: 038b587c4490429e5ccbab2bbc70e84d6e0d849361c5174492147ad67f0e304c
Instruction ID: 63adb1ea4a376df0af90365ee40e22e0bbfed9af8cd4c2b14929aabecef7e3ed
Opcode Fuzzy Hash: 038b587c4490429e5ccbab2bbc70e84d6e0d849361c5174492147ad67f0e304c
Instruction Fuzzy Hash: 09316171A08B41C6E7645B95E46237ABAB0FF89F99F448139DA4ECAB95CF3CDC448700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A414A0, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 00007FF665A414AB

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 67d2c54695339df7a5555eb053d7b24bb2de5de247fe95676dd543c2f754d831
Instruction ID: 2b7cd916f1a4ecc99859f5fb722c3007a040e4f37529fbe99694fb92b7fdbefa
Opcode Fuzzy Hash: 67d2c54695339df7a5555eb053d7b24bb2de5de247fe95676dd543c2f754d831
Instruction Fuzzy Hash: 7AB01214F25402C1D604EFA1EC870B012B07F5CB4CFD00430C10DC9120DE5C99AB8700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3BDF8, Relevance: 19.7, APIs: 13, Instructions: 200
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF665A3BE1E
WriteConsoleW.KERNELBASE(?,?,?,?,?,00000000,00007FF665A3C160), ref: 00007FF665A3BE8C

Part of subcall function 00007FF665A3BD04: GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,00007FF665A3BE4F), ref: 00007FF665A3BD5B

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00000000,00007FF665A3C160), ref: 00007FF665A3BEA0
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00000000,00007FF665A3C160), ref: 00007FF665A3BEE4
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF665A3C079
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FF665A3C160), ref: 00007FF665A3C098
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FF665A3C160), ref: 00007FF665A3C0AC

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: ErrorLast$ConsoleHeap$FreeHandleOutputProcessWrite
String ID:
API String ID: 1006420052-0
Opcode ID: fcf909f1a46a8a25542ed62ec4726a942a4def42d310a4e1628c6b41bac06545
Instruction ID: db84ba91407cae35a4422f92c6ab08648d02ab321e99a65a16bb541f6bfe0885
Opcode Fuzzy Hash: fcf909f1a46a8a25542ed62ec4726a942a4def42d310a4e1628c6b41bac06545
Instruction Fuzzy Hash: F371C522A08B97C6F7108B65D856379A5E1FF4AF94F548339DA4ECA394DF3CEC058A10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3C5FC, Relevance: 12.1, APIs: 8, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF665A3C8E3), ref: 00007FF665A3C626
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF665A3C8E3), ref: 00007FF665A3C63D
GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,00007FF665A3C8E3), ref: 00007FF665A3C669
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF665A3C8E3), ref: 00007FF665A3C679
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF665A3C8E3), ref: 00007FF665A3C6EB
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF665A3C8E3), ref: 00007FF665A3C6FF

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$Process$AllocErrorFileFreeLastModuleName
String ID:
API String ID: 4281205730-0
Opcode ID: bc5a87fdb0858a539558e43a59203451f03e1861209a5ba02d65ff77e63dff5d
Instruction ID: 8060da87c00fac9ef515ac5bb280e10ce9bc749d3da3dde418e098e74b3d9e0b
Opcode Fuzzy Hash: bc5a87fdb0858a539558e43a59203451f03e1861209a5ba02d65ff77e63dff5d
Instruction Fuzzy Hash: 3A317F31A08B56CAE7109F91E956179BAB0FF89F85B55A138CE4ECB754DF3CEC418A00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A40E80, Relevance: 9.1, APIs: 6, Instructions: 95
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF665A40EC4
_amsg_exit.MSVCRT ref: 00007FF665A40EE0
_initterm.MSVCRT ref: 00007FF665A40F64
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF665A40F91
exit.KERNELBASE ref: 00007FF665A40FDE
_cexit.MSVCRT ref: 00007FF665A40FED

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
String ID:
API String ID: 4291973834-0
Opcode ID: 122c23335260713928010548e5698b691d9ba90b486abce56278abbc5116aadc
Instruction ID: 1f93a48181e8833332704dcd1c9f0e5f444be5d7a5c2e430fdc9596f7b243bad
Opcode Fuzzy Hash: 122c23335260713928010548e5698b691d9ba90b486abce56278abbc5116aadc
Instruction Fuzzy Hash: 7341E131A18642C6FB609B94E94227962B0BF58F84F94043AD94ECF6A4DF3CED50D740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3DDAC, Relevance: 6.2, APIs: 4, Instructions: 153
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadPreferredUILanguages.KERNELBASE(?,?,?,?,?,?,00000000,00000000,?,00007FF665A34F4E), ref: 00007FF665A3DDE8
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000000,00000000,?,00007FF665A34F4E), ref: 00007FF665A3DDF9

Part of subcall function 00007FF665A3E578: GetFileType.KERNELBASE(?,?,00000000,00007FF665A3BE65), ref: 00007FF665A3E581

GetConsoleScreenBufferInfo.KERNELBASE(?,?,?,?,?,?,00000000,00000000,?,00007FF665A34F4E), ref: 00007FF665A3DE35
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00000000,?,00007FF665A34F4E), ref: 00007FF665A3DE45

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: BufferConsoleErrorFileHandleInfoLanguagesLastPreferredScreenThreadType
String ID:
API String ID: 3317847511-0
Opcode ID: c0c2edf4c239bd1dd7d92177eb650b69b84330f3cd296dfc37a5a1fd4e1c5b70
Instruction ID: 0f08818c6fdec8caef26a8d9b4615560c1b71cdc34abf23269ced52aa81da22a
Opcode Fuzzy Hash: c0c2edf4c239bd1dd7d92177eb650b69b84330f3cd296dfc37a5a1fd4e1c5b70
Instruction Fuzzy Hash: E6517921B18652C6FB649B61D99327966B5AF88FD8F504239EE4ECF691DE3CEC01C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3E578, Relevance: 4.5, APIs: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,?,00000000,00007FF665A3BE65), ref: 00007FF665A3E581
GetConsoleMode.KERNELBASE(?,?,00000000,00007FF665A3BE65), ref: 00007FF665A3E5A6
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF665A3BE65), ref: 00007FF665A3E5B8

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: ConsoleErrorFileLastModeType
String ID:
API String ID: 2867079444-0
Opcode ID: 3d3d397adf416d82cfcc1ddc2963b86d3519c7ab1d8e2ef6ed9c6a3d6a772c55
Instruction ID: 6de50b0e3251935b6bb20cba8e322de9449d088bba15e9f4b67749ea90051038
Opcode Fuzzy Hash: 3d3d397adf416d82cfcc1ddc2963b86d3519c7ab1d8e2ef6ed9c6a3d6a772c55
Instruction Fuzzy Hash: 1AF03A61A18743CBE7501FA5E88617AAAB0EF4DF45B559134DA4BCE240EE2CDC488610

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3C8BC, Relevance: 3.0, APIs: 2, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF665A3C5FC: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF665A3C8E3), ref: 00007FF665A3C626
Part of subcall function 00007FF665A3C5FC: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF665A3C8E3), ref: 00007FF665A3C63D

LoadStringW.KERNELBASE ref: 00007FF665A3C8F9
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF665A3C909

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$AllocErrorLastLoadProcessString
String ID:
API String ID: 687070592-0
Opcode ID: 3c50ac57a039396b457700c5dc362494d3ee0ee6d98a9471463f8d0f100e9a64
Instruction ID: ddda87e6bc622b0ce67d10b169220ccb175e2ceeacbb9437e1d4bfa9949a9108
Opcode Fuzzy Hash: 3c50ac57a039396b457700c5dc362494d3ee0ee6d98a9471463f8d0f100e9a64
Instruction Fuzzy Hash: 0B018B66B04B52C6E3104B66F8813697AA4FF88F84F068135DB8ACB394EF38DC41C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A40E30, Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wgetmainargs.KERNELBASE ref: 00007FF665A40E68

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: __wgetmainargs
String ID:
API String ID: 1709950718-0
Opcode ID: 731880b81678335e1cbd31024e0b1a71b849c4a077cf4ff238ab084f88e1869f
Instruction ID: 186bdc81eef53f657d0e726709a2dd5573a7613f422f728a4748f6a0511eac02
Opcode Fuzzy Hash: 731880b81678335e1cbd31024e0b1a71b849c4a077cf4ff238ab084f88e1869f
Instruction Fuzzy Hash: 56E075B5E09647D6FB008F90F8424A237B0FF58B08F800032D80C9A230EE3CA949CB80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF665A36B8C, Relevance: 77.7, APIs: 42, Strings: 2, Instructions: 676fileCOMMON

Download Yara Rule

APIs

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF665A36BF4
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF665A36C09
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF665A36C40
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF665A36C50
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF665A36EEB
SafeArrayDestroy.OLEAUT32 ref: 00007FF665A36EFF

Strings

", xrefs: 00007FF665A370A1
;, xrefs: 00007FF665A36D81

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: ErrorFileLast$ArrayCloseCreateDestroyHandleReadSafe
String ID: "$;
API String ID: 3893635249-2221622046
Opcode ID: d5c3a603fb3da9d1355b44d1b765f2842e3f7d65100ed97ad7fe576d628cc7ca
Instruction ID: cf139d490d73e741bc763567fda79454b254c0645a1fbb25ca514a4bec4b1575
Opcode Fuzzy Hash: d5c3a603fb3da9d1355b44d1b765f2842e3f7d65100ed97ad7fe576d628cc7ca
Instruction Fuzzy Hash: 75526E32A08A42C6EB108B65E85227967B1FF89F99F558131DA4ECB7A4DF3DEC05C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3B03C, Relevance: 51.1, APIs: 25, Strings: 4, Instructions: 314
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 00007FF665A3B07F
VariantInit.OLEAUT32 ref: 00007FF665A3B08F
VariantInit.OLEAUT32 ref: 00007FF665A3B09F
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3B0AB
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3B0C4
VariantClear.OLEAUT32 ref: 00007FF665A3B0E8
VariantClear.OLEAUT32 ref: 00007FF665A3B0F8
VariantClear.OLEAUT32 ref: 00007FF665A3B108
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3B167
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3B17B
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3B18C
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3B1A0
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3B1B1
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3B1C5
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3B1EF
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3B203
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3B21B
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3B22F
LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF665A3B2EA
LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF665A3B307
LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF665A3B323

Strings

0x%1!016I64x! %2!-20s! %3!s!, xrefs: 00007FF665A3B4BF
0x%1!02x! %2!-20s! %3!s!, xrefs: 00007FF665A3B4E3
0x%1!08x! %2!-20s! %3!s!, xrefs: 00007FF665A3B4B2
%1!-18s! %2!-20s! %3!s!, xrefs: 00007FF665A3B332

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$ProcessVariant$AllocClearFreeInitLoadString
String ID: %1!-18s! %2!-20s! %3!s!$0x%1!016I64x! %2!-20s! %3!s!$0x%1!02x! %2!-20s! %3!s!$0x%1!08x! %2!-20s! %3!s!
API String ID: 1805853320-3335809433
Opcode ID: 6490f9479f253628138642087272e6b601dbd61cb1d95f7b7d1f6e7c19e80749
Instruction ID: d6c9cf3452de8a5e642ac24752f00839adc1ae8d13c7b13e52c305d2e8d4c94d
Opcode Fuzzy Hash: 6490f9479f253628138642087272e6b601dbd61cb1d95f7b7d1f6e7c19e80749
Instruction Fuzzy Hash: 67E1C826B05E4ACAEB00DFA5E8551AC6BB1FF89F89B458135DE0E9B764DF38D905C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A35C2C, Relevance: 44.0, APIs: 23, Strings: 2, Instructions: 206
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF665A35A38: GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF665A35A4F
Part of subcall function 00007FF665A35A38: OpenThreadToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF665A35A69
Part of subcall function 00007FF665A35A38: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF665A35A7E
Part of subcall function 00007FF665A35A38: GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF665A35AA8
Part of subcall function 00007FF665A35A38: OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF665A35AC1
Part of subcall function 00007FF665A35A38: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF665A35AD1
Part of subcall function 00007FF665A35A38: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A35B00
Part of subcall function 00007FF665A35A38: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A35B14
Part of subcall function 00007FF665A35A38: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A35B24
Part of subcall function 00007FF665A35A38: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A35B38
Part of subcall function 00007FF665A35A38: GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF665A35B6C
Part of subcall function 00007FF665A35A38: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF665A35B7C
Part of subcall function 00007FF665A35A38: ConvertSidToStringSidW.API-MS-WIN-SECURITY-SDDL-L1-1-0 ref: 00007FF665A35BAC
Part of subcall function 00007FF665A35A38: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF665A35BBC

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF665A35C5B
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF665A35C72
ConvertStringSecurityDescriptorToSecurityDescriptorW.API-MS-WIN-SECURITY-SDDL-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF665A35CCA
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF665A35CE0
InitializeSecurityDescriptor.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF665A35D0C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF665A35D1C
GetSecurityDescriptorOwner.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF665A35D4B
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF665A35D5B
SetSecurityDescriptorOwner.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF665A35D8A
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF665A35D9A
GetSecurityDescriptorGroup.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF665A35DC9
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF665A35DD9
SetSecurityDescriptorGroup.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF665A35E08
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF665A35E18
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF665A35F1B
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF665A35F2B

Strings

, xrefs: 00007FF665A35EC2
O:%sG:%sD:(A;;0x7;;;%s), xrefs: 00007FF665A35C94

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: ErrorLast$DescriptorSecurity$Heap$Process$FreeToken$AllocConvertCurrentGroupLocalOpenOwnerStringThread$InformationInitialize
String ID: $O:%sG:%sD:(A;;0x7;;;%s)
API String ID: 1303351966-3381022231
Opcode ID: 033c648bfd06c79449feffb491a42a91789286ccf8333b5359487b0f2f769939
Instruction ID: e3eed87c1230302df8fc1a56ce707bc2317ce67100423fed8c2e0a9ec27d8471
Opcode Fuzzy Hash: 033c648bfd06c79449feffb491a42a91789286ccf8333b5359487b0f2f769939
Instruction Fuzzy Hash: 16913B32A04B43CAE7109FA9E4856B9ABB0FF49F49F418135DE4EDA654DF78EC098710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3D544, Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 197
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,?,00007FF665A3DA8A), ref: 00007FF665A3D586
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,?,00007FF665A3DA8A), ref: 00007FF665A3D59F
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,?,00007FF665A3DA8A), ref: 00007FF665A3D5C1
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,?,00007FF665A3DA8A), ref: 00007FF665A3D5D8
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,?,00007FF665A3DA8A), ref: 00007FF665A3D7DF
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,?,00007FF665A3DA8A), ref: 00007FF665A3D7F3
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,?,00007FF665A3DA8A), ref: 00007FF665A3D804
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,?,00007FF665A3DA8A), ref: 00007FF665A3D818
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,?,00007FF665A3DA8A), ref: 00007FF665A3D829
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,?,00007FF665A3DA8A), ref: 00007FF665A3D83D

Strings

ProductVersion, xrefs: 00007FF665A3D724
\StringFileInfo\%04x%04x\%s, xrefs: 00007FF665A3D714, 00007FF665A3D76E
OriginalFilename, xrefs: 00007FF665A3D782
%1!s! %2!s! (%3!s!), xrefs: 00007FF665A3D7D3
\VarFileInfo\Translation, xrefs: 00007FF665A3D6EA

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$Process$Free$Alloc
String ID: %1!s! %2!s! (%3!s!)$OriginalFilename$ProductVersion$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
API String ID: 3689955550-3739321850
Opcode ID: 193d3a76fac85f8b1ad68e31236a513a26f92c021d5d149f58e997a69c21f482
Instruction ID: 2ca002f19e89de61b9c220fd07b94c8aa3d787e37da68482e11777215639ff23
Opcode Fuzzy Hash: 193d3a76fac85f8b1ad68e31236a513a26f92c021d5d149f58e997a69c21f482
Instruction Fuzzy Hash: 91911B22A04B52CAE7109BA1E8412BDBBB1FF89F89B558139CE4D9BB54DF3CD845C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A37C0C, Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 471memorycomCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF665A37C65
CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF665A37CAF
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A37CC5
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A37CDC
_wfopen.MSVCRT ref: 00007FF665A37D10
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF665A37D24
VariantClear.OLEAUT32 ref: 00007FF665A38298
SysFreeString.OLEAUT32 ref: 00007FF665A382B0
fclose.MSVCRT ref: 00007FF665A38330
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A38341
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A38355

Strings

, xrefs: 00007FF665A37E1C, 00007FF665A37E2F, 00007FF665A37E38

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$FreeProcessVariant$AllocClearCreateErrorInitInstanceLastString_wfopenfclose
String ID:
API String ID: 3713371570-410699589
Opcode ID: 4aeb28876fd0c5f9e98f8158f35f9bce4b3c4eac5d5b3d2615974a0ab57e64ab
Instruction ID: 3d6799617dce0facb9c13331af85d0f15a8594751fba5659446c9102d8e60ef7
Opcode Fuzzy Hash: 4aeb28876fd0c5f9e98f8158f35f9bce4b3c4eac5d5b3d2615974a0ab57e64ab
Instruction Fuzzy Hash: E922F426B09B46C6EB508BA9E4521B967B1FF89F88B444132DE4ECB764DF78ED45C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3A2D4, Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 265memorycomCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF665A3A32B
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3A337
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3A34E
SysAllocString.OLEAUT32 ref: 00007FF665A3A390
CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF665A3A3F5
VariantClear.OLEAUT32 ref: 00007FF665A3A506
VariantClear.OLEAUT32 ref: 00007FF665A3A653
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3A664
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3A678
SysFreeString.OLEAUT32 ref: 00007FF665A3A68E

Strings

session\*, xrefs: 00007FF665A3A375
service\*, xrefs: 00007FF665A3A389

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$Variant$AllocClearFreeProcessString$CreateInitInstance
String ID: service\*$session\*
API String ID: 256460511-2341345938
Opcode ID: 9c3114284af54396d1a867b3776e7649df92ddcec5e16d702708d133b37a5ab4
Instruction ID: 2f186a4c02290f7e67e87a88f31f9214e965dfdd18f5bd948bff8b9b85680956
Opcode Fuzzy Hash: 9c3114284af54396d1a867b3776e7649df92ddcec5e16d702708d133b37a5ab4
Instruction Fuzzy Hash: 46D11836609B86C6EB008B65E4521697BB1FF89F88F504036DA4E8BB68DF3DEC45C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3E5EC, Relevance: 19.8, APIs: 13, Instructions: 279memoryfileCOMMON

Download Yara Rule

APIs

_wsplitpath_s.MSVCRT ref: 00007FF665A3E6AA
FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF665A3E6C5
_wmakepath_s.MSVCRT ref: 00007FF665A3E739
memmove.MSVCRT ref: 00007FF665A3E836
FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF665A3E8AA
wcschr.MSVCRT ref: 00007FF665A3E8CB
wcschr.MSVCRT ref: 00007FF665A3E8E6
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3E9B0
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3E9C4
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3E9EE
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3EA02
memmove.MSVCRT ref: 00007FF665A3EA3B
FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF665A3EA50

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$Find$FileProcessmemmovewcschr$AllocCloseFirstFreeNext_wmakepath_s_wsplitpath_s
String ID:
API String ID: 3425222978-0
Opcode ID: 25ecf0add4ce65bad0817fa65b2af72f8de03f63710de67add37a2d883fc61d8
Instruction ID: 4146fde742cf7a51f5adcb198d4593adbdcd143014a24ab5417a2f2406ca5de1
Opcode Fuzzy Hash: 25ecf0add4ce65bad0817fa65b2af72f8de03f63710de67add37a2d883fc61d8
Instruction Fuzzy Hash: 97C15F32A08B82C6EA108F55E4411A9B7B5FF88BA8F454236DA9D8B7D4DF7CED45C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A395E8, Relevance: 18.1, APIs: 12, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

FindResourceW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1(00000001,?,00000000,00007FF665A3620F), ref: 00007FF665A39612
LoadResource.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF665A39633
LockResource.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF665A39652
SizeofResource.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF665A39675
GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF665A3968E
GlobalLock.API-MS-WIN-CORE-HEAP-OBSOLETE-L1-1-0 ref: 00007FF665A396A9
memmove.MSVCRT ref: 00007FF665A396CB
CreateStreamOnHGlobal.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF665A396DB
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF665A396EB
FreeResource.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF665A3970D
GlobalUnlock.API-MS-WIN-CORE-HEAP-OBSOLETE-L1-1-0 ref: 00007FF665A39721
GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF665A39739

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: GlobalResource$FreeLock$AllocCreateErrorFindLastLoadSizeofStreamUnlockmemmove
String ID:
API String ID: 3361051293-0
Opcode ID: aaece6a30071f986e97ff5687322ce59bbb5af9a295880495176d3fc510f560b
Instruction ID: 651fcefa603b96532ed66bb2b49c68c5a1985d61dc6d09eba81446a784827982
Opcode Fuzzy Hash: aaece6a30071f986e97ff5687322ce59bbb5af9a295880495176d3fc510f560b
Instruction Fuzzy Hash: A8414D31A09A42CBE6045F62E645179AAA0FF4AFB5B458334DE6ECB7D4DF3CDC418600

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3B530, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 190memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000001,00000000,00000001,00000000,?,00000002,?,00007FF665A3539F), ref: 00007FF665A3B568
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3B57F
StringFromGUID2.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF665A3B5C9
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF665A3B5D9
_wcsicmp.MSVCRT ref: 00007FF665A3B606
_wcsicmp.MSVCRT ref: 00007FF665A3B61C

Strings

%1!-40s! %2!-38s!, xrefs: 00007FF665A3B67C

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap_wcsicmp$AllocErrorFromLastProcessString
String ID: %1!-40s! %2!-38s!
API String ID: 3821196655-2002942371
Opcode ID: a6400e080f0d0da4d28cb11b721a14704c8a39ac3192fe0e44e2de7e3d533435
Instruction ID: ed6157e8dce3d1c994b1faa91e0a969c16e8b83a2efa92c673ecda1e529687cd
Opcode Fuzzy Hash: a6400e080f0d0da4d28cb11b721a14704c8a39ac3192fe0e44e2de7e3d533435
Instruction Fuzzy Hash: 2A814A26B15E5AC6EB108B66D85667967B1BF48F88F408135CE0ECB765DF7DEC058300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3EEA8, Relevance: 10.6, APIs: 7, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3EEE7
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3EEFE
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF665A3EF36
wcstok.MSVCRT ref: 00007FF665A3EF80
wcstok.MSVCRT ref: 00007FF665A3EFB4
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3F013
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3F027

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$Processwcstok$AllocFreeInfoLocale
String ID:
API String ID: 3763529093-0
Opcode ID: 78e75197a721c6ccfec268c0d4a1a5298bad2254f178965899641632965e0cdd
Instruction ID: 2626af903aff2734c1e4f31cb588d964542b1c849ee0443b0cce8f23719f2336
Opcode Fuzzy Hash: 78e75197a721c6ccfec268c0d4a1a5298bad2254f178965899641632965e0cdd
Instruction Fuzzy Hash: CE415B26A24B52CAEB108B66E4011BD66B1FF8AF88F548035DE4EDB754EF3CDD428710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A41674, Relevance: 9.0, APIs: 6, Instructions: 49timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF665A416A4
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF665A416B2
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF665A416BE
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF665A416CA
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF665A416DA
QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0 ref: 00007FF665A416F5

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: f8145ee991bba0ce992050832f4fadfa445b3df78faf0bbad4ea6aa3408f916c
Instruction ID: 74a1a6643736a26a7409ad33b1b1d979c7d6bb777bbf0453cfa4cdf8ee375087
Opcode Fuzzy Hash: f8145ee991bba0ce992050832f4fadfa445b3df78faf0bbad4ea6aa3408f916c
Instruction Fuzzy Hash: 93110E26A04B45CBEB10DFA5E84516933B4FF58B58F400A35EA6D8A754EF7CD9A4C240

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3D130, Relevance: 7.7, APIs: 5, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00007FF665A3DF96,?,?,?,?,?,?,00000000,00000000,?,00007FF665A34F4E), ref: 00007FF665A3D2B5
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,00007FF665A3DF96,?,?,?,?,?,?,00000000,00000000,?,00007FF665A34F4E), ref: 00007FF665A3D2CC
wcstok.MSVCRT ref: 00007FF665A3D326
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,00007FF665A3DF96,?,?,?,?,?,?,00000000,00000000,?,00007FF665A34F4E), ref: 00007FF665A3D33A
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,00007FF665A3DF96,?,?,?,?,?,?,00000000,00000000,?,00007FF665A34F4E), ref: 00007FF665A3D34E

Part of subcall function 00007FF665A3BDF8: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF665A3BE1E
Part of subcall function 00007FF665A3BDF8: WriteConsoleW.KERNELBASE(?,?,?,?,?,00000000,00007FF665A3C160), ref: 00007FF665A3BE8C

Part of subcall function 00007FF665A3BDF8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00000000,00007FF665A3C160), ref: 00007FF665A3BEA0
Part of subcall function 00007FF665A3BDF8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00000000,00007FF665A3C160), ref: 00007FF665A3BEE4

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$ErrorLastProcess$AllocConsoleFreeHandleWritewcstok
String ID:
API String ID: 611209975-0
Opcode ID: 03d3d2132bfac06fdaf7d0c14ea8e091a477c2e9d1a3a4ea64eafcd154402123
Instruction ID: d2a7ce2c5b18e3d54b3657885fd38bf3b32ffd89988e4f52b3c4c348e7528daf
Opcode Fuzzy Hash: 03d3d2132bfac06fdaf7d0c14ea8e091a477c2e9d1a3a4ea64eafcd154402123
Instruction Fuzzy Hash: AE616A71A08B42C6EB649B65E41317967B2EF48F88F44843AD90ECE699CF7CEC45C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3FF14, Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF665A3FF48
GetVersionExW.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF665A3FF5A
GetVersionExW.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF665A3FF77

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Version$memset
String ID:
API String ID: 3607446104-0
Opcode ID: 134a97ef0477d238f73521c359988d66ab773a5adf20d640f6b65f3e2f119e0c
Instruction ID: 53df9b5a255570337753c50b0807633d2600510e67b69b9c24bf6773a2d64af0
Opcode Fuzzy Hash: 134a97ef0477d238f73521c359988d66ab773a5adf20d640f6b65f3e2f119e0c
Instruction Fuzzy Hash: 20313831A18146C6FB748B64E5523BA66F0FFA9F44F504139DA4ECE684EF3DED449A00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A41194, Relevance: 4.5, APIs: 3, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF665A4119F
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF665A411A8
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF665A411AE

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CurrentProcess
String ID:
API String ID: 1249254920-0
Opcode ID: 190f0c9cf2e63ebc2514097563bd3f5bda4b2f6388e4ef4920ad6970d80fea3c
Instruction ID: fa234533473e440f4e4df0355575e9f17c6cfca97a1054c03175a35566f29204
Opcode Fuzzy Hash: 190f0c9cf2e63ebc2514097563bd3f5bda4b2f6388e4ef4920ad6970d80fea3c
Instruction Fuzzy Hash: DBD0C759E08906C6F75C5BE1FC174751231AF9DF45F155034C94F8A350DD7D5C8A8740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A33F88, Relevance: .8, Instructions: 755COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605de4a4e25ad8854672d4795f1d7f1ec4ac7b4a79fd9c18f50adee2990bee41
Instruction ID: 49742bec6dab0100a7609f32d4d6a38e6688b1b4c8374b7f0fa53f91fc064b02
Opcode Fuzzy Hash: 605de4a4e25ad8854672d4795f1d7f1ec4ac7b4a79fd9c18f50adee2990bee41
Instruction Fuzzy Hash: B292D071E09B06CAEB10CBA0E8961B833B9AF54F48F40423AD84DDE665EF7DAD55C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3D384, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5afda1d434f605ec6dab8cd345f7cfe15459255fbfbf9c475e7b9b36d858b2e5
Instruction ID: acb2d239bd5aba1bc12a48c019926f35e9f0ce79c926480bf0069a77e9b1759a
Opcode Fuzzy Hash: 5afda1d434f605ec6dab8cd345f7cfe15459255fbfbf9c475e7b9b36d858b2e5
Instruction Fuzzy Hash: B1513872A09A12C2EB619B15D50227967B2AF48FDCF894036CA1DCF694CFBDFC85C640

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A35A38, Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 128memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF665A35A4F
OpenThreadToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF665A35A69
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF665A35A7E
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF665A35AA8
OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF665A35AC1
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF665A35AD1
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A35B00
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A35B14
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A35B24
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A35B38
GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF665A35B6C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF665A35B7C
ConvertSidToStringSidW.API-MS-WIN-SECURITY-SDDL-L1-1-0 ref: 00007FF665A35BAC
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF665A35BBC
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A35BD6
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A35BEA
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF665A35C07

Strings

T, xrefs: 00007FF665A35AF3

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$Process$ErrorLast$Token$CurrentFreeOpenThread$AllocCloseConvertHandleInformationString
String ID: T
API String ID: 140808997-3187964512
Opcode ID: 10ff41e0a32023c95977cbc58c50dfdc5029366e9b9a691ffb8021a234ae0f48
Instruction ID: 20c5fa9a0da2d0a3718eaabd315b8d9604ae3346ac4794af5095894f47f117ed
Opcode Fuzzy Hash: 10ff41e0a32023c95977cbc58c50dfdc5029366e9b9a691ffb8021a234ae0f48
Instruction Fuzzy Hash: 12510C35A08B46CAE7105FA5E445279ABB0FF8EF95F458134CA4ACA654EF7CEC058610

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3761C, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 188memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF665A37655
wcstok.MSVCRT ref: 00007FF665A3766B
isspace.MSVCRT ref: 00007FF665A3768E
VariantClear.OLEAUT32 ref: 00007FF665A376AF
SysAllocString.OLEAUT32 ref: 00007FF665A376BE
VariantInit.OLEAUT32 ref: 00007FF665A37729
VariantInit.OLEAUT32 ref: 00007FF665A37739
VariantClear.OLEAUT32 ref: 00007FF665A37782
VariantClear.OLEAUT32 ref: 00007FF665A377E8
VariantClear.OLEAUT32 ref: 00007FF665A37867
VariantClear.OLEAUT32 ref: 00007FF665A37877
VariantClear.OLEAUT32 ref: 00007FF665A3788D
wcstok.MSVCRT ref: 00007FF665A378C9
VariantClear.OLEAUT32 ref: 00007FF665A378EB

Strings

(),, xrefs: 00007FF665A37661, 00007FF665A378C0

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Variant$Clear$Init$wcstok$AllocStringisspace
String ID: (),
API String ID: 638735022-3212918082
Opcode ID: 0a63b5d847dfeb361e9bfe18baa8fbb19abfc56681a8e9d21c1c10666a9883a7
Instruction ID: 97a839ab0994780213e60400ef1ae3e11e2720fea43e7e991eda500e26deba10
Opcode Fuzzy Hash: 0a63b5d847dfeb361e9bfe18baa8fbb19abfc56681a8e9d21c1c10666a9883a7
Instruction Fuzzy Hash: 45912736B04E42C6EB018F65E8512A86BB1FF49F89F558132CE4E9B754EF78E945C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3B93C, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 150fileCOMMON

Download Yara Rule

APIs

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF665A36420), ref: 00007FF665A3B96D
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF665A36420), ref: 00007FF665A3B991
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF665A36420), ref: 00007FF665A3B9A6
GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF665A36420), ref: 00007FF665A3B9B5
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF665A36420), ref: 00007FF665A3B9E4
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF665A3BA32
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF665A3BA71
ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF665A36420), ref: 00007FF665A3BA83
wprintf.MSVCRT ref: 00007FF665A3BAEE
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF665A36420), ref: 00007FF665A3BB22
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF665A36420), ref: 00007FF665A3BB52

Part of subcall function 00007FF665A3BDF8: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF665A3BE1E
Part of subcall function 00007FF665A3BDF8: WriteConsoleW.KERNELBASE(?,?,?,?,?,00000000,00007FF665A3C160), ref: 00007FF665A3BE8C

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF665A36420), ref: 00007FF665A3BB75

Strings

%c %c, xrefs: 00007FF665A3BAE4

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Console$FileModeRead$ErrorHandleLast$ByteCharMultiTypeWideWritewprintf
String ID: %c %c
API String ID: 1390269697-3801459041
Opcode ID: 7485b384eabae3195ca0692ecfa4258bdb405900b32f60aab22617bdacb2827f
Instruction ID: 9edcfb6d2ee0f7b7a690f1fe98d0d8f900ce1fad8fa82cd5c8f6804ca02f2e0e
Opcode Fuzzy Hash: 7485b384eabae3195ca0692ecfa4258bdb405900b32f60aab22617bdacb2827f
Instruction Fuzzy Hash: CB518E32A08E55CBE7148F20D4022B87AB2FF49F59F558635DA4ACA7A4DF3DDC458710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A38428, Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 255memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665A38398: _wcsicmp.MSVCRT ref: 00007FF665A383BD

SysAllocString.OLEAUT32 ref: 00007FF665A3848F
towlower.MSVCRT ref: 00007FF665A38555
wcsstr.MSVCRT ref: 00007FF665A3858B
_wtoi.MSVCRT ref: 00007FF665A386CF
_wtoi.MSVCRT ref: 00007FF665A38717
_wcsicmp.MSVCRT ref: 00007FF665A38767
_wcsicmp.MSVCRT ref: 00007FF665A38785
SysFreeString.OLEAUT32 ref: 00007FF665A387ED

Strings

perf, xrefs: 00007FF665A38760
system, xrefs: 00007FF665A3877E
cycle, xrefs: 00007FF665A387A1

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: _wcsicmp$String_wtoi$AllocFreetowlowerwcsstr
String ID: cycle$perf$system
API String ID: 2625957229-1414367915
Opcode ID: a9e2468ff03ee93f3f4897dd50b927cb824294edcf99e113a79a37289d4fc389
Instruction ID: 3c130c7e4312899a3171ae0ecfd70efc936fa005721a0b1d08efce1d71d02dde
Opcode Fuzzy Hash: a9e2468ff03ee93f3f4897dd50b927cb824294edcf99e113a79a37289d4fc389
Instruction Fuzzy Hash: D3C1E826B0AA47C6EB148B6AE8521796BB1FF48F89B544132DA0DCB364DF7DEC45C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A39768, Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 180memoryCOMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00007FF665A39890
_wcsicmp.MSVCRT ref: 00007FF665A398AC
_wcsicmp.MSVCRT ref: 00007FF665A398CC
_wcsicmp.MSVCRT ref: 00007FF665A398E8
_wcsicmp.MSVCRT ref: 00007FF665A39904

Part of subcall function 00007FF665A3C828: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3C866
Part of subcall function 00007FF665A3C828: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3C87A
Part of subcall function 00007FF665A3C828: memmove.MSVCRT ref: 00007FF665A3C897

SysAllocString.OLEAUT32 ref: 00007FF665A399F2

Strings

legacy, xrefs: 00007FF665A398DC
service, xrefs: 00007FF665A39802
system, xrefs: 00007FF665A398F8
session, xrefs: 00007FF665A39809
autosession, xrefs: 00007FF665A398C0
%s\%s, xrefs: 00007FF665A399C9

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: _wcsicmp$AllocHeap$ProcessStringmemmove
String ID: %s\%s$autosession$legacy$service$session$system
API String ID: 2853241229-3132811936
Opcode ID: b986bca90d6689e86ebcb196d71dab2db6de9bde0e9eac888a83798d9e7a8da1
Instruction ID: 25712423a5f328689cfc679435800028543b2c11603beae5588ea84a6f03a0cf
Opcode Fuzzy Hash: b986bca90d6689e86ebcb196d71dab2db6de9bde0e9eac888a83798d9e7a8da1
Instruction Fuzzy Hash: 7F81AC22A19A46DAEA50CF10E5521B967B0FF84F18F805635E65ECB6E4EF3CED15C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A390A4, Relevance: 19.6, APIs: 13, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00000003,00000000,?,00007FF665A39EE3), ref: 00007FF665A390C6
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00000003,00000000,?,00007FF665A39EE3), ref: 00007FF665A390DD
GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00000003,00000000,?,00007FF665A39EE3), ref: 00007FF665A39119
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000003,00000000,?,00007FF665A39EE3), ref: 00007FF665A39129
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00000003,00000000,?,00007FF665A39EE3), ref: 00007FF665A39272
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00000003,00000000,?,00007FF665A39EE3), ref: 00007FF665A39286
SysFreeString.OLEAUT32 ref: 00007FF665A3929A

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$FreeProcess$AllocCurrentDirectoryErrorLastString
String ID:
API String ID: 171301060-0
Opcode ID: 2888566fb334214c9ef4aeee684fd0fef4db5b9239423247195526b91ba74c5e
Instruction ID: 2907d291376b38e26b1492f4a572a1f2c05ace2ba4f8c48015c586457ee9fe88
Opcode Fuzzy Hash: 2888566fb334214c9ef4aeee684fd0fef4db5b9239423247195526b91ba74c5e
Instruction Fuzzy Hash: F1512B21A08B42CAEA509F96E946179BAB0FF89F85F458135CE4ECB764DF7CEC458700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3D87C, Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665A3BDF8: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF665A3BE1E
Part of subcall function 00007FF665A3BDF8: WriteConsoleW.KERNELBASE(?,?,?,?,?,00000000,00007FF665A3C160), ref: 00007FF665A3BE8C

SysFreeString.OLEAUT32 ref: 00007FF665A3DA57

Strings

FALSE, xrefs: 00007FF665A3DA17
TRUE, xrefs: 00007FF665A3DA0B
%1!s!, xrefs: 00007FF665A3DA1E
%1!26s!%2!-20s!, xrefs: 00007FF665A3D9C7
%1!d!, xrefs: 00007FF665A3D910
%1!02d!:%2!02d!:%3!02d!, xrefs: 00007FF665A3D972
%1!-20s!, xrefs: 00007FF665A3D9AF
%1!-16s! %2!-6s! = , xrefs: 00007FF665A3D8C9

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: ConsoleFreeHandleStringWrite
String ID: %1!26s!%2!-20s!$%1!-16s! %2!-6s! = $%1!-20s!$%1!02d!:%2!02d!:%3!02d!$%1!d!$%1!s!$FALSE$TRUE
API String ID: 1268984746-2453359417
Opcode ID: 5c1517ec00812bcdc8a1b57281dc262cf3bd5ff4232645bd83f1d22e9b88845b
Instruction ID: 01fe28d8176f6717951d5f90342622b8217c21f8dc0c3c1dbb1f8b422b6e23a8
Opcode Fuzzy Hash: 5c1517ec00812bcdc8a1b57281dc262cf3bd5ff4232645bd83f1d22e9b88845b
Instruction Fuzzy Hash: 56516922A0C552C2EB609F64E9522B96771FF45F88F989136DA4ECF998DF2CED45C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A36684, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 243COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF665A366B3
VariantInit.OLEAUT32 ref: 00007FF665A366C3
_wcsicmp.MSVCRT ref: 00007FF665A366EF
VariantClear.OLEAUT32 ref: 00007FF665A369EB
VariantClear.OLEAUT32 ref: 00007FF665A369FB

Strings

start, xrefs: 00007FF665A366E8
stop, xrefs: 00007FF665A36719

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Variant$ClearInit$_wcsicmp
String ID: start$stop
API String ID: 4111760150-149793450
Opcode ID: 385e3626686d79f64ff0c0fe4a9c1d92f3cb63dcf11f9eaf6d7845ac1b8f8477
Instruction ID: d3654ff9a4929b60e1e78928ee22338a8890271ab9ffb20b7a38cb9b2278960a
Opcode Fuzzy Hash: 385e3626686d79f64ff0c0fe4a9c1d92f3cb63dcf11f9eaf6d7845ac1b8f8477
Instruction Fuzzy Hash: 64C1E922B04A56C6EB118F69E8561B827B1FF48F99B404132DA0ECB765EF79EC85C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A36334, Relevance: 13.6, APIs: 9, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000001,00000000,00000003,00007FF665A356D4), ref: 00007FF665A363B8
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A363CF

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 3b8fd32e934026671a154eaab04067345d8261a616bb3edeb66e502125c838e4
Instruction ID: bde894491479189d3b1f5eebab22c4b3ed8ecf1545fe5f6ce09b75d7522e2936
Opcode Fuzzy Hash: 3b8fd32e934026671a154eaab04067345d8261a616bb3edeb66e502125c838e4
Instruction Fuzzy Hash: F8416E21A08A42C6EA149F56E502179ABB0FF89F94F598134CF5E8B7A4DF3CEC468300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3F2FC, Relevance: 12.7, APIs: 10, Instructions: 188memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665A3C828: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3C866
Part of subcall function 00007FF665A3C828: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3C87A
Part of subcall function 00007FF665A3C828: memmove.MSVCRT ref: 00007FF665A3C897

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3F349
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3F360
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF665A3F713), ref: 00007FF665A3F55D
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF665A3F713), ref: 00007FF665A3F573

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$Process$Alloc$Freememmove
String ID:
API String ID: 4047584235-0
Opcode ID: a179c7c869220021086d0b1c3e626983815b20538cc4e231da7b06faa497f2e8
Instruction ID: 12d5189c30d5385ed3925c77a918ce854ad78d8590ac2a4f6fe7c4e557dcd8fe
Opcode Fuzzy Hash: a179c7c869220021086d0b1c3e626983815b20538cc4e231da7b06faa497f2e8
Instruction Fuzzy Hash: 6671AB22A19B42C6EB148F56E44527966B1EF89F98F588139DE4ECB394DF3DEC45C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A38C5C, Relevance: 12.2, APIs: 8, Instructions: 218memoryCOMMON

Download Yara Rule

APIs

#170.API-MS-WIN-SHCORE-PATH-L1-1-0(?,?,?,?,00000003,00000000,?,00007FF665A39EE3), ref: 00007FF665A38CBF
SysAllocString.OLEAUT32 ref: 00007FF665A38CE0
SysFreeString.OLEAUT32 ref: 00007FF665A38F43
SysFreeString.OLEAUT32 ref: 00007FF665A38F57
SafeArrayDestroy.OLEAUT32 ref: 00007FF665A38F6B

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: String$Free$#170AllocArrayDestroySafe
String ID:
API String ID: 280707029-0
Opcode ID: 2090eb09321799808ec08f1bf7a679c2363292f8ec9890f1625c44d6807c9e25
Instruction ID: 2b3ec4224f9eebc0e5ec5d1e8c123a2907391923fa76c6ff9b71ef677c13eb1b
Opcode Fuzzy Hash: 2090eb09321799808ec08f1bf7a679c2363292f8ec9890f1625c44d6807c9e25
Instruction Fuzzy Hash: 0AA12625B0AA53C6EB109FA6E85217967B1BF48F89B148032EE0DCB765DF7DEC448350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A364E4, Relevance: 12.1, APIs: 8, Instructions: 116timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?,00000000,00000000,00000000,?,00000007,?,00000000,?,00007FF665A368BF), ref: 00007FF665A36516
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00000000,00000000,?,00000007,?,00000000,?,00007FF665A368BF), ref: 00007FF665A36529
VariantClear.OLEAUT32 ref: 00007FF665A36566
SystemTimeToVariantTime.OLEAUT32 ref: 00007FF665A365B8
VariantClear.OLEAUT32 ref: 00007FF665A365D2
SystemTimeToVariantTime.OLEAUT32 ref: 00007FF665A3661C
VariantInit.OLEAUT32 ref: 00007FF665A36640
VariantInit.OLEAUT32 ref: 00007FF665A3664F

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: TimeVariant$System$ClearInit$ErrorFileLast
String ID:
API String ID: 3722993077-0
Opcode ID: ca731bc622532af89c6b98cbe2234c5eeba0b88abb80220fb6aabdd62e9c7679
Instruction ID: 47fc36c7dcb1a57dbdb7c9b50578a152db14b2148126842b09b726454abf337f
Opcode Fuzzy Hash: ca731bc622532af89c6b98cbe2234c5eeba0b88abb80220fb6aabdd62e9c7679
Instruction Fuzzy Hash: E6416D26A14B92DAE7019FA1D8420BCB7B0FF59F58B45A132DF098B754EF78E895C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3F064, Relevance: 12.1, APIs: 8, Instructions: 95memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3F08C
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3F0A3
VarDateFromStr.OLEAUT32 ref: 00007FF665A3F139
VariantTimeToSystemTime.OLEAUT32 ref: 00007FF665A3F158
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3F166
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3F17A
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3F18D
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3F1A3

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$Process$FreeTime$AllocDateFromSystemVariant
String ID:
API String ID: 297023416-0
Opcode ID: 8ef3c66c08d285beaa8af497a0e25921d9eb69a54ed368faee913849b8511309
Instruction ID: 1ce1e9e6b98fe69a7c2313ce397228cc032a29b8d44f263a7d9b3acf955a2ded
Opcode Fuzzy Hash: 8ef3c66c08d285beaa8af497a0e25921d9eb69a54ed368faee913849b8511309
Instruction Fuzzy Hash: 05310921A18B82C6E7009BA2F94517AAAB1FF8AF84F458135DE4DCB755DF3CE8468600

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3A898, Relevance: 10.8, APIs: 7, Instructions: 278COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF665A3A8D2
VariantInit.OLEAUT32 ref: 00007FF665A3A8E2
VariantClear.OLEAUT32 ref: 00007FF665A3A996
VariantClear.OLEAUT32 ref: 00007FF665A3AB49
VariantClear.OLEAUT32 ref: 00007FF665A3AB81
VariantClear.OLEAUT32 ref: 00007FF665A3ABBB
VariantClear.OLEAUT32 ref: 00007FF665A3ABCB

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Variant$Clear$Init
String ID:
API String ID: 3740757921-0
Opcode ID: f23c89b3d0001e82b7fa9390aff1daa36116dbeea918a5813f2f648cf382305e
Instruction ID: f2c737230854b9b345f80cc2ec4095342ff5d5ac36dfb5d4da9859b7749c64b4
Opcode Fuzzy Hash: f23c89b3d0001e82b7fa9390aff1daa36116dbeea918a5813f2f648cf382305e
Instruction Fuzzy Hash: C0D1A326B05E56C6EB04CFA9E8911A82771FF48F89B554032DE0E9BB68DF79EC45C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A392C8, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 210memoryCOMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00007FF665A39387
_wcsicmp.MSVCRT ref: 00007FF665A393AC
SysAllocString.OLEAUT32 ref: 00007FF665A393F9
SysFreeString.OLEAUT32 ref: 00007FF665A395C0

Part of subcall function 00007FF665A38C5C: #170.API-MS-WIN-SHCORE-PATH-L1-1-0(?,?,?,?,00000003,00000000,?,00007FF665A39EE3), ref: 00007FF665A38CBF
Part of subcall function 00007FF665A38C5C: SysFreeString.OLEAUT32 ref: 00007FF665A38F43
Part of subcall function 00007FF665A38C5C: SysFreeString.OLEAUT32 ref: 00007FF665A38F57
Part of subcall function 00007FF665A38C5C: SafeArrayDestroy.OLEAUT32 ref: 00007FF665A38F6B

Part of subcall function 00007FF665A390A4: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00000003,00000000,?,00007FF665A39EE3), ref: 00007FF665A390C6
Part of subcall function 00007FF665A390A4: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00000003,00000000,?,00007FF665A39EE3), ref: 00007FF665A390DD

Strings

mmddhhmm, xrefs: 00007FF665A393A5
nnnnnn, xrefs: 00007FF665A39380

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: String$Free$AllocHeap_wcsicmp$#170ArrayDestroyProcessSafe
String ID: mmddhhmm$nnnnnn
API String ID: 2715546783-2666863168
Opcode ID: 71b197583b609deaf72ec081c22b87ab1773176f0a43cf3a7d8c6ee57f790235
Instruction ID: 36e3300e649e7fdf21a9c040eb385ac09ff85b970246964e0f35d401787e88f6
Opcode Fuzzy Hash: 71b197583b609deaf72ec081c22b87ab1773176f0a43cf3a7d8c6ee57f790235
Instruction Fuzzy Hash: 36914061B0C643CAFB549F5AEA9213926B5AF48F89F444135DA0ECF3A5DE3CEC858700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A38830, Relevance: 10.7, APIs: 7, Instructions: 160memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF665A3894A
SysFreeString.OLEAUT32 ref: 00007FF665A3899A
SysAllocString.OLEAUT32 ref: 00007FF665A389BC
SysFreeString.OLEAUT32 ref: 00007FF665A389FE
SysAllocString.OLEAUT32 ref: 00007FF665A38A20
SysFreeString.OLEAUT32 ref: 00007FF665A38A59
SafeArrayDestroy.OLEAUT32 ref: 00007FF665A38A6D

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: String$AllocFree$ArrayDestroySafe
String ID:
API String ID: 2618382806-0
Opcode ID: ad4ed5dcc9d218c2befe8663d1be73388acfffe0db7459eece0a7c6c32be8417
Instruction ID: b61b94dcbee93b236986b102107659240c09b2d22e72b42c8ba2e9e3e67b0141
Opcode Fuzzy Hash: ad4ed5dcc9d218c2befe8663d1be73388acfffe0db7459eece0a7c6c32be8417
Instruction Fuzzy Hash: 6C71FD26A0AA47C6EB508F65E85227867B0BF88F89F494136DA4DCB364DF3CEC45C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3ACBC, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF665A3ACE0

Part of subcall function 00007FF665A3A898: VariantInit.OLEAUT32 ref: 00007FF665A3A8D2
Part of subcall function 00007FF665A3A898: VariantInit.OLEAUT32 ref: 00007FF665A3A8E2
Part of subcall function 00007FF665A3A898: VariantClear.OLEAUT32 ref: 00007FF665A3A996

SysAllocString.OLEAUT32 ref: 00007FF665A3AD05
VariantClear.OLEAUT32 ref: 00007FF665A3AD89
SysFreeString.OLEAUT32 ref: 00007FF665A3ADF2
VariantClear.OLEAUT32 ref: 00007FF665A3AE02

Strings

logman.xsl, xrefs: 00007FF665A3ACFE

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Variant$ClearInit$String$AllocFree
String ID: logman.xsl
API String ID: 1429121160-611824906
Opcode ID: bc3ddd7204e269528c4a3ffd5188b1adfa29419c7fd8874098c3201a3da701c8
Instruction ID: 324f79181be983d356f065a5a80bca44d83c14fd4f4154fee3521482343a8462
Opcode Fuzzy Hash: bc3ddd7204e269528c4a3ffd5188b1adfa29419c7fd8874098c3201a3da701c8
Instruction Fuzzy Hash: 7A412822B14A56C6EB019B66D8522A86BB1FF49FC9F458032DE0E9B765DF38EC458310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3A740, Relevance: 10.6, APIs: 7, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00000001,00000000,00000000,00007FF665A3AB3F), ref: 00007FF665A3A787
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00000001,00000000,00000000,00007FF665A3AB3F), ref: 00007FF665A3A79E
StringFromGUID2.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,00000001,00000000,00000000,00007FF665A3AB3F), ref: 00007FF665A3A7CA
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00000001,00000000,00000000,00007FF665A3AB3F), ref: 00007FF665A3A84E
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00000001,00000000,00000000,00007FF665A3AB3F), ref: 00007FF665A3A862

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$Process$AllocFreeFromString
String ID:
API String ID: 1592319463-0
Opcode ID: 6620021ebeaa957f9d75ccc6ab9bf6efa276a40b17019acb6afe4bb1711d4bf2
Instruction ID: ff18a75b3f91985c5dd2b6d7e326e04cd89288c25e800dbf4a9fa2aca58c4115
Opcode Fuzzy Hash: 6620021ebeaa957f9d75ccc6ab9bf6efa276a40b17019acb6afe4bb1711d4bf2
Instruction Fuzzy Hash: 07312A21B08A92C6EA108B56E8462796AB1FF8DFC5F458135DE4E8B764DF3CD8468700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A40200, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF665A40257
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF665A40291
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF665A402A4
_wcsnicmp.MSVCRT ref: 00007FF665A402CE

Strings

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}, xrefs: 00007FF665A40249
Locale, xrefs: 00007FF665A4027A

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: CloseOpenQueryValue_wcsnicmp
String ID: Locale$Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
API String ID: 2262609651-1161606707
Opcode ID: 14d1c757d91ac24a21972e11ea89e99e1d46283fb26e97f50747c00b3d1f08c9
Instruction ID: e749ffd112c8c0a4f68470d0b4442b81562e03788f6640192ddb72d20f5c8090
Opcode Fuzzy Hash: 14d1c757d91ac24a21972e11ea89e99e1d46283fb26e97f50747c00b3d1f08c9
Instruction Fuzzy Hash: C9317A32A18B42C6EB108FA5E44516977B1FF89F90F904131DA5D8B794DF3DE844CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A39B60, Relevance: 9.3, APIs: 6, Instructions: 292memorycomCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF665A39BA1
CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000001,00000000), ref: 00007FF665A39BCA
SysAllocString.OLEAUT32 ref: 00007FF665A39C75
VariantClear.OLEAUT32 ref: 00007FF665A39D98
SysAllocString.OLEAUT32 ref: 00007FF665A39DA8
VariantClear.OLEAUT32 ref: 00007FF665A39F20

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Variant$AllocClearString$CreateInitInstance
String ID:
API String ID: 431318470-0
Opcode ID: d0efa196d4e7141bb6d94861a8fc7feed3d993593326fa1d669127e86c095b8c
Instruction ID: bf1f81930cd0143f91426c8227ad16946b6e71beb06874aa6bdbb2235bd559a8
Opcode Fuzzy Hash: d0efa196d4e7141bb6d94861a8fc7feed3d993593326fa1d669127e86c095b8c
Instruction Fuzzy Hash: EFD10226B09B46CAEB508FA5D6921B923B4BF48F88B444036DE0EDB764DF39EC45C350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3AE48, Relevance: 9.1, APIs: 6, Instructions: 141memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00000001,?,00000001,00000000,?,00000002,?,00007FF665A35368), ref: 00007FF665A3AE90
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00000001,?,00000001,00000000,?,00000002,?,00007FF665A35368), ref: 00007FF665A3AEA6
qsort.MSVCRT ref: 00007FF665A3AF4F
SysFreeString.OLEAUT32 ref: 00007FF665A3AFC1
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00000001,?,00000001,00000000,?,00000002,?,00007FF665A35368), ref: 00007FF665A3AFF8
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00000001,?,00000001,00000000,?,00000002,?,00007FF665A35368), ref: 00007FF665A3B00C

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$FreeProcess$AllocStringqsort
String ID:
API String ID: 2546129487-0
Opcode ID: 07ea276afa83eb74051b5d209921b635dec16792e39456f9a31a3bd7a02946d9
Instruction ID: d3c063e0acc5e3bf8c13ed7a2a171e612ccf17e76e9eff88e040467440a9a030
Opcode Fuzzy Hash: 07ea276afa83eb74051b5d209921b635dec16792e39456f9a31a3bd7a02946d9
Instruction Fuzzy Hash: CF518F32A14A66CAEB05CF69E8412AD7B71FF48F89F158135EE0A9B714DF39EC458340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3F1D4, Relevance: 9.1, APIs: 6, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665A3C828: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3C866
Part of subcall function 00007FF665A3C828: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3C87A
Part of subcall function 00007FF665A3C828: memmove.MSVCRT ref: 00007FF665A3C897

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3F21E
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3F235
wcstok.MSVCRT ref: 00007FF665A3F287
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3F2B6
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3F2CA

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$Process$Alloc$Freememmovewcstok
String ID:
API String ID: 1457313128-0
Opcode ID: ae3230fd5b862c756589a95ef7c9d22ee6bf97aac2a89b5efd6e78d40ab19d73
Instruction ID: 7fbb4fb098a8807d10b7a051fc2f29e72b58756afa9af22300d75ce75f7267ff
Opcode Fuzzy Hash: ae3230fd5b862c756589a95ef7c9d22ee6bf97aac2a89b5efd6e78d40ab19d73
Instruction Fuzzy Hash: BA314E25A19B42C6EA559B96E405179BAB0FF89F84F498138CE4ECB795EE3CEC05C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3FCB8, Relevance: 9.1, APIs: 6, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF665A3DEE3,?,?,?,?,?,?,00000000,00000000,?,00007FF665A34F4E), ref: 00007FF665A3FCD2
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF665A3DEE3,?,?,?,?,?,?,00000000,00000000,?,00007FF665A34F4E), ref: 00007FF665A3FCE7
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF665A3DEE3,?,?,?,?,?,?,00000000,00000000,?,00007FF665A34F4E), ref: 00007FF665A3FD37
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF665A3DEE3,?,?,?,?,?,?,00000000,00000000,?,00007FF665A34F4E), ref: 00007FF665A3FD4E
_wfopen.MSVCRT ref: 00007FF665A3FD77
_errno.MSVCRT ref: 00007FF665A3FD8C

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$AllocProcess$_errno_wfopen
String ID:
API String ID: 3346283745-0
Opcode ID: d6047d9a7d9fac2cd3974ac98a5e5c848385ceb342b2da517d5eafb97ad054ea
Instruction ID: ee960c28f864227ac9622dbb62c53050f3c60ef3f99a3329a3797e68392dfef1
Opcode Fuzzy Hash: d6047d9a7d9fac2cd3974ac98a5e5c848385ceb342b2da517d5eafb97ad054ea
Instruction Fuzzy Hash: 01311A32A15B42CAE7148F51F4450697BB4FF89F88B948139DA8D8B724EF3CE865C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3FE24, Relevance: 9.1, APIs: 6, Instructions: 62filelibraryCOMMON

Download Yara Rule

APIs

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF665A3FE58
CreateFileMappingW.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF665A3FE82
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF665A3FE94
MapViewOfFile.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF665A3FEB6
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF665A3FEC8
LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,00000000,00007FF665A408A5), ref: 00007FF665A3FEF1

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: File$CloseCreateHandle$LibraryLoadMappingView
String ID:
API String ID: 1262414356-0
Opcode ID: 2c7d4b9669b024abbd5c980492fb2d0d2dcd22018dbfd3fe4917dc6bbf14e63d
Instruction ID: 85f498c1484bbcd45c1fe61b212235fedf465ec3845a64b4ae8cde2a6d6c4204
Opcode Fuzzy Hash: 2c7d4b9669b024abbd5c980492fb2d0d2dcd22018dbfd3fe4917dc6bbf14e63d
Instruction Fuzzy Hash: 0A215E35A18B52C7E7208F55F505529BAB1FF89FA4B199234CE5D47B58DF3C98058A00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A37924, Relevance: 7.7, APIs: 5, Instructions: 189COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF665A3796B
VariantClear.OLEAUT32 ref: 00007FF665A379BE
VariantClear.OLEAUT32 ref: 00007FF665A37AB9
VariantClear.OLEAUT32 ref: 00007FF665A37B28
VariantClear.OLEAUT32 ref: 00007FF665A37B65

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Variant$Clear$Init
String ID:
API String ID: 3740757921-0
Opcode ID: 1b5306229c6c1118e6ae0a55da821b2c76ab74581ef4e983c35217193c0925a9
Instruction ID: 45d2addf0664e90eaa7b8291b726d44a489d477d8223f09381e461c69994d1e7
Opcode Fuzzy Hash: 1b5306229c6c1118e6ae0a55da821b2c76ab74581ef4e983c35217193c0925a9
Instruction Fuzzy Hash: 8391B426B05A46C6EB01DFA5E4922AC6771FF48F89F414132DE0E9B769DF78E905C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3DB30, Relevance: 7.7, APIs: 6, Instructions: 184memoryCOMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00007FF665A3DBE8
_wcsicmp.MSVCRT ref: 00007FF665A3DC0A
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3DCFB
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3DD10
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3DD59
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF665A3DD6E

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$FreeProcess_wcsicmp
String ID:
API String ID: 624438734-0
Opcode ID: a29f2d0d946e92caead90d3e78cea09dde3356660a10d7e2746af4661e807340
Instruction ID: 127a3caf1c4ff70313d52003381baa5e6f75281e4b9764c5559f4ec6388525aa
Opcode Fuzzy Hash: a29f2d0d946e92caead90d3e78cea09dde3356660a10d7e2746af4661e807340
Instruction Fuzzy Hash: B9711472A18A46CAEB508F61D8463B927B1FF48F8CF544036DA0DCB698DF78EC45C240

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3C3BC, Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000001,00000000,00000000,00007FF665A3D0DB,00000000,00000000,00000000,00007FF665A3D15E,00000000,00000000,?,00007FF665A3DF96), ref: 00007FF665A3C402
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,00007FF665A3DF96,?,?,?,?,?,?,00000000,00000000,?,00007FF665A34F4E), ref: 00007FF665A3C419
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,00007FF665A3DF96,?,?,?,?,?,?,00000000,00000000,?,00007FF665A34F4E), ref: 00007FF665A3C532
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,00007FF665A3DF96,?,?,?,?,?,?,00000000,00000000,?,00007FF665A34F4E), ref: 00007FF665A3C546

Part of subcall function 00007FF665A3BDF8: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF665A3BE1E
Part of subcall function 00007FF665A3BDF8: WriteConsoleW.KERNELBASE(?,?,?,?,?,00000000,00007FF665A3C160), ref: 00007FF665A3BE8C

Strings

%1!s!, xrefs: 00007FF665A3C526

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$Process$AllocConsoleFreeHandleWrite
String ID: %1!s!
API String ID: 2134094217-1485915839
Opcode ID: 102afc81578587306dcdf7ac50bddcdd48089c6338b9417b23d1ff438d5f18f7
Instruction ID: c53c2a5e8eb590be62e42e0c6e026328078da77002f87cd7d61c58921a149535
Opcode Fuzzy Hash: 102afc81578587306dcdf7ac50bddcdd48089c6338b9417b23d1ff438d5f18f7
Instruction Fuzzy Hash: 7051E621F0CA62C2EB249B65D81E17996B1BF84F88F954036DA4ECB791DE7DEC418310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A36A54, Relevance: 7.6, APIs: 5, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32 ref: 00007FF665A36AAF
SafeArrayAccessData.OLEAUT32 ref: 00007FF665A36AD2
SysAllocString.OLEAUT32 ref: 00007FF665A36AF1
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF665A36B45
SafeArrayDestroy.OLEAUT32 ref: 00007FF665A36B5D

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: ArraySafe$Data$AccessAllocCreateDestroyStringUnaccessVector
String ID:
API String ID: 2177256657-0
Opcode ID: 9ef660b1661b8b01e200de58bb8b5fdf737335e33039b4573c90660d9da01980
Instruction ID: 0f555a74ac33acf830ee9d22de3726d5d7fc8eb97bcabf08b454b8508a8807ba
Opcode Fuzzy Hash: 9ef660b1661b8b01e200de58bb8b5fdf737335e33039b4573c90660d9da01980
Instruction Fuzzy Hash: 2131EE22A08B41C2E6119F51E8421B9AB70FF89FA4F588230CE6E8B784DFBCDC55C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3FC30, Relevance: 7.5, APIs: 5, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF665A3FC4B
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF665A3FDB9,?,?,00000000,00007FF665A3DEE3,?,?,?,?,?,?,00000000,00000000), ref: 00007FF665A3FC60
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF665A3FDB9,?,?,00000000,00007FF665A3DEE3,?,?,?,?,?,?,00000000,00000000), ref: 00007FF665A3FC74
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF665A3FDB9,?,?,00000000,00007FF665A3DEE3,?,?,?,?,?,?,00000000,00000000), ref: 00007FF665A3FC85
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF665A3FDB9,?,?,00000000,00007FF665A3DEE3,?,?,?,?,?,?,00000000,00000000), ref: 00007FF665A3FC99

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Heap$FreeProcess$fclose
String ID:
API String ID: 916384275-0
Opcode ID: 0462fb4797b3b6797991485470a4b5633faf3aacbb359a49fe1fe749b8ec038e
Instruction ID: 7007d424efc8c8f086f74332463f4d6fc38125f8e134c5a0689f441e548335db
Opcode Fuzzy Hash: 0462fb4797b3b6797991485470a4b5633faf3aacbb359a49fe1fe749b8ec038e
Instruction Fuzzy Hash: E0011D32A19A41CAEB048F92F445278ABB1FF8EF95F599138CE0E8A754CF3CD845C600

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A36148, Relevance: 6.1, APIs: 4, Instructions: 124commemoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF665A36185
CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF665A361AF
SysAllocString.OLEAUT32 ref: 00007FF665A36270
VariantClear.OLEAUT32 ref: 00007FF665A362CD

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Variant$AllocClearCreateInitInstanceString
String ID:
API String ID: 3126708813-0
Opcode ID: bfe94621eca50100cb919f2d55dcb6240be1b4cce8e2bf259d0dfd3adbc1d24e
Instruction ID: 2089adc85346dfbdbde887d53892b4d5603435d965ed46ff3fe93c12fafba1fe
Opcode Fuzzy Hash: bfe94621eca50100cb919f2d55dcb6240be1b4cce8e2bf259d0dfd3adbc1d24e
Instruction Fuzzy Hash: 0151E526F04B56C6EB118FA6D8562AC27B0BF48F88F554136DE0D9B768DF79E849C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A40044, Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

_vsnwprintf.MSVCRT ref: 00007FF665A4009B

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: _vsnwprintf
String ID:
API String ID: 1036211903-0
Opcode ID: eb8563e2293d5362b0112a5e805a54d3f693922d22de05abfbc8c2ffed6e55f2
Instruction ID: b91068f9ba3116becba1e514f3d421a75ff9283ce1639dd9c208d481aec2a0a4
Opcode Fuzzy Hash: eb8563e2293d5362b0112a5e805a54d3f693922d22de05abfbc8c2ffed6e55f2
Instruction Fuzzy Hash: 3331A122B19B42C6EA209B95E8522BA62F0BF99F84F444535DE4DCF791EF3CEC418710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A39A48, Relevance: 6.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF665A39A67
VariantClear.OLEAUT32 ref: 00007FF665A39B23

Part of subcall function 00007FF665A36148: VariantInit.OLEAUT32 ref: 00007FF665A36185
Part of subcall function 00007FF665A36148: CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF665A361AF
Part of subcall function 00007FF665A36148: VariantClear.OLEAUT32 ref: 00007FF665A362CD

VariantClear.OLEAUT32 ref: 00007FF665A39AB7
SysAllocString.OLEAUT32 ref: 00007FF665A39ACE

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Variant$Clear$Init$AllocCreateInstanceString
String ID:
API String ID: 78311616-0
Opcode ID: f78e717284691bb1b3071f40d5654da807e72fda6bdff1f2f957a8da6bb13197
Instruction ID: 81deb663528ef08998bc04d3373e0c18a3148af98d5f966646eb3409d56355f6
Opcode Fuzzy Hash: f78e717284691bb1b3071f40d5654da807e72fda6bdff1f2f957a8da6bb13197
Instruction Fuzzy Hash: FB313436B04B46CAEB018F65E9420AC67B1FF48F88B458135DE0E9BB19EF38E855C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A38F98, Relevance: 6.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF665A38FBA
SysAllocString.OLEAUT32 ref: 00007FF665A38FCD
VariantClear.OLEAUT32 ref: 00007FF665A3904F
SysFreeString.OLEAUT32 ref: 00007FF665A39063

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID:
API String ID: 760788290-0
Opcode ID: b82c9e5cbb70415a525eb397670e1e24aec5a6e491ef82c5843ababeaf98c2ba
Instruction ID: 81329f2e0f8ee2a45f1f33e14d1af436eb29264bdba4f87f5568750f0a991025
Opcode Fuzzy Hash: b82c9e5cbb70415a525eb397670e1e24aec5a6e491ef82c5843ababeaf98c2ba
Instruction Fuzzy Hash: EC211736618B92C2EB118F56E852169ABB0FF89F94F498071DE4E8B764DF7CEC458700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3F9B0, Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

fgetws.MSVCRT ref: 00007FF665A3F9D7
iswspace.MSVCRT ref: 00007FF665A3FA04
fgetws.MSVCRT ref: 00007FF665A3FA3D
ferror.MSVCRT ref: 00007FF665A3FA55

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: fgetws$ferroriswspace
String ID:
API String ID: 565302097-0
Opcode ID: 5328180d120dc827a6cab6a1cc27cf10d973ba6f043c487eb31d2d2bb319958f
Instruction ID: db2b21b6265ce4af71dbd524fceee15046557a486008e67fbeaaa7de90861cd2
Opcode Fuzzy Hash: 5328180d120dc827a6cab6a1cc27cf10d973ba6f043c487eb31d2d2bb319958f
Instruction Fuzzy Hash: B5215C22A18A42C6E7204F51F44117966B0FF48FA8F548235EB9ECB794DF3CEC928340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A3EDF8, Relevance: 6.0, APIs: 4, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF665A3EE14
SysAllocString.OLEAUT32 ref: 00007FF665A3EE2C
VariantClear.OLEAUT32 ref: 00007FF665A3EE81

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: Variant$AllocClearInitString
String ID:
API String ID: 2213243845-0
Opcode ID: 783d2c435612e8b662e8a72583ad2d3018e3f67a92ec5de13cb6e881d3ebacd2
Instruction ID: 385e26aa387004a7880cfde9368fb2989c96ed4a7021b5f27254ab2fcc750b0a
Opcode Fuzzy Hash: 783d2c435612e8b662e8a72583ad2d3018e3f67a92ec5de13cb6e881d3ebacd2
Instruction Fuzzy Hash: C1112832608A92D7E7218F54E441169BBB0FF8CB98B558135EA8E8BB14DF3CDD59CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF665A38398, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00007FF665A383BD
_wcsicmp.MSVCRT ref: 00007FF665A383E0

Strings

bin, xrefs: 00007FF665A383B6
bincirc, xrefs: 00007FF665A383D9

Memory Dump Source

Source File: 00000000.00000002.666582694.00007FF665A31000.00000020.00020000.sdmp, Offset: 00007FF665A30000, based on PE: true

Associated: 00000000.00000002.666572885.00007FF665A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666599416.00007FF665A42000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.666610897.00007FF665A4B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.666625102.00007FF665A4F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665a30000_logman.jbxd

Similarity

API ID: _wcsicmp
String ID: bin$bincirc
API String ID: 2081463915-363318931
Opcode ID: 7d4de597bd397381b489a5ed02c0a307c78f16c3ef1be78329f8b77ec3ae1ea1
Instruction ID: 5ef2196c647351c38e2422e9385fe5dff43dc9d3f278cac3f78f56ce46367f23
Opcode Fuzzy Hash: 7d4de597bd397381b489a5ed02c0a307c78f16c3ef1be78329f8b77ec3ae1ea1
Instruction Fuzzy Hash: AD012C21B09947C1EB108B56E85613AA7B0FF89F98F549131E60DCB2A4DE7CEC468340

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report logman.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Spreading:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: logman.exe PID: 4828 Parent PID: 5936

General

Chronological Activities

Analysis Process: conhost.exe PID: 6468 Parent PID: 4828

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: logman.exe PID: 4828 Parent PID: 5936 logman.exeCOMMON

Execution Graph

Graph

Executed Functions

Function 00007FF665A34EA8, Relevance: 65.5, APIs: 33, Strings: 4, Instructions: 708memoryCOMMON

Function 00007FF665A3C948, Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 256memoryCOMMON

Function 00007FF665A3C948, Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 256
memoryCOMMON

Function 00007FF665A404BC, Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 357
libraryCOMMON

Function 00007FF665A3C270, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 78
windowlibraryCOMMON

Function 00007FF665A414A0, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 00007FF665A3BDF8, Relevance: 19.7, APIs: 13, Instructions: 200
memoryCOMMON

Function 00007FF665A3C5FC, Relevance: 12.1, APIs: 8, Instructions: 74
memoryCOMMON

Function 00007FF665A40E80, Relevance: 9.1, APIs: 6, Instructions: 95
sleepCOMMON

Function 00007FF665A3DDAC, Relevance: 6.2, APIs: 4, Instructions: 153
threadCOMMON

Function 00007FF665A3E578, Relevance: 4.5, APIs: 3, Instructions: 32
COMMON

Function 00007FF665A3C8BC, Relevance: 3.0, APIs: 2, Instructions: 38
COMMON

Function 00007FF665A40E30, Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Function 00007FF665A3B03C, Relevance: 51.1, APIs: 25, Strings: 4, Instructions: 314
memoryCOMMON

Function 00007FF665A35C2C, Relevance: 44.0, APIs: 23, Strings: 2, Instructions: 206
memoryCOMMON

Function 00007FF665A3D544, Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 197
memoryCOMMON