Windows Analysis Report
pcre2-16.dll

Overview

General Information

Sample name: pcre2-16.dll
Analysis ID: 1448101
MD5: 36185746a613bdc3e52906e4c053ab89
SHA1: fa0ee487b8b311d26b51cca2c83eb12441a0d4d5
SHA256: b1adadb919f6fb08fa87b4a7bae069ead20f48f3e5779d9b3b4f2e4e1ba0f189
Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 7260 cmdline: loaddll64.exe "C:\Users\user\Desktop\pcre2-16.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 7268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7312 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 7336 cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • WerFault.exe (PID: 7440 cmdline: C:\Windows\system32\WerFault.exe -u -p 7336 -s 332 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7320 cmdline: rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_callout_enumerate_16 MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7452 cmdline: C:\Windows\system32\WerFault.exe -u -p 7320 -s 332 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7596 cmdline: rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_code_copy_16 MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7632 cmdline: C:\Windows\system32\WerFault.exe -u -p 7596 -s 324 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7756 cmdline: rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_code_copy_with_tables_16 MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7792 cmdline: C:\Windows\system32\WerFault.exe -u -p 7756 -s 324 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7860 cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_callout_enumerate_16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7868 cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_code_copy_16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7884 cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_code_copy_with_tables_16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7900 cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_number_from_name_16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7924 cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_nametable_scan_16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7952 cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_list_get_16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7980 cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_list_free_16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7992 cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_length_bynumber_16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 8012 cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_length_byname_16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 8028 cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_get_bynumber_16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 8040 cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_get_byname_16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 8052 cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_free_16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 8064 cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_copy_bynumber_16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 8088 cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_copy_byname_16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 8112 cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substitute_16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 8128 cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_substitute_callout_16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 8144 cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_recursion_memory_management_16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 8160 cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_recursion_limit_16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 8180 cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_parens_nest_limit_16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 4504 cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_offset_limit_16 MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: pcre2-16.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\DISQO-Dev\vcpkg\buildtrees\pcre2\x64-windows-rel\pcre2-16.pdb
Source: Binary string: C:\DISQO-Dev\vcpkg\buildtrees\pcre2\x64-windows-rel\pcre2-16.pdb//
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_pcr_1731c9291b48156d38e2b4f8fc44dc6afe3fb_76fbbc46_037511ff-28df-4739-9281-9d59950f9335\
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_pcr_a85d3f61e282c6ab111541d23626a541f6483d_76fbbc46_27c8a652-5e23-4709-baa0-ace937338ba4\
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: Amcache.hve.8.dr String found in binary or memory: http://upx.sf.net
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7336 -s 332
Source: classification engine Classification label: clean4.winDLL@108/17@0/0
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7596
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7268:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7320
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7336
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7756
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\9a540079-8a23-46e2-b9c0-b272d37860c0
Source: pcre2-16.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_callout_enumerate_16
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\pcre2-16.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",#1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7320 -s 332
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_code_copy_16
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7596 -s 324
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_code_copy_with_tables_16
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7756 -s 324
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_callout_enumerate_16
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_code_copy_16
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_code_copy_with_tables_16
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_number_from_name_16
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_nametable_scan_16
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_list_get_16
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_list_free_16
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_length_bynumber_16
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_length_byname_16
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_get_bynumber_16
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_get_byname_16
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_free_16
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_copy_bynumber_16
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_copy_byname_16
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substitute_16
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_substitute_callout_16
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_recursion_memory_management_16
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_recursion_limit_16
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_parens_nest_limit_16
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_offset_limit_16
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll64.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",#1
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: vcruntime140.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: pcre2-16.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: pcre2-16.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: pcre2-16.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: pcre2-16.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: pcre2-16.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: pcre2-16.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: pcre2-16.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: pcre2-16.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\DISQO-Dev\vcpkg\buildtrees\pcre2\x64-windows-rel\pcre2-16.pdb source: loaddll64.exe, 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1748628092.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1771745285.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1748710356.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1754823653.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1714157625.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.1717569155.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.1716011101.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1719718381.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.1719416153.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.1720597750.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.1720555307.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.1719012220.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.1722153325.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001C.00000002.1720518666.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001D.00000002.1720656916.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001E.00000002.1722112566.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001F.00000002.1720560199.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000021.00000002.1721926443.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000022.00000002.1721999203.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000023.00000002.1719436452.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000025.00000002.1720751694.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000026.00000002.1721201356.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000029.00000002.1722036837.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, pcre2-16.dll
Source: Binary string: C:\DISQO-Dev\vcpkg\buildtrees\pcre2\x64-windows-rel\pcre2-16.pdb// source: loaddll64.exe, 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1748628092.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1771745285.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1748710356.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1754823653.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1714157625.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.1717569155.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.1716011101.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1719718381.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.1719416153.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.1720597750.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.1720555307.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.1719012220.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.1722153325.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001C.00000002.1720518666.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001D.00000002.1720656916.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001E.00000002.1722112566.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001F.00000002.1720560199.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000021.00000002.1721926443.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000022.00000002.1721999203.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000023.00000002.1719436452.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000025.00000002.1720751694.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000026.00000002.1721201356.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000029.00000002.1722036837.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, pcre2-16.dll
Source: pcre2-16.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: pcre2-16.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: pcre2-16.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: pcre2-16.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: pcre2-16.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
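The static PE facts above (image base, the DllCharacteristics flags, which section each data directory lives in, and the PDB path recovered from the binary) can be reproduced on any PE32+ file with a short stdlib-only parser, which is also the quickest way to check a DLL for mitigations the report does not list. The following is an added example, not part of the Joe Sandbox report or of PCRE2: it parses a constructed in-memory PE32+ fixture whose values mirror the report lines (the image is built by `build_fixture` and is not the real pcre2-16.dll), and `missing_mitigations` reports which of HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT and GUARD_CF are absent. Because the report lists only the first three flags, an image with the same DllCharacteristics would be flagged for missing GUARD_CF. The function names are chosen here; `parse_pe(open(path, "rb").read())` runs the same checks on a real file.

```python
"""Stdlib-only reproduction of the static PE facts a sandbox report lists
for a 64-bit DLL: image base, DllCharacteristics mitigation flags, which
section each data directory lives in, and the PDB path from the CodeView
debug entry. Added example; the image parsed below is a constructed
fixture that mirrors the report's values, not the real pcre2-16.dll."""
import struct

DLL_CHARACTERISTICS = {          # IMAGE_DLLCHARACTERISTICS_* bits
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF",
}
DATA_DIRECTORIES = [             # IMAGE_DIRECTORY_ENTRY_* in index order
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG",
    "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
EXPECTED = {"HIGH_ENTROPY_VA", "DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF"}


def _section_for(rva, sections):
    """Return the section header covering an RVA (None if unmapped)."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def parse_pe(data):
    """Parse a PE32+ image from bytes; raises ValueError on anything else."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                   # IMAGE_OPTIONAL_HEADER64
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ (64-bit) images handled here")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    n_dirs = min(struct.unpack_from("<I", data, opt + 108)[0], 16)
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(n_dirs)]

    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr})

    placement = {}                                  # data directory -> section name
    for i, (rva, size) in enumerate(dirs):
        if rva and size:
            sec = _section_for(rva, sections)
            placement[DATA_DIRECTORIES[i]] = sec["name"] if sec else None

    # PDB path: walk IMAGE_DEBUG_DIRECTORY entries for a CodeView (type 2) RSDS record.
    pdb_path = None
    if len(dirs) > 6 and dirs[6][0]:
        rva, size = dirs[6]
        sec = _section_for(rva, sections)
        if sec is not None:
            off = rva - sec["va"] + sec["rawptr"]
            for entry in range(size // 28):
                _, _, _, _, dtype, dsize, _, draw = struct.unpack_from("<IIHHIIII", data, off + 28 * entry)
                blob = data[draw:draw + dsize]
                if dtype == 2 and blob[:4] == b"RSDS":   # 'RSDS' + GUID(16) + Age(4) + path
                    pdb_path = blob[24:].split(b"\0", 1)[0].decode("utf-8", "replace")
    return {
        "image_base": image_base,
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit],
        "data_directories": placement,
        "pdb_path": pdb_path,
    }


def missing_mitigations(info):
    """Expected DllCharacteristics flags the image does not set."""
    return EXPECTED - set(info["dll_characteristics"])


def build_fixture(pdb_path, image_base=0x180000000, dll_chars=0x0160):
    """Constructed minimal PE32+ DLL: one .rdata section holding a debug
    directory that points at an RSDS record. Fixture only, not loadable."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                    # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # COFF header: AMD64, 1 section, 240-byte optional header, EXECUTABLE|LARGE_ADDRESS_AWARE|DLL
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 0xF0, 0x2022)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B)                    # PE32+ magic
    struct.pack_into("<Q", img, opt + 24, image_base)
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)      # section / file alignment
    struct.pack_into("<H", img, opt + 70, dll_chars)
    struct.pack_into("<I", img, opt + 108, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112 + 8 * 6, 0x1000, 28)  # DEBUG dir: RVA, one 28-byte entry
    struct.pack_into("<8sIIII", img, opt + 0xF0, b".rdata", 0x200, 0x1000, 0x200, 0x200)
    cv = b"RSDS" + bytes(16) + struct.pack("<I", 1) + pdb_path.encode() + b"\0"
    struct.pack_into("<IIHHIIII", img, 0x200, 0, 0, 0, 0, 2, len(cv), 0x1020, 0x220)
    img[0x220:0x220 + len(cv)] = cv
    return bytes(img)


if __name__ == "__main__":
    sample = build_fixture(r"C:\DISQO-Dev\vcpkg\buildtrees\pcre2\x64-windows-rel\pcre2-16.pdb")
    info = parse_pe(sample)
    # 0x180000000 is the MSVC linker's default image base for x64 DLLs.
    print("image base 0x%X" % info["image_base"])
    print("DllCharacteristics:", ", ".join(info["dll_characteristics"]))
    print("data directories:", info["data_directories"])
    print("PDB path:", info["pdb_path"])
    print("missing mitigations:", sorted(missing_mitigations(info)))
```

The image base of 0x180000000 that the report compares against 0x60000000 is the MSVC linker default for 64-bit DLLs, so on its own it says only that this is a normally linked x64 image; the flags and the embedded PDB path are what identify the build (here a vcpkg release build of pcre2).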
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX, each followed by NOOPENFILEERRORBOX (5 such pairs)
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX (46 identical entries)
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX, each followed by NOOPENFILEERRORBOX (5 such pairs)
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX (46 identical entries)
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX, each followed by NOOPENFILEERRORBOX (5 such pairs)
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX (46 identical entries)
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX, each followed by NOOPENFILEERRORBOX (5 such pairs)
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX (46 identical entries)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0052B3D0 GetSystemInfo,VirtualAlloc, 0_2_00007FFE0052B3D0
Source: C:\Windows\System32\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\System32\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\System32\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_pcr_1731c9291b48156d38e2b4f8fc44dc6afe3fb_76fbbc46_037511ff-28df-4739-9281-9d59950f9335\
Source: C:\Windows\System32\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\System32\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_pcr_a85d3f61e282c6ab111541d23626a541f6483d_76fbbc46_27c8a652-5e23-4709-baa0-ace937338ba4\
Source: C:\Windows\System32\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: Amcache.hve.8.dr | Binary or memory string: VMware
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE005447F0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FFE005447F0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE00543D50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FFE00543D50
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE005256B0 cpuid 0_2_00007FFE005256B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE005443AC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FFE005443AC
Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: MsMpEng.exe
MITRE ATT&CK matrix (a number before a technique is the count of signatures that triggered it):

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Rundll32 | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 13 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Behavior Graph ID: 1448101 | Sample: pcre2-16.dll | Start date: 27/05/2024 | Architecture: WINDOWS | Score: 4
Process tree shown in the graph: loaddll64.exe started cmd.exe, two rundll32.exe instances and 22 other processes; cmd.exe started rundll32.exe; each rundll32.exe branch started WerFault.exe.

| Source | Detection | Scanner | Label |
|---|---|---|---|
| pcre2-16.dll | 3% | Virustotal | |
| pcre2-16.dll | 0% | ReversingLabs | |

No Antivirus matches

| Source | Detection | Scanner | Label |
|---|---|---|---|
| http://upx.sf.net | 0% | URL Reputation | safe |

No contacted domains info

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://upx.sf.net | Amcache.hve.8.dr | false | URL Reputation: safe | unknown |

No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1448101
Start date and time: 2024-05-27 20:13:45 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 42
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: pcre2-16.dll
Detection: CLEAN
Classification: clean4.winDLL@108/17@0/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 109
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Exclude process from analysis (whitelisted): WerFault.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 104.208.16.94, 20.42.73.29
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
  • Execution Graph export aborted for target loaddll64.exe, PID 7260 because there are no executed functions
  • Not all processes were analyzed; the report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
| Time | Type | Description |
|---|---|---|
| 14:14:43 | API Interceptor | 4x Sleep call for process: WerFault.exe modified |
No context
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.7621005599273689
Encrypted: false
Malicious: false
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.7616347574672605
Encrypted: false
Malicious: false
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.7589715246092213
Encrypted: false
Malicious: false
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.7586993128057165
Encrypted: false
Malicious: false
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Mon May 27 18:14:37 2024, 0x1205a4 type
Category: dropped
Size (bytes): 55198
Entropy (8bit): 1.67655871433144
Encrypted: false
Malicious: false
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8500
Entropy (8bit): 3.6966083370369605
Encrypted: false
Malicious: false
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4743
Entropy (8bit): 4.470017874698691
Encrypted: false
Malicious: false
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Mon May 27 18:14:31 2024, 0x1205a4 type
Category: dropped
Size (bytes): 55718
Entropy (8bit): 1.6647323348112437
Encrypted: false
Malicious: false
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Mon May 27 18:14:31 2024, 0x1205a4 type
Category: dropped
Size (bytes): 57074
Entropy (8bit): 1.636498788027373
Encrypted: false
Malicious: false
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8760
Entropy (8bit): 3.7009109146518564
Encrypted: false
SSDEEP:192:R6l7wVeJUf0bsv6Ysvt8dgmfAl/ZsNApr089bQ9rfznwm:R6lXJs0bsv6YU0gmfAl/Z0kQxfz1
MD5:14E66218C57321C6BFEDA152C9D370AB
SHA1:948741B6B1812131E0B312FF2A4A7921581221BD
SHA-256:74835B125CEF51061A587416BC584CC4DCE7C84E67EAF955FC9219C4C32A8DC8
SHA-512:1B2C4A535A9286EC161B52582AE2CB799E0E0FB6D4E6ECD1C14A497BC59B59D8E3EB4842E3431D6090A38475225E39CD779B07739C3765879E3EA676B75544A5
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.3.6.<./.P.i.
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8752
Entropy (8bit):3.7018037932910786
Encrypted:false
SSDEEP:192:R6l7wVeJTu0csk6Ya8bvgmfAl/ZsNAprw89bQ7rfPkwm:R6lXJa0csk6YxDgmfAl/Z04QHfPi
MD5:A0716452368B39764FCB56AE7FFC4990
SHA1:C8209DFEC4BFD6D6381C0A098583D36509DB501C
SHA-256:E4B8A08355645B4B175322DD9C5424E7508761B0A047E474DFB330F3E1DA2017
SHA-512:1F7DA624C08DD205B6F27A1342E10D9EC40BC6FE93B809342590CB4DBCB169F6BF62C8B92DC6BE634E76CE5B0D0706BABB67162D0A33D3D89080E0EE6B40FF38
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.2.0.<./.P.i.
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4744
Entropy (8bit):4.468349348226591
Encrypted:false
SSDEEP:48:cvIwWl8zsuJg771I9s/1WpW8VYTYm8M4JCNCFEMFeyq85mmS6jptSTSMd:uIjfkI7JE7V3J6XcHjpoOMd
MD5:9027C53803251DDB0AF4A0584C8AE1C8
SHA1:CB7F5D040D5DA760D3186BFE061C11F1A712D795
SHA-256:1DC4D72A22D5DE6CDB791CED0B745A22B2B27EB456F8C7D05EB0DECEC4EE00DB
SHA-512:3E7A1B1A004DC6E743AA2A164404C535B72ADE2DF9B730366EB5DE389F70278F3E324303D3247CC1D7C2D7D57FED5E3E7DC384B3ED70B76BF4FD89F3C8D53A63
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="341837" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4744
Entropy (8bit):4.471651421582905
Encrypted:false
SSDEEP:48:cvIwWl8zsuJg771I9s/1WpW8VYlGYm8M4JCNCFEMFYyq85mmS3ptSTSxd:uIjfkI7JE7V0vJ6xcgpoOxd
MD5:8028B1FD246AE02220D2D03F647BAF12
SHA1:60AFC8D30BD3783E1230DAB37A56693EBEA385BD
SHA-256:807A734C1C6B88994EB7C20421BDCD15DB8E5A07DDD2C53800FD852EEEC22960
SHA-512:2DCED4DD31FA28C86E2DAE1386EC162170BB70BBC06410664B0B5B43DF45051C48F2D01927B86ED50F5FF17AC635E1834C42D4B926BC0FEE750BA32E47F63ADB
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="341837" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\System32\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Mon May 27 18:14:34 2024, 0x1205a4 type
Category:dropped
Size (bytes):56342
Entropy (8bit):1.6491223788437936
Encrypted:false
SSDEEP:96:5M8558wReYOaUmTtsEGRirSzoi7Mevxa4di+5QJ2Jbql5anMJ26LxfizrWIvnIuO:V5MK1vOMepGNJ2wl5anMwQfizVGzGc
MD5:13B799C136F8CEB1DA4E07FC15E069FF
SHA1:28B731F11ED9D92DBD8CE310F5E20688115F4647
SHA-256:2ED2F8AF112F98273B404625F7FEAA560B6A098BF7AF10187960F4E9E51D4098
SHA-512:30E41209229C26640A3520362826AC5142C42278C5B672C95CF624FAB21F0353982DF747CE8BD958FE56AD42520CFEAEBD6D78BB8C505DD7CC6FD6C4AF849A8E
Malicious:false
Preview:MDMP..a..... .........Tf........................L...............$)..........T.......8...........T...........0...........................................................................................................eJ......l.......Lw......................T.............Tf.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8500
Entropy (8bit):3.6960542190562893
Encrypted:false
SSDEEP:192:R6l7wVeJID0vs66YaWbvgmfAlHZ0uprl89b9MifgM/m:R6lXJs0vs66YTDgmfAlHZ0h9hfk
MD5:DC2FE57134D7F0F64F0B35A1E7A7AB16
SHA1:50B6C4D73006DDA44772C56F4BAD072730129BEC
SHA-256:FC97EFDAA837444C83FEE8EB0059D2599276C547D01FD4FC063F6BBC6B2A605C
SHA-512:EB22A46D8FB7CA62C52CF0A181546AB7FCDC6D86B68375034130397BD132A206AE11FAEC039C9842B73E7B8FEA504B906C9FEB8D0D0252E9D6C53E6B07B55AE7
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.9.6.<./.P.i.
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4743
Entropy (8bit):4.467272430678759
Encrypted:false
SSDEEP:48:cvIwWl8zsuJg771I9s/1WpW8VYGYm8M4JCNCFEOF1Iyq85mmSzptSTSid:uIjfkI7JE7V6J6MIcspoOid
MD5:107EFBD464B0B6DC3846514488DFD8FE
SHA1:297E2F2C23D6257A29820BD8568594D6279B48DA
SHA-256:510E323AE6DD151E78A26DBEA565B4329B46BE1AF4071B4463CCF8FB6947F5C1
SHA-512:AE719C137AE52A8CB494C117B5C1E366D92A0DBBD7135ED3E83BC38E5B11011B095BB3E41B82BDBDEFA3E9842BCCA5E26DB249644BD23B93BCBB6E0BF1FA63E9
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="341837" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\System32\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.466388724686657
Encrypted:false
SSDEEP:6144:nIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNcdwBCswSb9:IXD94zWlLZMM6YFHa+9
MD5:404C4034CDE1B40DE38EE9D7C272C2A6
SHA1:D7E396A76FF94AA98C87276AB58BBF63C6C95797
SHA-256:F10BF68C30058123975076BEBBBFAA8193A9CFC6CE2A3B66D277B0DC7394C2D0
SHA-512:DC35FC5ACC0AF7E33DB04CFBC29F88D87D5A16B03FE8A428B6A1FA8D5554A9D3269299EAF483C55D0C6971231358EA178752638FC7C8F14D176317A95825116A
Malicious:false
Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm6.Y.a................................................................................................................................................................................................................................................................................................................................................O.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):6.3573713896888275
TrID:
  • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
  • Win64 Executable (generic) (12005/4) 10.17%
  • Generic Win/DOS Executable (2004/3) 1.70%
  • DOS Executable Generic (2002/1) 1.70%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:pcre2-16.dll
File size:499'712 bytes
MD5:36185746a613bdc3e52906e4c053ab89
SHA1:fa0ee487b8b311d26b51cca2c83eb12441a0d4d5
SHA256:b1adadb919f6fb08fa87b4a7bae069ead20f48f3e5779d9b3b4f2e4e1ba0f189
SHA512:bb3bd51659d9478da7cfc55782bcdbaa63a770840bb6c6be35105ea28e22b6958e42c6234484980813e48616ad688a4b7326bf0d77edead7803cdc265258b35e
SSDEEP:6144:4XawSIibtGG5CPMZZIYyNZCdReBdBQgqmJORhMdX67:4XDcKPoyYyNZaQRQgqmJahmo
TLSH:23B41A03A1D3D1FACDA7C1309A56D992FE7AB01523284DDB25A0C654FED3970092BB7E
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........{.....................................................................................................Rich...................
Icon Hash:7ae282899bbab082
Entrypoint:0x18005436c
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x180000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x657ABD9F [Thu Dec 14 08:32:31 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:c841c4cc7c50f72e988d521454b95991
Instruction (entrypoint disassembly)
Note: the sandbox decodes this x86-64 code in 32-bit mode, so every "dec eax", "dec ecx" and "dec esp" in the listing is really a REX prefix byte (0x48, 0x49, 0x4C) that belongs to the 64-bit instruction after it, and the run "mov ebx, 2DDFA232h / cdq / sub eax, dword ptr [eax] / add byte ptr [eax+3Bh], cl / ret" is one instruction, "mov rbx, 2B992DDFA232h" (the default MSVC /GS security-cookie value), followed by "cmp rax, rbx". Read as x64, the first block is the CRT's DllMain wrapper (it compares the reason argument with DLL_PROCESS_ATTACH, calls the cookie initialiser and tail-jumps to the real dispatcher) and the second block matches the CRT's __security_init_cookie, which mixes GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId and QueryPerformanceCounter; all four appear in the KERNEL32 import list below. Nothing in this listing is sample-specific code.
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007FBF7DAF1F57h
call 00007FBF7DAF1F74h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007FBF7DAF1DE4h
int3
int3
int3
dec eax
mov dword ptr [esp+18h], ebx
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
dec eax
mov eax, dword ptr [00024EC0h]
dec eax
mov ebx, 2DDFA232h
cdq
sub eax, dword ptr [eax]
add byte ptr [eax+3Bh], cl
ret
jne 00007FBF7DAF1FC6h
dec eax
and dword ptr [ebp+10h], 00000000h
dec eax
lea ecx, dword ptr [ebp+10h]
call dword ptr [00000C72h]
dec eax
mov eax, dword ptr [ebp+10h]
dec eax
mov dword ptr [ebp-10h], eax
call dword ptr [00000C6Ch]
mov eax, eax
dec eax
xor dword ptr [ebp-10h], eax
call dword ptr [00000C68h]
mov eax, eax
dec eax
lea ecx, dword ptr [ebp+18h]
dec eax
xor dword ptr [ebp-10h], eax
call dword ptr [00000C60h]
mov eax, dword ptr [ebp+18h]
dec eax
lea ecx, dword ptr [ebp-10h]
dec eax
shl eax, 20h
dec eax
xor eax, dword ptr [ebp+18h]
dec eax
xor eax, dword ptr [ebp-10h]
dec eax
xor eax, ecx
dec eax
mov ecx, FFFFFFFFh
Programming Language:
  • [IMP] VS2008 SP1 build 30729
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x77b60          0xae0         .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x78640          0x78          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x7c000          0x1e0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x7a000          0x162c        .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x7d000          0x88          .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x75a50          0x54          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x75910          0x140         .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x55000          0x1c8         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections

Name:.text
Virtual Address:0x1000
Virtual Size:0x53ca8
Raw Size:0x53e00
MD5:8a0d48659f0bdbd8c2e9c40de25cc78b
Xored PE:False
ZLIB Complexity:0.4704964605067064
File Type:zlib compressed data
Entropy:6.3426238815631475
Characteristics:IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Name:.rdata
Virtual Address:0x55000
Virtual Size:0x23c82
Raw Size:0x23e00
MD5:7feb8789fcf895a6bb73b874f1cdf05f
Xored PE:False
ZLIB Complexity:0.19467280052264807
File Type:data
Entropy:5.537335828517521
Characteristics:IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name:.data
Virtual Address:0x79000
Virtual Size:0x988
Raw Size:0x400
MD5:07824aabf5584761e622ac6f3740b743
Xored PE:False
ZLIB Complexity:0.28125
File Type:data
Entropy:1.9960757905032578
Characteristics:IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name:.pdata
Virtual Address:0x7a000
Virtual Size:0x162c
Raw Size:0x1800
MD5:c5a147b633af90be704668fde3536649
Xored PE:False
ZLIB Complexity:0.4680989583333333
File Type:data
Entropy:5.4194036167168145
Characteristics:IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name:.rsrc
Virtual Address:0x7c000
Virtual Size:0x1e0
Raw Size:0x200
MD5:a45c9f3af11d3a147c7d0d31ebf6c386
Xored PE:False
ZLIB Complexity:0.53125
File Type:data
Entropy:4.724728911998389
Characteristics:IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name:.reloc
Virtual Address:0x7d000
Virtual Size:0x88
Raw Size:0x200
MD5:324810a75e926d4a86afc3abb4a7f60a
Xored PE:False
ZLIB Complexity:0.26953125
File Type:data
Entropy:1.6700245515623973
Characteristics:IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources

Name:RT_MANIFEST
RVA:0x7c060
Size:0x17d
Type:XML 1.0 document, ASCII text, with CRLF line terminators
Language:English
Country:United States
ZLIB Complexity:0.5931758530183727
Imports (DLL:Import)

KERNEL32.dll:CloseHandle, ReleaseMutex, WaitForSingleObject, CreateMutexA, GetSystemInfo, VirtualAlloc, VirtualFree, IsDebuggerPresent, InitializeSListHead, DisableThreadLibraryCalls, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext
VCRUNTIME140.dll:memcpy, memmove, memset, strchr, __C_specific_handler, __std_type_info_destroy_list, memcmp
api-ms-win-crt-string-l1-1-0.dll:tolower, isspace, isupper, isalpha, iscntrl, ispunct, isprint, isalnum, isxdigit, isdigit, islower, isgraph, toupper
api-ms-win-crt-heap-l1-1-0.dll:free, malloc
api-ms-win-crt-runtime-l1-1-0.dll:_initialize_onexit_table, _execute_onexit_table, _cexit, _seh_filter_dll, _initterm_e, _initialize_narrow_environment, _initterm, _configure_narrow_argv
Exports

Name                                      Ordinal  Address
pcre2_callout_enumerate_16                      1  0x18004d710
pcre2_code_copy_16                              2  0x18000cde0
pcre2_code_copy_with_tables_16                  3  0x18000ce50
pcre2_code_free_16                              4  0x18000cf60
pcre2_compile_16                                5  0x18000cfc0
pcre2_compile_context_copy_16                   6  0x18000ed10
pcre2_compile_context_create_16                 7  0x18000ed60
pcre2_compile_context_free_16                   8  0x18000ee50
pcre2_config_16                                 9  0x18000eaa0
pcre2_convert_context_copy_16                  10  0x18000ee60
pcre2_convert_context_create_16                11  0x18000eea0
pcre2_convert_context_free_16                  12  0x18000ee50
pcre2_converted_pattern_free_16                13  0x1800109f0
pcre2_dfa_match_16                             14  0x180016aa0
pcre2_general_context_copy_16                  15  0x18000ef50
pcre2_general_context_create_16                16  0x18000ef90
pcre2_general_context_free_16                  17  0x18000ee50
pcre2_get_error_message_16                     18  0x180017980
pcre2_get_mark_16                              19  0x18004d390
pcre2_get_match_data_size_16                   20  0x18004d3a0
pcre2_get_ovector_count_16                     21  0x18004d3b0
pcre2_get_ovector_pointer_16                   22  0x18004d3c0
pcre2_get_startchar_16                         23  0x18004d3d0
pcre2_jit_compile_16                           24  0x18003afa0
pcre2_jit_free_unused_memory_16                25  0x18003b100
pcre2_jit_match_16                             26  0x18003b1e0
pcre2_jit_stack_assign_16                      27  0x18003b3c0
pcre2_jit_stack_create_16                      28  0x18003b3d0
pcre2_jit_stack_free_16                        29  0x18003b570
pcre2_maketables_16                            30  0x180040710
pcre2_maketables_free_16                       31  0x1800409f0
pcre2_match_16                                 32  0x18004bf20
pcre2_match_context_copy_16                    33  0x18000f010
pcre2_match_context_create_16                  34  0x18000f070
pcre2_match_context_free_16                    35  0x18000ee50
pcre2_match_data_create_16                     36  0x18004d3e0
pcre2_match_data_create_from_pattern_16        37  0x18004d430
pcre2_match_data_free_16                       38  0x18004d4a0
pcre2_pattern_convert_16                       39  0x180010a10
pcre2_pattern_info_16                          40  0x18004da10
pcre2_serialize_decode_16                      41  0x18004e230
pcre2_serialize_encode_16                      42  0x18004e490
pcre2_serialize_free_16                        43  0x1800109f0
pcre2_serialize_get_number_of_codes_16         44  0x18004e6d0
pcre2_set_bsr_16                               45  0x18000f170
pcre2_set_callout_16                           46  0x18000f190
pcre2_set_character_tables_16                  47  0x18000f1a0
pcre2_set_compile_extra_options_16             48  0x18000f1b0
pcre2_set_compile_recursion_guard_16           49  0x18000f1c0
pcre2_set_depth_limit_16                       50  0x18000f1d0
pcre2_set_glob_escape_16                       51  0x18000f1e0
pcre2_set_glob_separator_16                    52  0x18000f230
pcre2_set_heap_limit_16                        53  0x18000f250
pcre2_set_match_limit_16                       54  0x18000f260
pcre2_set_max_pattern_length_16                55  0x18000f270
pcre2_set_newline_16                           56  0x18000f280
pcre2_set_offset_limit_16                      57  0x18000f2d0
pcre2_set_parens_nest_limit_16                 58  0x18000f2e0
pcre2_set_recursion_limit_16                   59  0x18000f1d0
pcre2_set_recursion_memory_management_16       60  0x18000f2f0
pcre2_set_substitute_callout_16                61  0x18000f300
pcre2_substitute_16                            62  0x180051870
pcre2_substring_copy_byname_16                 63  0x180052d50
pcre2_substring_copy_bynumber_16               64  0x180052e30
pcre2_substring_free_16                        65  0x1800109f0
pcre2_substring_get_byname_16                  66  0x180052f80
pcre2_substring_get_bynumber_16                67  0x180053060
pcre2_substring_length_byname_16               68  0x1800531d0
pcre2_substring_length_bynumber_16             69  0x180053280
pcre2_substring_list_free_16                   70  0x1800109f0
pcre2_substring_list_get_16                    71  0x180053340
pcre2_substring_nametable_scan_16              72  0x1800534a0
pcre2_substring_number_from_name_16            73  0x180053610
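The export and section data above are enough for a static sanity check a triager would run before reading anything into the rundll32 results: does every export address land in an executable section, and which exports share one address? On this page the four *_context_free_16 exports resolve to 0x18000ee50, the four *_free_16 exports to 0x1800109f0, and pcre2_set_recursion_limit_16 shares 0x18000f1d0 with pcre2_set_depth_limit_16; that pattern is what identical-code folding by the linker, or a deliberate alias, looks like, and it is benign. An export that pointed into .data, or outside every section, would not be. (The WerFault entries in the process list further down are consistent with the sandbox invoking each export through rundll32, which hands the function an HWND, HINSTANCE, command-line string and show flag where PCRE2 expects its own context and code pointers; such crashes say nothing about the library's intent.) The Python below is an added example and is not part of the report or of PCRE2: its image base, section table and export rows are transcribed from this page (a subset of the 73 exports), and the rows prefixed "fake_" are constructed to show the failure case.

```python
"""Cross-check a DLL's export table against its section map.

Added example, not part of the Joe Sandbox report: IMAGE_BASE, SECTIONS and
EXPORTS are transcribed from the static PE data on this page (EXPORTS is a
subset of the 73 rows). The "fake_" rows used at the bottom are constructed.
"""
from collections import defaultdict

IMAGE_BASE = 0x180000000  # "Imagebase" field of the report

# (name, virtual address, virtual size, characteristics) from the section table
SECTIONS = [
    (".text",  0x1000,  0x53ca8, {"IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ"}),
    (".rdata", 0x55000, 0x23c82, {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}),
    (".data",  0x79000, 0x988,   {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE"}),
    (".pdata", 0x7a000, 0x162c,  {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}),
    (".rsrc",  0x7c000, 0x1e0,   {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}),
    (".reloc", 0x7d000, 0x88,    {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_DISCARDABLE", "IMAGE_SCN_MEM_READ"}),
]

# (name, ordinal, address): a subset of the export rows in the report
EXPORTS = [
    ("pcre2_callout_enumerate_16",           1, 0x18004d710),
    ("pcre2_code_copy_16",                   2, 0x18000cde0),
    ("pcre2_compile_16",                     5, 0x18000cfc0),
    ("pcre2_compile_context_free_16",        8, 0x18000ee50),
    ("pcre2_convert_context_free_16",       12, 0x18000ee50),
    ("pcre2_general_context_free_16",       17, 0x18000ee50),
    ("pcre2_jit_compile_16",                24, 0x18003afa0),
    ("pcre2_match_16",                      32, 0x18004bf20),
    ("pcre2_match_context_free_16",         35, 0x18000ee50),
    ("pcre2_set_depth_limit_16",            50, 0x18000f1d0),
    ("pcre2_set_recursion_limit_16",        59, 0x18000f1d0),
    ("pcre2_substring_number_from_name_16", 73, 0x180053610),
]


def section_for(address, sections=SECTIONS, image_base=IMAGE_BASE):
    """Return (section name, characteristics) for a virtual address, or None
    when the address lies outside every section."""
    rva = address - image_base
    for name, va, vsize, chars in sections:
        if va <= rva < va + vsize:
            return name, chars
    return None


def classify_exports(exports, sections=SECTIONS, image_base=IMAGE_BASE):
    """Map export name -> (section or None, is_executable).

    None means the address is outside every section (a corrupted table).
    A non-executable section means the export is data, or a forwarder (its
    RVA then lies inside the export directory, here in .rdata), or cannot be
    called at all; either way it deserves a look before the export is trusted.
    """
    result = {}
    for name, _ordinal, address in exports:
        hit = section_for(address, sections, image_base)
        if hit is None:
            result[name] = (None, False)
        else:
            sec, chars = hit
            result[name] = (sec, "IMAGE_SCN_MEM_EXECUTE" in chars)
    return result


def non_code_exports(exports, sections=SECTIONS, image_base=IMAGE_BASE):
    """Names of exports that do not resolve into an executable section."""
    classified = classify_exports(exports, sections, image_base)
    return sorted(name for name, (_sec, is_exec) in classified.items() if not is_exec)


def folded_exports(exports):
    """Group names that share one address (identical-code folding by the
    linker, or deliberate aliases). Returns {address: [names]} for groups > 1."""
    by_addr = defaultdict(list)
    for name, _ordinal, address in exports:
        by_addr[address].append(name)
    return {addr: sorted(names) for addr, names in by_addr.items() if len(names) > 1}


if __name__ == "__main__":
    print("exports outside code:", non_code_exports(EXPORTS))
    for addr, names in sorted(folded_exports(EXPORTS).items()):
        print(f"{addr:#x}: {', '.join(names)}")
    # Constructed bad rows: one pointing into .data, one outside every section.
    fake = [("fake_data_export", 90, 0x180079100), ("fake_dangling", 91, 0x1800fffff)]
    print("constructed bad rows flagged:", non_code_exports(fake))
```

Run as written, the script reports no exports outside code for this sample and two folded groups, and flags both constructed rows. The same check against a real file needs the section table and exports read from the binary (for example with the pefile package) instead of transcribed constants.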
Language of compilation system:English
Country where language is spoken:United States
No network behavior found


Target ID:0
Start time:14:14:30
Start date:27/05/2024
Path:C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):false
Commandline:loaddll64.exe "C:\Users\user\Desktop\pcre2-16.dll"
Imagebase:0x7ff6bd3d0000
File size:165'888 bytes
MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:1
Start time:14:14:30
Start date:27/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:2
Start time:14:14:30
Start date:27/05/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",#1
Imagebase:0x7ff7ba150000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:14:14:30
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_callout_enumerate_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:14:14:30
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",#1
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:14:14:31
Start date:27/05/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 7336 -s 332
Imagebase:0x7ff7309e0000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:14:14:31
Start date:27/05/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 7320 -s 332
Imagebase:0x7ff7309e0000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:14:14:33
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_code_copy_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:14:14:33
Start date:27/05/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 7596 -s 324
Imagebase:0x7ff7309e0000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:14:14:36
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_code_copy_with_tables_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:15
Start time:14:14:36
Start date:27/05/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 7756 -s 324
Imagebase:0x7ff7309e0000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:16
Start time:14:14:39
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_callout_enumerate_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:17
Start time:14:14:39
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_code_copy_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:18
Start time:14:14:39
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_code_copy_with_tables_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:14:14:39
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_number_from_name_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:14:14:39
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_nametable_scan_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:14:14:40
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_list_get_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:14:14:40
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_list_free_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:14:14:40
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_length_bynumber_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:14:14:40
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_length_byname_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:14:14:40
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_get_bynumber_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:14:14:40
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_get_byname_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:14:14:40
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_free_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:14:14:40
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_copy_bynumber_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:14:14:40
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_copy_byname_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:14:14:40
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substitute_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:14:14:40
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_substitute_callout_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:14:14:40
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_recursion_memory_management_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:14:14:40
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_recursion_limit_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:14:14:40
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_parens_nest_limit_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:14:14:40
Start date:27/05/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_offset_limit_16
Imagebase:0x7ff7ad270000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID: islower$isalnumisdigitisspacetolower$isalphaiscntrlisgraphisprintispunctisupperisxdigitmallocmemsettoupper
    • String ID:
    • API String ID: 1053182613-0
    • Opcode ID: 83ce712c8bf2edfe638d6d8c8f5d83d20de13c59a51e4679e389614c21fc7cbb
    • Instruction ID: 08e1c200289cea07ecf65b2fd3a604391cf251a3ca1aef9be76efe6f27fef5cf
    • Opcode Fuzzy Hash: 83ce712c8bf2edfe638d6d8c8f5d83d20de13c59a51e4679e389614c21fc7cbb
    • Instruction Fuzzy Hash: 4381EB61B087924BEB254F75A8A037DA691FB55B44F04A13DCB8B837E6DF2CE549C310
    Strings
    Similarity
    • API ID:
    • String ID: ($@$@$x$y$y$y$y$y$y$z$z$z$z$z$z$z${${${${${${
    • API String ID: 0-1136408024
    • Opcode ID: 9c9fa1fd6b6155bc3eb1a9f45a009ed90e6d75c9bffd33b194b168c138350a23
    • Instruction ID: db91f2a7a3b7eecc5f728549494b4733ceaa830e46f6cd1faa756a5eafcf0d2f
    • Opcode Fuzzy Hash: 9c9fa1fd6b6155bc3eb1a9f45a009ed90e6d75c9bffd33b194b168c138350a23
    • Instruction Fuzzy Hash: 51D2B132A0868286EB70DB91E14177E77A4FB95784F544635EB8D07BA8CF3DEA41CB40
    Strings
    Similarity
    • API ID:
    • String ID: MARK
    • API String ID: 0-1356931013
    • Opcode ID: eeabc1b2ae7d39323477f8a8351461325076f1c45fae257190a3ee41701800cd
    • Instruction ID: 91e1a8e5e1f9529d5b7e533d7734d36a64a72d3904ab1478ef8199b2278ceeac
    • Opcode Fuzzy Hash: eeabc1b2ae7d39323477f8a8351461325076f1c45fae257190a3ee41701800cd
    • Instruction Fuzzy Hash: A8E28E72A18A6286EB208F65E4402ED77A1FB447ACF944135EF4D57BACDF38E851CB00
    APIs
    Strings
    Similarity
    • API ID: memset
    • String ID: ($@$@${
    • API String ID: 2221118986-3422899031
    • Opcode ID: 63c0df0262cbbfe144d861a7c8eaf253bff2625080181ed1c136684a3f80a9be
    • Instruction ID: f13d7f01be0658d1a0ce3daa3e56a0f3a722d6bdb667c21fdf78e2aabcca60f6
    • Opcode Fuzzy Hash: 63c0df0262cbbfe144d861a7c8eaf253bff2625080181ed1c136684a3f80a9be
    • Instruction Fuzzy Hash: FA138B72A0878286EB74CFA1E4513A937A1FF95BA8F104635DB6D07BE8DF38E5418740
    APIs
    Similarity
    • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
    • String ID:
    • API String ID: 313767242-0
    • Opcode ID: 4309554bc4b696511925be2cf520b00d17a8b14e29444498688d546f69b2ea88
    • Instruction ID: c56682bc772c71bfa464cba14af8229bc491471746d30c56a1be80f07b601c9f
    • Opcode Fuzzy Hash: 4309554bc4b696511925be2cf520b00d17a8b14e29444498688d546f69b2ea88
    • Instruction Fuzzy Hash: D9312C76609B818AEB748F60E8543ED7364FB84758F44443ADB4E47BA9EF38D548CB10
    APIs
    Strings
    Similarity
    • API ID: memset
    • String ID: ERCP$ERCP$y
    • API String ID: 2221118986-3638064534
    • Opcode ID: 748d3744ba3b5b3886c56a16683e2b659091f7e9e37b2693df24cf32dafa259b
    • Instruction ID: c79687ffdb0d3a20a524ee02bca8fd486a29a86139a4b69cd3898604018ca8b0
    • Opcode Fuzzy Hash: 748d3744ba3b5b3886c56a16683e2b659091f7e9e37b2693df24cf32dafa259b
    • Instruction Fuzzy Hash: 3292AC32A08B928AEB648F6AD4446BD37B5FB48749F504136DF4D67BA8EF38E540C704
    APIs
    Similarity
    • API ID: memcpy
    • String ID:
    • API String ID: 3510742995-0
    • Opcode ID: f019e962fe32e3a430ddc7c151078abf3d803b5235f653eb24e133278a813fac
    • Instruction ID: ac09ee2c05fff5274fb9d59d6eeabe6f2ec5be307ac31dbd90ba92ce6334e088
    • Opcode Fuzzy Hash: f019e962fe32e3a430ddc7c151078abf3d803b5235f653eb24e133278a813fac
    • Instruction Fuzzy Hash: E4339D72A08B518AE760CF69D4406BD3BB5FB44799F218135DB4D67BA8DF38E980CB04
    APIs
    Similarity
    • API ID: memcmp
    • String ID:
    • API String ID: 1475443563-0
    • Opcode ID: 77d3dec9597a87d558bf86ca708bc27886ed4c45e64fa7f4eeddff6afecf06cc
    • Instruction ID: 0589162a3197b57a849e766dcba6d7470439dca57c91675dff1e74bc0c4b338b
    • Opcode Fuzzy Hash: 77d3dec9597a87d558bf86ca708bc27886ed4c45e64fa7f4eeddff6afecf06cc
    • Instruction Fuzzy Hash: 21229072A08A9689EB748B15D158BBE73A9FB44BC4F455132DB8D03BA8DF7CE481C704
    Strings
    Similarity
    • API ID:
    • String ID: $ $VUUU$VUUU$VUUU$VUUU
    • API String ID: 0-2813730985
    • Opcode ID: 279a27db9e564d7b936ffbdaa2ac887cfa2341978f6022d98f286d605e95f88c
    • Instruction ID: 710848f2328da20f2b61ee4bd1270816ea60d4d822851211ac357e943cf7e517
    • Opcode Fuzzy Hash: 279a27db9e564d7b936ffbdaa2ac887cfa2341978f6022d98f286d605e95f88c
    • Instruction Fuzzy Hash: 94F1E532A0869586E730CF69E4807AD7BA2FB89798F544235DB4D97BACDF39D441CB00
    APIs
    Similarity
    • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
    • String ID:
    • API String ID: 2933794660-0
    • Opcode ID: 9c1e6e2c17b285965f2e321e05ef800007d3d16ade7b26cc0baeb5ccbded6520
    • Instruction ID: 4c46830eaee07ac752318b40ef5a38ae2ea40ab6dc3a55bf1d45f444db538ee8
    • Opcode Fuzzy Hash: 9c1e6e2c17b285965f2e321e05ef800007d3d16ade7b26cc0baeb5ccbded6520
    • Instruction Fuzzy Hash: 16111826B54F068AEB50CF60E8542B833A4FB59768F440E31DB6D477A8EF78D1588380
    Strings
    Similarity
    • API ID:
    • String ID: @$@$T$X
    • API String ID: 0-3440653067
    • Opcode ID: ff6fdba7c53ad06b32cc1a06e8442fb3c83abb38384ebc2ccb76f8dbfd9f304d
    • Instruction ID: b18e769a22976a3877618c3fd21d122339ed3d3411f294cf9da613588c3ad612
    • Opcode Fuzzy Hash: ff6fdba7c53ad06b32cc1a06e8442fb3c83abb38384ebc2ccb76f8dbfd9f304d
    • Instruction Fuzzy Hash: 74C16A3261828287E770CF11F551B9ABBA4FB94798F444236EB8907BA9CF7DE544CB40
    Strings
    Similarity
    • API ID:
    • String ID: )$@$@
    • API String ID: 0-3524112375
    • Opcode ID: b91b7e28845d46ff5b723fd6bc0bac49373882b0776b2abafd7505e9da4f8bcc
    • Instruction ID: d5b911a1baf823af2e8517cc9ffd8d7fed0e56bcb88c3c548fa83dfbe702705c
    • Opcode Fuzzy Hash: b91b7e28845d46ff5b723fd6bc0bac49373882b0776b2abafd7505e9da4f8bcc
    • Instruction Fuzzy Hash: 65D2BD3260868286EB74CF90E1517BE77A0FB95798F504635EB9D07BA9CF3DE6408B40
    APIs
    Strings
    Similarity
    • API ID: memset
    • String ID: @$@
    • API String ID: 2221118986-149943524
    • Opcode ID: 660527e56ae709fcf7f57da899178824502324a8fb2ee424e60001aa91bc358d
    • Instruction ID: 8de162327eeb9d106bd85ebd6c27b98531d75842eebd0027fb81b5070130fb69
    • Opcode Fuzzy Hash: 660527e56ae709fcf7f57da899178824502324a8fb2ee424e60001aa91bc358d
    • Instruction Fuzzy Hash: 3832BD3260869286EB708F51E0547AE77A4FF96B94F044235EB8D07BA9DF3DE645CB00
    Strings
    Similarity
    • API ID:
    • String ID: )$@$@
    • API String ID: 0-3524112375
    • Opcode ID: 210786823b0dd1ca6e38d47e4cfbd19937234b90e47e88baaef5014f3da80803
    • Instruction ID: e1f7fc66f681a8d38ce0c6c763e48a9a4cd0ae28bb8e89b621c3e00126f92d17
    • Opcode Fuzzy Hash: 210786823b0dd1ca6e38d47e4cfbd19937234b90e47e88baaef5014f3da80803
    • Instruction Fuzzy Hash: DA82B03260868186EB70CF51E0917BE7BA4FB95B84F504635EB8907BA9DF3DD641CB40
    Strings
    Similarity
    • API ID:
    • String ID: '$@$@
    • API String ID: 0-1832718742
    • Opcode ID: 12e710accc89cf8933a05e924d4d5b2841feaaae7695e7f3f5d627c37577d36e
    • Instruction ID: e5d96819e3e7830d4d4f608b34e808e0fd0aaa727f1543b9a216b821c64b559f
    • Opcode Fuzzy Hash: 12e710accc89cf8933a05e924d4d5b2841feaaae7695e7f3f5d627c37577d36e
    • Instruction Fuzzy Hash: BE829A3260874286EB74CF51E4557AA36A1FB89B98F100635EF9D07BA9DF3DE640CB40
    Strings
    Similarity
    • API ID:
    • String ID: @$@$c
    • API String ID: 0-3829975993
    • Opcode ID: d0a3862180b8a7ca22162ea9c75a041917f95b37861c06f9d7bec479001cb3e5
    • Instruction ID: b2c32d686f1c61c36beb89a6e1766b67cab8ff8f1e619e9ae1fad2575b0be556
    • Opcode Fuzzy Hash: d0a3862180b8a7ca22162ea9c75a041917f95b37861c06f9d7bec479001cb3e5
    • Instruction Fuzzy Hash: AC52BB32A0878286E770DF11E411BAA37A1FB89798F544634EB8D07BA9DF3DE544CB40
    Strings
    Similarity
    • API ID:
    • String ID: @$@$H
    • API String ID: 0-1223963385
    • Opcode ID: c007b5f123186d8c1d8e27a6cdb3eddd28009853565be648641ffae55c2a8589
    • Instruction ID: 03cb0c4a7f92c86b418f65760f2c6abf2e89d56222428e6243eada47a392c9b5
    • Opcode Fuzzy Hash: c007b5f123186d8c1d8e27a6cdb3eddd28009853565be648641ffae55c2a8589
    • Instruction Fuzzy Hash: E1629F3260878286EB74CF51E451BAA76A0FB957A8F440635EB9D07BE9CF3CE510CB44
    Strings
    Similarity
    • API ID:
    • String ID: @$@$_
    • API String ID: 0-3408377662
    • Opcode ID: 097a6b4ff35a91ce687de394daba5f8b802988fe789c4e8c0c69466f9c686078
    • Instruction ID: dfe1f72a86c3b60be09b7f6b2fe5404dd8383a8a5293c510e684b3ba0375cdcb
    • Opcode Fuzzy Hash: 097a6b4ff35a91ce687de394daba5f8b802988fe789c4e8c0c69466f9c686078
    • Instruction Fuzzy Hash: 06429F3260828286E7B4CF51E511BAE77A0FB85798F544235EB9D07BA9CF7DD604CB40
    Strings
    Similarity
    • API ID:
    • String ID: @$@$@
    • API String ID: 0-1177533131
    • Opcode ID: bc20ca175d75d85e474d30c6e371bbeec987ed723fbd952a96801e9adb76dcdf
    • Instruction ID: 4d5d5cc28eb890db17d81f5f70781df3ce0d4ab3fd66dc4dd9a631038bbab5dd
    • Opcode Fuzzy Hash: bc20ca175d75d85e474d30c6e371bbeec987ed723fbd952a96801e9adb76dcdf
    • Instruction Fuzzy Hash: 08F19B32608B81C2EB74CB01E4517AA73A2FB85B94F548635DFAD07BA9EF3DD5448740
    Strings
    Similarity
    • API ID:
    • String ID: @$@$@
    • API String ID: 0-1177533131
    • Opcode ID: e7b02428895e7050a34dade3500a74704471e1075fc58d90dfb172ce23a7ca75
    • Instruction ID: 631cf19d647fd6699d792f74ba46c84b9f89ffa73399fe8e81a5492080861124
    • Opcode Fuzzy Hash: e7b02428895e7050a34dade3500a74704471e1075fc58d90dfb172ce23a7ca75
    • Instruction Fuzzy Hash: E6E18832608B81C6EB708F11E4417AA77A1FB89B98F548635DB9D07BA8EF7DD444CB40
    Strings
    Similarity
    • API ID:
    • String ID: @$@$@
    • API String ID: 0-1177533131
    • Opcode ID: 695206c0a3da1703da5a8be3da93acfdf8147e0ce5f09397063154069881aa58
    • Instruction ID: 3d87ac5609f319b33d835f9902d81df686927f01e236b87fa0750ed6f451c1e7
    • Opcode Fuzzy Hash: 695206c0a3da1703da5a8be3da93acfdf8147e0ce5f09397063154069881aa58
    • Instruction Fuzzy Hash: 0FE17B32608B81C2EB748F01E4517AA77A1FB85B98F548635DBAD07BA9EF3CD444CB40
    Strings
    Similarity
    • API ID:
    • String ID: $@$@
    • API String ID: 0-3743272326
    • Opcode ID: 685402b92af7b4770fee53494314010b9d3df4b0745040be6dca401a022181f5
    • Instruction ID: 38460ee5f1ffb1ded3c8dbb68eb832d3a59238213f31c83dab37b42c7bb56600
    • Opcode Fuzzy Hash: 685402b92af7b4770fee53494314010b9d3df4b0745040be6dca401a022181f5
    • Instruction Fuzzy Hash: EE91C032A086928BE7708F61E5007BAB6A0FF96784F554134DB8D43BA9EF3CE541CB01
    Strings
    Similarity
    • API ID:
    • String ID: ($@$@
    • API String ID: 0-4016932423
    • Opcode ID: 9a91344f8892d02d3a2d3df8ddcca92dada2c8d86b678025d142599691bf91bb
    • Instruction ID: 3789f7e0e44a919940a21f922a9b30a62c77b598b4c2ef3a6095d0413a625b55
    • Opcode Fuzzy Hash: 9a91344f8892d02d3a2d3df8ddcca92dada2c8d86b678025d142599691bf91bb
    • Instruction Fuzzy Hash: 4DA19A3260838286E770DF51E512BA977A1FB94798F484234EB9D07BA9CF7CE544CB44
    Strings
    Similarity
    • API ID:
    • String ID: @$@$|
    • API String ID: 0-1765852748
    • Opcode ID: e9a2fe68199ad9d18873c8cc2f224dc0b4b7e0103c641864fc91c7d85266c1d5
    • Instruction ID: b597b5fa647bf61a48876fdd7ddf74cfb36125f0929fa5d69de3deda69bf178c
    • Opcode Fuzzy Hash: e9a2fe68199ad9d18873c8cc2f224dc0b4b7e0103c641864fc91c7d85266c1d5
    • Instruction Fuzzy Hash: 6751AC72A0924186F7718B50F511BAE76A2FB80B98F104235DF8907FADCF7DDA468B00
    Strings
    Similarity
    • API ID:
    • String ID: @$@$@
    • API String ID: 0-1177533131
    • Opcode ID: 13f70c3cedc67e596f2fc45b6b40fe4102afacc5b5bd8a4d9a18f0192abc29a1
    • Instruction ID: 3b785f3ecfb98f09f1102a8174acf798c30c834060668a2bc61bcc0a345c4517
    • Opcode Fuzzy Hash: 13f70c3cedc67e596f2fc45b6b40fe4102afacc5b5bd8a4d9a18f0192abc29a1
    • Instruction Fuzzy Hash: A451AB7260938186F7708F11F511BAA76A2FB81B98F104235EB8D07FA8CF7DD9468B40
    Strings
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 4083000e2d9a5cba92ae5b0bb08d9e6dbd57f5f4ff38d4d4c614bd0fb94b314a
    • Instruction ID: e7f1ae085992e9e00fbe947d3ea816ec3d54e9dcb4efd5aa0c8d5c6d318a21ce
    • Opcode Fuzzy Hash: 4083000e2d9a5cba92ae5b0bb08d9e6dbd57f5f4ff38d4d4c614bd0fb94b314a
    • Instruction Fuzzy Hash: 0BC2CD72A0869286FB708F51E5117BA77A2FB84B88F044135EB8D07BA8DF7DE545CB01
    Strings
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 1f10710203e7ee326c2deaa2532c157302002cc9b2e5b64db5450b49b8bb5907
    • Instruction ID: 4edc85a34b597fa4412995ece1d1babb16cd008167bce1a81323e5b43e3319de
    • Opcode Fuzzy Hash: 1f10710203e7ee326c2deaa2532c157302002cc9b2e5b64db5450b49b8bb5907
    • Instruction Fuzzy Hash: 87C29C3260878182EB749F51E1907AEB7A1FB99B94F104235EB9D07BA9DF3DD641CB00
    Strings
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 496c7b27fa07165bdb65cf8a36a644ba64e3456f347cf564a13b3a6c718e6170
    • Instruction ID: 11e24cb61171f7d2ef2ba88a55da1499ae587ad9fbd513ea3891eebc35dc7eec
    • Opcode Fuzzy Hash: 496c7b27fa07165bdb65cf8a36a644ba64e3456f347cf564a13b3a6c718e6170
    • Instruction Fuzzy Hash: 26528F62E0C68686EB708BA995043BD63A1FB58784F144136DB4D47BACEF7CFA81C750
    Strings
    Similarity
    • API ID:
    • String ID: ERCP
    • API String ID: 0-1384759551
    • Opcode ID: ee6f18d4476f39f9a6718525af19c852fd04c3ef77bc8133d1966e1aed02175a
    • Instruction ID: 129f240dc02930060803fff7e8f6438438d89b725605f2583644b2a7d1e0e2b7
    • Opcode Fuzzy Hash: ee6f18d4476f39f9a6718525af19c852fd04c3ef77bc8133d1966e1aed02175a
    • Instruction Fuzzy Hash: 8B126C76A08B818AEB748F69A8043AE37A4FB45794F104235EF9D977A8DF38D951C700
    Strings
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: dc695eddafb06c00a8ad09ae619b1fd8c50b6472f09670a17a4ce5cdd0268738
    • Instruction ID: 2aad012935860c81f2c55d77ec4ee9af778a8b36fba1f79aff0de190bc3b7f92
    • Opcode Fuzzy Hash: dc695eddafb06c00a8ad09ae619b1fd8c50b6472f09670a17a4ce5cdd0268738
    • Instruction Fuzzy Hash: CB72BE3260878686EB70DF11E451BAA37A4FB89B98F444635EB9D07BA9DF3CD504CB40
    Strings
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 086642b5b916f711ed3c3d1df3da7eeb4799aae946a1ff661c88741b43fba61f
    • Instruction ID: ac5dd40cb31825890aa7cd3cfdff1a8f34a27b75bced1c1aaeaf86d2236b6805
    • Opcode Fuzzy Hash: 086642b5b916f711ed3c3d1df3da7eeb4799aae946a1ff661c88741b43fba61f
    • Instruction Fuzzy Hash: E5728D3260824286E774CF51E451B6E77A0FB89B88F544239EB8D47BA8DF7DE644CB40
    Strings
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 52c85f4ad9f0d7f78716c1d35ea532fb26d8fe4c7f74fe5351564be83a2581a8
    • Instruction ID: f0f551a16aa786ce24ea3d69df3459a2500ac5790a1a66f3596a1b1ba60007df
    • Opcode Fuzzy Hash: 52c85f4ad9f0d7f78716c1d35ea532fb26d8fe4c7f74fe5351564be83a2581a8
    • Instruction Fuzzy Hash: D272A872608B8182EB74CF01E4417AA77A1FB89B98F504635EF9D07BA9EF3DD5448B40
    APIs
    Similarity
    • API ID: AllocInfoSystemVirtualmalloc
    • String ID:
    • API String ID: 3732003558-0
    • Opcode ID: a1fa5b27d0da14d7fcbd32f9e631178abb5d75d37bcff9526382abdd3e1e3d05
    • Instruction ID: f72c296497f713596bfd0af425bc254276b88d3d17db361042392ebe109af872
    • Opcode Fuzzy Hash: a1fa5b27d0da14d7fcbd32f9e631178abb5d75d37bcff9526382abdd3e1e3d05
    • Instruction Fuzzy Hash: BF417972B09B0286EF289B26E44436963A2FF58F94F484534DB9D4B7A9EF3CE4508740
    Strings
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: cf0b615149abdc856c08fbaad6ddc9f843c33e21ef00d54f83193b2b9746d69f
    • Instruction ID: 179c7f3b5d090e6977fa195167ff16c63301e012023aa14180e5b3b46242c4be
    • Opcode Fuzzy Hash: cf0b615149abdc856c08fbaad6ddc9f843c33e21ef00d54f83193b2b9746d69f
    • Instruction Fuzzy Hash: 74328E3261878686EB70CF11E452BAA77A0FB89798F444635EB9D07BA9DF3CD105CB40
    Strings
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 7b06d0d37f0d4a8c877cc3af7f1f89140ae26f9bf819ed917eecf4a18ba1a348
    • Instruction ID: b60b2dd21c1955068e533abd091afebb987ed780f8f7e4ee3c916c258acae921
    • Opcode Fuzzy Hash: 7b06d0d37f0d4a8c877cc3af7f1f89140ae26f9bf819ed917eecf4a18ba1a348
    • Instruction Fuzzy Hash: B232AA3260878286EB74CF51E851BAA37A0FB95798F444635DF9907BA8DF3CE604CB40
    Strings
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: b016747b8ecf13043913d2a88751b8ac089a6dbc22bf03163ca9caa536ebf36e
    • Instruction ID: 28894453c2e1facc767232ec3848964fd24eddcb4db87e74c6ee05c35c382982
    • Opcode Fuzzy Hash: b016747b8ecf13043913d2a88751b8ac089a6dbc22bf03163ca9caa536ebf36e
    • Instruction Fuzzy Hash: 6B329D3260878286EB74CF51E451BAA37A0FB95798F444635EBAD07BA8CF3CE514CB40
    Strings
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: d0cf7668e7a49677289d99d6a0303a074f485a3f78852b6e9eadecf70307efd7
    • Instruction ID: f98b6a34c1edbd08e5621e4bb7b0c455735e22f68a153ebdc1e9913ba8043727
    • Opcode Fuzzy Hash: d0cf7668e7a49677289d99d6a0303a074f485a3f78852b6e9eadecf70307efd7
    • Instruction Fuzzy Hash: 8502CD3260878286E770CF61E841BAE77A4FB95798F045634DB8907BA9DF7CE505CB40
    Strings
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 535df526cc43aa9577aec55e32534824e475fcf7ba49cde1d7da0d71deb766c1
    • Instruction ID: 470ace6f37b4141ed5f2fdea02f6c961f7e2bc35ac334892e858d4f80163ff02
    • Opcode Fuzzy Hash: 535df526cc43aa9577aec55e32534824e475fcf7ba49cde1d7da0d71deb766c1
    • Instruction Fuzzy Hash: 4DF1B23260834286E774DF52F415BAA76A1FF95B94F144235EB9E07BA9CF3CE1008B44
    Strings
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: ef622310d2d134bee2903db48e879db4e07c47dcee406edf16e7cb8e1b5d3bd1
    • Instruction ID: 34923124d50d14aca755021c20b002fd007162dddd9ec288401a5edeeb7430f3
    • Opcode Fuzzy Hash: ef622310d2d134bee2903db48e879db4e07c47dcee406edf16e7cb8e1b5d3bd1
    • Instruction Fuzzy Hash: 13027B32A08B418AE760CF61E4407AE37A5FB98788F104539DB8D07BA8DF7DD565CB80
    Strings
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 43989bb8d40e45bd3d6d3be747cc6a9c637739fef1da32bc7291dc45ad1e3328
    • Instruction ID: 00432ff3987bff57fbf0253533b35e4909bd0ef95ae3cc70ea0a9b1d194d5d51
    • Opcode Fuzzy Hash: 43989bb8d40e45bd3d6d3be747cc6a9c637739fef1da32bc7291dc45ad1e3328
    • Instruction Fuzzy Hash: 0DE18932608B81C6EB748F01E4457AA73A1FB85B98F548635DB9D07BA8EF7DD444CB40
    Strings
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 00072b982ea804d0050e3070ec6456e11a20d680515e3b91069e4d2986020877
    • Instruction ID: c5ce7d9a22f31cc68375262c0b1673a17eb734eb410f6eebff15a2e9a7d4bbea
    • Opcode Fuzzy Hash: 00072b982ea804d0050e3070ec6456e11a20d680515e3b91069e4d2986020877
    • Instruction Fuzzy Hash: 78E17936608B81C2EB74CF01E4417AA73A1FB89B98F548635DB9D07BA9EF7CD5448B40
    Strings
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 34ad34448bfc7fd4a21a8e733847566bb7ae90c64377e9895c078b8691a0a194
    • Instruction ID: d271994e9ca563e686b4a456329e1486ab73bc9461e8633b2b42f677cbfe84bd
    • Opcode Fuzzy Hash: 34ad34448bfc7fd4a21a8e733847566bb7ae90c64377e9895c078b8691a0a194
    • Instruction Fuzzy Hash: ADD18A36608B81C2EB74CB05E4517AA73A2FB85B98F548635DF9D07BA8EF3DD4448B40
    Strings
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 2123d243684e4ef4fefa803c265cbff0b4628c4f6fadf17dacf4cff5b266e880
    • Instruction ID: 09bc9703c2aff691ab97dd26d3fff7a4ef06c5cf403a60137724dfd254e8c225
    • Opcode Fuzzy Hash: 2123d243684e4ef4fefa803c265cbff0b4628c4f6fadf17dacf4cff5b266e880
    • Instruction Fuzzy Hash: C3D18936608B81C2EB748B01E4417AA73A2FB85B98F548635DF9D07BA9EF7DD444CB40
    Strings
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 521b5ca19e494d2673b527e53e5008d08317581fe097bbb6f2ece3c01df148de
    • Instruction ID: 6bf3f448144b56eecfad6702ec8dbedac03a5c145f24312425c853a71ea8f8cf
    • Opcode Fuzzy Hash: 521b5ca19e494d2673b527e53e5008d08317581fe097bbb6f2ece3c01df148de
    • Instruction Fuzzy Hash: 20D18A36608B81C2EB74CB01E4417AA73A2FB85B98F548635DF9D07BA8EF3DD4448B40
    Strings
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: fd8394da4efa022ad70ebfe6cf4ebb90756d8a3fcf5190acb2c0106133af518a
    • Instruction ID: 80b125d0744d129d033a544b216126df8bf5ad53941e94bd0dc937161db9700b
    • Opcode Fuzzy Hash: fd8394da4efa022ad70ebfe6cf4ebb90756d8a3fcf5190acb2c0106133af518a
    • Instruction Fuzzy Hash: F6D18A36608B81C2EB74CB01E4417AA73A2FB85B98F548635DF9D07BA9EF3DD4448B40
    Strings
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: bae25887cafda70998fa7de05b78b7779f69c3d0c124c81e25b40f936ece9ed2
    • Instruction ID: 8c486530a2d357689ad9e0e33c9b8e147aff9deeaac45e9f901ab33f1699055f
    • Opcode Fuzzy Hash: bae25887cafda70998fa7de05b78b7779f69c3d0c124c81e25b40f936ece9ed2
    • Instruction Fuzzy Hash: DFD18A36608B81C2EB74CB01E4417AA73A2FB85B98F548635DF9D07BA8EF3DD4448B40
    Strings
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: a9b4a3c9a7a508130ae19db2e1103faec738dc7298f151b4d08a64fd1ddda954
    • Instruction ID: c745ba1dc49b59b68451ecfcd41a10efaee63a37b911474ef2a255cbd7c03170
    • Opcode Fuzzy Hash: a9b4a3c9a7a508130ae19db2e1103faec738dc7298f151b4d08a64fd1ddda954
    • Instruction Fuzzy Hash: D1D18A36608B81C2EB74CB01E4417AA73A2FB85B98F548635DF9D07BA8EF3DD4448B40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 8aca3c459e4cd4fa7e263c41f8e6058bd597b403058e69caad948514683aaa8e
    • Instruction ID: e8169ba3eafa9e3c4fc56656f828616358b398db09f6f39ec7fff45cc105aef1
    • Opcode Fuzzy Hash: 8aca3c459e4cd4fa7e263c41f8e6058bd597b403058e69caad948514683aaa8e
    • Instruction Fuzzy Hash: A4D18A36608B81C2EB74CB01E4417AA73A2FB85B98F548635DF9D07BA8EF3DD4448B40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 413fe9b5deacabe099ed7273e87fd469e1f032dfe5806a9c65c288f90f02ef79
    • Instruction ID: 3c2d105c9c5b9590c43b6a22d79feb384ca694dac32da76fa382f4384d104819
    • Opcode Fuzzy Hash: 413fe9b5deacabe099ed7273e87fd469e1f032dfe5806a9c65c288f90f02ef79
    • Instruction Fuzzy Hash: 04D18A36608B81C2EB74CB01E4417AA73A2FB85B98F548635DF9D07BA8EF3DD4448B40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 9d66e9edf963141716c99f7b7c956955f497eed4bfceffa68e7a062c63dcb07e
    • Instruction ID: 549474058c0f23242937fb406f971fdebd434c80ee0f38f9b280405a37b13715
    • Opcode Fuzzy Hash: 9d66e9edf963141716c99f7b7c956955f497eed4bfceffa68e7a062c63dcb07e
    • Instruction Fuzzy Hash: 59D18A36608B81C2EB748B01E4417AA73A2FB85B98F548635DF9D07BA8EF3DD4448B40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: c8bc3ab8c3c468731dc8e65940a02997da0567a75c46590dbe3277c41b08fceb
    • Instruction ID: 3b35af4f223ccf426e04960a2e23bd1d003722647a741399e4aa8c95212535f7
    • Opcode Fuzzy Hash: c8bc3ab8c3c468731dc8e65940a02997da0567a75c46590dbe3277c41b08fceb
    • Instruction Fuzzy Hash: 61C1BB3260874282EA748F51E4116AE32A0FB94BA8F544735DFAD0BBE9DF3DE640C741
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 6af3a92f2299482f4e863793964e2b4d7fc37cb50dfa518808cb90d8519300bf
    • Instruction ID: 09539a8a1806840f3ff08d58b06f808a8d91c52d6c346e86314e650b76ead798
    • Opcode Fuzzy Hash: 6af3a92f2299482f4e863793964e2b4d7fc37cb50dfa518808cb90d8519300bf
    • Instruction Fuzzy Hash: 4DC1D03260828286E770CF50E455BAE7BA0FF95798F444235EB9907BA9CF3CE544CB44
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 55d5296313e052a495c4af2c7e147c97307564541a2449ecabbe28f4244b0dc3
    • Instruction ID: a0d084bf479e53b014ea19076686aac22f989679103a8f0b79327633b5c0e9f5
    • Opcode Fuzzy Hash: 55d5296313e052a495c4af2c7e147c97307564541a2449ecabbe28f4244b0dc3
    • Instruction Fuzzy Hash: 47C1B83260878286EBB0CF51F441BAA77A0FB95798F544235EB9907BA9DF3CE544CB04
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: 0$@
    • API String ID: 0-1545510068
    • Opcode ID: a4716fa7dfd32b1a74946c8663ea4eaac6ef0c5e6abf4907a186ea401987d82e
    • Instruction ID: 646157cb4c51d8fb15cebf3eb5baa0b8298469a703e7385f82194f3ad2d26ee3
    • Opcode Fuzzy Hash: a4716fa7dfd32b1a74946c8663ea4eaac6ef0c5e6abf4907a186ea401987d82e
    • Instruction Fuzzy Hash: E5C17B7260834686E730DF11F405AAE77A4FB89B88F444235EB8907BA9DF3CE654CB44
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 4c8ac34b2200f3e55692f93bf69d9cf3a32c08d2a44d75d4b82efc84a0607b1e
    • Instruction ID: ef63cdc8038cc7a69f1e37f54166b2a0f8b5fbd245a9a1ede94974279c8f205e
    • Opcode Fuzzy Hash: 4c8ac34b2200f3e55692f93bf69d9cf3a32c08d2a44d75d4b82efc84a0607b1e
    • Instruction Fuzzy Hash: 1CA1AB3260874282EB74CB41E5517AA72A2FF94BA8F044735EB6907BE9CF3DE551C740
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 149277b7db968dcf1a4331854bb3e5ab6133d1683873de82c9c14bf6eb1db9f7
    • Instruction ID: 5f7095507e6d34a7ad2aa76701c95d1aac8e2e1eb178a98a94824c5639fa5f19
    • Opcode Fuzzy Hash: 149277b7db968dcf1a4331854bb3e5ab6133d1683873de82c9c14bf6eb1db9f7
    • Instruction Fuzzy Hash: 86A1CF3260874286EB74DF01E451BAA37A1FB85798F544A35DB9D0BBA8DF3DE504CB40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 8392e72da9446385c28b27da76e4747879c3f5812d29fa89955b4d5925f51c42
    • Instruction ID: 055a5c4594976cc048379c5bba296aa7f7fab3d349d10039349275679834e09f
    • Opcode Fuzzy Hash: 8392e72da9446385c28b27da76e4747879c3f5812d29fa89955b4d5925f51c42
    • Instruction Fuzzy Hash: 91A1BE3260874286EB74DF01E411BAA37A1FB85798F544A35EB9D0BBA8DF3DE544CB40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 835e1adbb2d106528817fc731d2cb9d1a1fdf8a106a96da5a2320f47830acae3
    • Instruction ID: 899fff0b5f0e57c71023edbd0a5307cce1ebbf3a35c056db2b37587072e20eaa
    • Opcode Fuzzy Hash: 835e1adbb2d106528817fc731d2cb9d1a1fdf8a106a96da5a2320f47830acae3
    • Instruction Fuzzy Hash: 9FA1CE3260874286EB74DF01E451BAA37A1FB85798F140A35EB9D0BBA8DF3DE504CB40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: a2697c4370920d1b2271655e40065ea57cd50b018392c4f8e68f64aaa40ae3b0
    • Instruction ID: 1f64165c90c867358a9f10eaf098101ff0b441a1cf968f3e612f83c26c1bd901
    • Opcode Fuzzy Hash: a2697c4370920d1b2271655e40065ea57cd50b018392c4f8e68f64aaa40ae3b0
    • Instruction Fuzzy Hash: E9A1CE3260874286EB74DF01E451BAA37A1FB85798F540A35EB9D0BBA8DF7DE504CB40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: b2c45fe6b8167c7792b698a0dc45c0f56cd07424b8f902460c4201f1035b5bab
    • Instruction ID: 070fdc3e45e07d5efeaa16ffe6efdf500406154dd114b3d390d9a8fee696d733
    • Opcode Fuzzy Hash: b2c45fe6b8167c7792b698a0dc45c0f56cd07424b8f902460c4201f1035b5bab
    • Instruction Fuzzy Hash: FEA19A7261828287E7B0CF51F541BAA7BA0FB95798F444634EB8907BA9CF7CE504CB44
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 04f53467a50cbdbe7f820a0756a64c1dc86c7b5f8d12b64990dfd33d80d2b0e9
    • Instruction ID: 5d5eea21d935fc4a48367c57d4298293500aac0edb1ebb97a55456a3ae0f62ee
    • Opcode Fuzzy Hash: 04f53467a50cbdbe7f820a0756a64c1dc86c7b5f8d12b64990dfd33d80d2b0e9
    • Instruction Fuzzy Hash: 7391C07360968187E774CF10E550BAA77A6FB84B98F508235DB8907BA8DF3DE951CB00
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: fe10d4ed4ae3f122ff1fc2864a84599733d47174749e12b1b53ec8c01697be20
    • Instruction ID: 79ed5aa13ac847ec957830e021fb9d79c96e4f46b5c7a2fbf08a90199e23e96f
    • Opcode Fuzzy Hash: fe10d4ed4ae3f122ff1fc2864a84599733d47174749e12b1b53ec8c01697be20
    • Instruction Fuzzy Hash: 55915A3260878186E770DF10E552B9A77A0FB847A8F444735EBA907BE9DF7CE5048B44
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: b3620e92556efc345febb927313b9b52f929657ce847d363cc878e74e791837c
    • Instruction ID: b1d0217fec45939d479d27e37e6dada7496ee0f2fe5762d162fc65eb5d6cd078
    • Opcode Fuzzy Hash: b3620e92556efc345febb927313b9b52f929657ce847d363cc878e74e791837c
    • Instruction Fuzzy Hash: F0819B32608682C6E7708F61E550B3E76A1FB94B88F048135EF8A477A9DF7CD951CB40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: e53546d34c8a9edc2c8e931334457b3fe88ba670bafc35e2d85c1da9c60da84a
    • Instruction ID: c7ace9f07e4aae91afef04494e679e7fa2118ad4131f99ea882aa05cc61a9e6f
    • Opcode Fuzzy Hash: e53546d34c8a9edc2c8e931334457b3fe88ba670bafc35e2d85c1da9c60da84a
    • Instruction Fuzzy Hash: B0819B7260868182F770DB50F515BAA76A5FB80BA8F104235DBA907FE8CF7DDA45CB04
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: bdbad10776c2dd7d5011ec56af0445890da23030e2e6bc75ceb806f93c9973d6
    • Instruction ID: a759c9c964a77a7976ff75c5b6548f8b70e649ddb9c328073479948d065f0a56
    • Opcode Fuzzy Hash: bdbad10776c2dd7d5011ec56af0445890da23030e2e6bc75ceb806f93c9973d6
    • Instruction Fuzzy Hash: EF818A7261878186EB70CF11E451BAA37A0FB847A8F444635EBA907BE8DF7CE544CB44
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: bc968d5055c134b3c0e9daff122a361c02ff45622163ee8c31c78c24327891aa
    • Instruction ID: cd5964f1af2491097730aa69543128000dc09fe9b42d5ac4e9d05169c2c2c8bc
    • Opcode Fuzzy Hash: bc968d5055c134b3c0e9daff122a361c02ff45622163ee8c31c78c24327891aa
    • Instruction Fuzzy Hash: C971CF3270824246E770DF62A851BBA7691FF89B94F540635EB9E07BEACF3CE5008744
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 24c5b6ff48f5f9a65d9a6921523b684f6c3eae5e0e4fd347e98918cd32a3408e
    • Instruction ID: a42adde81594304d43a47c09860d35234830c861e5d1a042780ab7fe04cdecdd
    • Opcode Fuzzy Hash: 24c5b6ff48f5f9a65d9a6921523b684f6c3eae5e0e4fd347e98918cd32a3408e
    • Instruction Fuzzy Hash: 3471BF7260868182FB70DB50F515BAA76A5FB80BA8F104235DB9D07FE8CF7DDA458B04
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$_
    • API String ID: 0-2246572305
    • Opcode ID: 85e65c8a26b8e8fb6f64c072fa276a607d3e89ed43df6489fe7a58bdcae1b684
    • Instruction ID: 8997862e2353319a87ae162c80341f3a81b7051c38a2eb0562a1f1e353a7d7b5
    • Opcode Fuzzy Hash: 85e65c8a26b8e8fb6f64c072fa276a607d3e89ed43df6489fe7a58bdcae1b684
    • Instruction Fuzzy Hash: FF815F32A0429187E7B1DF62E511BAD77A0FB91788F048536DB8807B69DF7DA608CF11
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 181e5f6123a5a6c67b8cdd3b7ea4c92db06e2a1f56f5d4dfcdb9e5f59dadd25d
    • Instruction ID: 40419afab1bc51cd674b01bfdb49e64624ede74b667c079f1fec7d06e9893178
    • Opcode Fuzzy Hash: 181e5f6123a5a6c67b8cdd3b7ea4c92db06e2a1f56f5d4dfcdb9e5f59dadd25d
    • Instruction Fuzzy Hash: 7571687260878286E7B09F51F441BAA7BA0FB94798F444635EB8907BA9CF3CE544CB44
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: cb3422ee1a0205d416c1dd3c3e868d6b53f6d4e34ab2c7d19e8026de2626f0de
    • Instruction ID: 25a3e226dde419e06b8fd4f495d08919e939c72916bc14dfbe6f04a0e7abdf1a
    • Opcode Fuzzy Hash: cb3422ee1a0205d416c1dd3c3e868d6b53f6d4e34ab2c7d19e8026de2626f0de
    • Instruction Fuzzy Hash: 44719D3260878287E7B0DF21E451BAA77A0FB84798F444235EB9907BA8CF7CE554CB44
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 3faea7185dfdb36979ab869d9ea90c01f5bbff29461ca9d6817e704efead8feb
    • Instruction ID: 735d925821cce839a46efe9f9469a87cd9ac940bd1340a274b2e2a58e72b9174
    • Opcode Fuzzy Hash: 3faea7185dfdb36979ab869d9ea90c01f5bbff29461ca9d6817e704efead8feb
    • Instruction Fuzzy Hash: CE618C7260928186F7709F51F515BAA76A1FB80B88F104231DB8C07FA9CF7DEA55CB01
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 6ba439df8936eb08234dd2b0cc34998f5e8ca6aa22b7ff4348df991b62ccb7ad
    • Instruction ID: 50f4e7e404c2853f095e3ec10f2ca1b2062e639d860cfef8ca7915a6e16ff711
    • Opcode Fuzzy Hash: 6ba439df8936eb08234dd2b0cc34998f5e8ca6aa22b7ff4348df991b62ccb7ad
    • Instruction Fuzzy Hash: 2F617A3260878287E7B0CF51E4507AA77A0FB857A8F044234EB9917BA8CF7DE544CB45
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 9203955ce47736a95e9045091cc570b8a7d9d2d6e9ae1b0d6e3774e434508269
    • Instruction ID: 6ca5d3e64afde7d0eb38367dd35cb48abbf894f835cf6e99670a4310fe4e723e
    • Opcode Fuzzy Hash: 9203955ce47736a95e9045091cc570b8a7d9d2d6e9ae1b0d6e3774e434508269
    • Instruction Fuzzy Hash: B3617C3260878186E770CF11E452BAA77A0FB847A8F444635EBA907BE9CF7CE5548B40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: f5699b38770f93904a1c94848f79affce5581719005dbb4797c88e46ffd65125
    • Instruction ID: 44c63719fa565b252089f08b7b231e973c6bebf17009eaa346d787ad27849f80
    • Opcode Fuzzy Hash: f5699b38770f93904a1c94848f79affce5581719005dbb4797c88e46ffd65125
    • Instruction Fuzzy Hash: 51616A3250878287E770CF51E441BAABBA0FB95798F444235EB8A07BA9CF7DE504CB41
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 51ca019b28e02c498059287f36a7690273c67ea41e35ca033cdde328b5b45ef1
    • Instruction ID: 5730017e852738dcdd27be784d27e0bffcc4c7d09ddfff64a4a3e4c8b97dfb04
    • Opcode Fuzzy Hash: 51ca019b28e02c498059287f36a7690273c67ea41e35ca033cdde328b5b45ef1
    • Instruction Fuzzy Hash: 4D61AE7260838187E770CF11E451B9A77A0FB84B98F484635EB9907BA9DF3CE544CB44
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @$@
    • API String ID: 0-149943524
    • Opcode ID: 53c14de4d8da93b82b9ddfc55f86951706401d4280f1a75537f214baeca31453
    • Instruction ID: 2245bce884d5ed72efbf0ea37b6239661eaba5dede46812e5a3c1769c1316343
    • Opcode Fuzzy Hash: 53c14de4d8da93b82b9ddfc55f86951706401d4280f1a75537f214baeca31453
    • Instruction Fuzzy Hash: 8C615C7251828287E7B0CF50E542B9A7BA0FB94788F444235EB8907BA9CF7DE548CF05
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: $@
    • API String ID: 0-1077428164
    • Opcode ID: 288b7dc3efebf8fb1719b2b043de86542461e241dfd865dc43e7f325ed2f4353
    • Instruction ID: be70b82c11739c1ba585850975f06c6f791d435af0ccd6290fdd7de5d10e41d8
    • Opcode Fuzzy Hash: 288b7dc3efebf8fb1719b2b043de86542461e241dfd865dc43e7f325ed2f4353
    • Instruction Fuzzy Hash: 8A514B326087818AE770CF60F445BAA77A0FB85798F484634EB9907B9DCF7CE6448B44
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: pla
    • API String ID: 0-1481491495
    • Opcode ID: e38cea7cf4bb4e853e571e839450c38bd431c4dc13032bea545f4d42cc22521c
    • Instruction ID: d6c7c31077830e75337a99fc82d69a7898e97827bfd7309b9b7f5a37c84a2e97
    • Opcode Fuzzy Hash: e38cea7cf4bb4e853e571e839450c38bd431c4dc13032bea545f4d42cc22521c
    • Instruction Fuzzy Hash: C862B072E08641CBE720CF55D4806BE7BA0FB44799F514036EB8DA7BA8DB78E845CB44
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID: memcpy
    • String ID:
    • API String ID: 3510742995-0
    • Opcode ID: 547e16ddbdc22cd305199dd0be932c851faad7c44b7d1e0836176bca0ae2abfc
    • Instruction ID: d4bb43d73ff1eda1f41bff9e0f7e24230e960fa200a4de99d300cab57ac6a4a0
    • Opcode Fuzzy Hash: 547e16ddbdc22cd305199dd0be932c851faad7c44b7d1e0836176bca0ae2abfc
    • Instruction Fuzzy Hash: A312FE32A18A918AE724CFA9D4403BD77B1F744758F448135EF5A97BA8DF39EA41C700
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    • Opcode ID: f03534844c81a4e9bda33f36141da5c8f7aff5ce7123266b92dc3065ef8d7775
    • Instruction ID: de0c240d9e8d27ea6b5fa1c662fefd58912303c7a14ce442ca3b40d24147c7b0
    • Opcode Fuzzy Hash: f03534844c81a4e9bda33f36141da5c8f7aff5ce7123266b92dc3065ef8d7775
    • Instruction Fuzzy Hash: F8F1BF72A1C65287E730CF91E480A7AB7A5FB95B84F100135EB8E47FA9DB3DE5458B00
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    • Opcode ID: a0ae4f28042dcb46f02a741e1cbd5a318eede3c75a04bf16b0060c62e4a50953
    • Instruction ID: 436703019f4d53130f0d81006e1a039f396f5dec06cbd67b600a06395dea26bd
    • Opcode Fuzzy Hash: a0ae4f28042dcb46f02a741e1cbd5a318eede3c75a04bf16b0060c62e4a50953
    • Instruction Fuzzy Hash: DC812432A18A6286EB748B15D4147FE32A6FB84F84F514132EF4A47BA8DF7CD941C740
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    • Opcode ID: 07ec135b57dfa32398a24829b905e34b76bae3380a9d521299f95ab267ec22b0
    • Instruction ID: b57dcbf6875d70b5078105402b832a478b34263a3417032a52492e3639b6deba
    • Opcode Fuzzy Hash: 07ec135b57dfa32398a24829b905e34b76bae3380a9d521299f95ab267ec22b0
    • Instruction Fuzzy Hash: 1F71C272A086824AE7709F56A440BABB7E1FB857D4F140235EB8947BEDDF7CE5408B40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    • Opcode ID: 24c3d77b74154eda30b5843042b9a19e41db942404719a1c98a4ccc235752871
    • Instruction ID: ad88e3ab170ad535d5221987a89f2a527592341b5450c8de66e79bf18d9a307a
    • Opcode Fuzzy Hash: 24c3d77b74154eda30b5843042b9a19e41db942404719a1c98a4ccc235752871
    • Instruction Fuzzy Hash: 06619A3261835186E730CF51E5506AE7BA5FB95B98F404225EB9807BE9CF7CE544CB80
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    • Opcode ID: fb39693db7b85c370aa050d7b89607435c8bfb80467c2c722c28f9c5fc3e9824
    • Instruction ID: 2e8fe0fa43f0479b3b290380ffabba3efdd09370395ee8ae8648b38af5f97cb4
    • Opcode Fuzzy Hash: fb39693db7b85c370aa050d7b89607435c8bfb80467c2c722c28f9c5fc3e9824
    • Instruction Fuzzy Hash: 4451A232A1824187E770CF51F451BAABAA4FBC5B94F00163AAF9903FA9CF7CD1508B44
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: aa34abd7ac7b39de4110b9eadcd94f3600734ab8229a3bd4c62ae039dab1d780
    • Instruction ID: f59d98d7d747406f621dea31eaf4c0ec52f8a072a6be1eaa3fd5473e47f2e66d
    • Opcode Fuzzy Hash: aa34abd7ac7b39de4110b9eadcd94f3600734ab8229a3bd4c62ae039dab1d780
    • Instruction Fuzzy Hash: 1712AC32A0828186EB748F55E44176E3BA1FFA6B58F048234DB8D47BA8DF7DE445CB40
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 616bf7c653fbc065a8f840c102cee8b55b7bb86ab1719ce5e3b431ec984d49c0
    • Instruction ID: a5306a037b04a9b0ece09fa360b05b5537de066faf8063377eaf3c8961f06189
    • Opcode Fuzzy Hash: 616bf7c653fbc065a8f840c102cee8b55b7bb86ab1719ce5e3b431ec984d49c0
    • Instruction Fuzzy Hash: 20F1D132A0A68286EB708B6594407BA76D0EFA6754F485634DB9C477FEDF3CF8448B40
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: eb540aa7b8810f5f815ee2e28be85131f97d8860c9dbac8a789b687985d5320a
    • Instruction ID: 758c25394f5f0f302f543261e8cda77c079aaf9f6e6e95aff5ada440b9e258f9
    • Opcode Fuzzy Hash: eb540aa7b8810f5f815ee2e28be85131f97d8860c9dbac8a789b687985d5320a
    • Instruction Fuzzy Hash: 89D19432A0869287E7708F65A44166B7BD4FFA6784F544131DB8C47BA9EF3CE9408B44
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f5f07973667624be70af09a506421dde8084ac4c10be3242983735eefe8aa547
    • Instruction ID: ce00f688543f070b5d658fe53ac3f85ce2e50f8d3a899630de6da260d7191bf8
    • Opcode Fuzzy Hash: f5f07973667624be70af09a506421dde8084ac4c10be3242983735eefe8aa547
    • Instruction Fuzzy Hash: BEC1A332A0CA8286EB708B9594507AA76D0EFB6B54F484235DF9D47BE9DF3CE444CB04
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 214b28e33231e9f1e7fe83b054d455f836f4b0bafabe7208a19c0c2351c04cc4
    • Instruction ID: 2adc057d415e52140b114165a41ceb2e6712b62e2898a45458d52fc284c9951c
    • Opcode Fuzzy Hash: 214b28e33231e9f1e7fe83b054d455f836f4b0bafabe7208a19c0c2351c04cc4
    • Instruction Fuzzy Hash: 2781CF33A0868186E7318F55A901A69B7A5FF95B94F484131EF8D47BA9CF7CE851CB00
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 25d8bca02e6a90c4b05ad6d8717261286d4bd72d4d522ce643f073bdcd9d5bf4
    • Instruction ID: f96dd8f5e7475893b6ebb0c74a751885177ff01ff7d39e8023644d98ac8b3a7c
    • Opcode Fuzzy Hash: 25d8bca02e6a90c4b05ad6d8717261286d4bd72d4d522ce643f073bdcd9d5bf4
    • Instruction Fuzzy Hash: 7891BB32A08B4182EB749F51E4417A977A0FB85BA4F044635EBAD0BBE9DF3CE1508B44
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f8686d76c8a7a67023d190ff0718aced05de7a49f61466ce9d16730286e73e68
    • Instruction ID: 5e51284b1f10e3a5d0d73ffaf97dfc0fc4f777b12c83676c7fa3e79cffd487ff
    • Opcode Fuzzy Hash: f8686d76c8a7a67023d190ff0718aced05de7a49f61466ce9d16730286e73e68
    • Instruction Fuzzy Hash: 46E09271B2C0664BFBB8463C9413BA935C08714304F80C83DE94AC3FD2E96EE8500E00
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID: memcpytolower$isspace
    • String ID: adlam$b$bidiclass$d$script$scriptextensions$scx
    • API String ID: 513881215-1682159380
    • Opcode ID: ecc38faefef610c96030bdb3aadcca456263691b75986430069b888e06413051
    • Instruction ID: 8c3ec0d2c37c4481ef9da2254ef13f250792d4421a498ade375eb493f3b5e119
    • Opcode Fuzzy Hash: ecc38faefef610c96030bdb3aadcca456263691b75986430069b888e06413051
    • Instruction Fuzzy Hash: 959193A2A0868692EB60CF15E5442B973A0FF44795F844036EB4D5B7BDEF7CE844C705
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
    • String ID:
    • API String ID: 190073905-0
    • Opcode ID: 17126bcbd27a70bf73919cd00637babdaea1d5003b5f7f41a6e1e81594a3b2c4
    • Instruction ID: 8369136edaf69c47760e9c07e15a7b19adda07852db468e3c961de633384d59e
    • Opcode Fuzzy Hash: 17126bcbd27a70bf73919cd00637babdaea1d5003b5f7f41a6e1e81594a3b2c4
    • Instruction Fuzzy Hash: B181A220E9C64386FA749B65A4453F92290EF95BA8F044535EB4D477BEDF3CE885CB00
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID: Mutex$Release$AllocCloseCreateHandleObjectSingleVirtualWait
    • String ID:
    • API String ID: 2186635378-0
    • Opcode ID: dd321e34c4265832c6a7e7c0b64babc1e6128130b7d890e1f3c14ad5fff7401b
    • Instruction ID: fe8a898c5d4a3324270f6479d1b6d43fa9f1f601ae404ea179eb4afcb6491c25
    • Opcode Fuzzy Hash: dd321e34c4265832c6a7e7c0b64babc1e6128130b7d890e1f3c14ad5fff7401b
    • Instruction Fuzzy Hash: 7A513B32B09B4286EB248F21E95026973A8FF48BA4B584635DBAD477F9DF3CD560C340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID: islower
    • String ID: (*NUL)
    • API String ID: 3326879001-3733867117
    • Opcode ID: fe721f56ee6a70651e6eadb4aa8e1fd2a3ee369c38e4ded178ffcdc165898dcd
    • Instruction ID: fa998ec18e9ec15b0986aa911abde3c1ae3354524fb1c90937ae49436ef21482
    • Opcode Fuzzy Hash: fe721f56ee6a70651e6eadb4aa8e1fd2a3ee369c38e4ded178ffcdc165898dcd
    • Instruction Fuzzy Hash: B8A1D322A0C68686EB718B65E4503BE77A1FB85B94F449031DB8E877E9DF3CD645CB00
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID: memcpy
    • String ID: "$ERCP$S2RP
    • API String ID: 3510742995-542803940
    • Opcode ID: ab55170ef176e228ce4b80b6d00674af709037c1f2d7026c7dac6a402bebab88
    • Instruction ID: 2fef920ea347470c5ce3d4f5066b1dce18b12ff128c0e073cbe4c616d0fa0ce4
    • Opcode Fuzzy Hash: ab55170ef176e228ce4b80b6d00674af709037c1f2d7026c7dac6a402bebab88
    • Instruction Fuzzy Hash: 9971B366E08B8187EB608B28D50626D33A0FB98B58F159235DF9C037A6EF38E5D5C300
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: x$x
    • API String ID: 0-177600594
    • Opcode ID: 6c46d8908839aa9ce24983bd70dc707400f2b66ba850df41f065606b75bed3cf
    • Instruction ID: 351491e520dd216c4b40df7f243ca12a77218f16dccbce81d83a8aa487821be2
    • Opcode Fuzzy Hash: 6c46d8908839aa9ce24983bd70dc707400f2b66ba850df41f065606b75bed3cf
    • Instruction Fuzzy Hash: 17516F72A18BD58AD7B0CF15E1486AE73A9FB48B84F455432DB8D43BA8DF78D445C700
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID: memcpy
    • String ID: x
    • API String ID: 3510742995-2363233923
    • Opcode ID: 5965ce49c8854f5a333cc840b4e8478a91765ea7e6ad27deebd5658754f3da4c
    • Instruction ID: e2931db4323d2a80473a3fcc94c8dd056050257ba4aa0292e2044110260e45c6
    • Opcode Fuzzy Hash: 5965ce49c8854f5a333cc840b4e8478a91765ea7e6ad27deebd5658754f3da4c
    • Instruction Fuzzy Hash: 34519172618BD58ADBA0CF15E1886AE73A9F748BC4F454032DB8D43BA8DF78D445C700
    APIs
    • CreateMutexA.KERNEL32(?,?,?,00007FFE00507F00,?,?,?,00007FFE004FCF7E), ref: 00007FFE0052FD03
    • CloseHandle.KERNEL32(?,?,?,00007FFE00507F00,?,?,?,00007FFE004FCF7E), ref: 00007FFE0052FD19
    • WaitForSingleObject.KERNEL32(?,?,?,00007FFE00507F00,?,?,?,00007FFE004FCF7E), ref: 00007FFE0052FD2B
    • VirtualFree.KERNEL32(?,?,?,00007FFE00507F00,?,?,?,00007FFE004FCF7E), ref: 00007FFE0052FE38
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID: CloseCreateFreeHandleMutexObjectSingleVirtualWait
    • String ID:
    • API String ID: 4090943645-0
    • Opcode ID: f812a500035ec2ff709ab8d5a9cd304641914f4f32bf712e44a416c3003fa620
    • Instruction ID: bc3b1f9b37b671103871e17f316d8630d9ccf34778b3e78d0a824f09b0957685
    • Opcode Fuzzy Hash: f812a500035ec2ff709ab8d5a9cd304641914f4f32bf712e44a416c3003fa620
    • Instruction Fuzzy Hash: 4B410876A09F4282EBA5CB95E95017833B8FF59B94B104A39DB5E43378DF38D4A1C380
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID: CloseCreateFreeHandleMutexObjectSingleVirtualWait
    • String ID:
    • API String ID: 4090943645-0
    • Opcode ID: 361c7cc941da1d551131ae4800ccd6ba8ca2322f64ac80382056045576cbedbd
    • Instruction ID: 66db92939a7a1b1d76b8b095f5b6abc67a78f7e6aa10c6d91151da724b8fc92b
    • Opcode Fuzzy Hash: 361c7cc941da1d551131ae4800ccd6ba8ca2322f64ac80382056045576cbedbd
    • Instruction Fuzzy Hash: 9B212725A0AE0282FA788F55986427523A5FF99B58F184934DB5D473B8EF3CE461C380
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID: memcmp
    • String ID:
    • API String ID: 1475443563-0
    • Opcode ID: 6bc38bdc0f0bbba80c81f16b405a7d88026b317543f9dc5eaf2c97add6cd3a1d
    • Instruction ID: 2cc7b8b87e84cd5f9f87d690c2821c480c4f73c7d0af903f5c23397b7aacc655
    • Opcode Fuzzy Hash: 6bc38bdc0f0bbba80c81f16b405a7d88026b317543f9dc5eaf2c97add6cd3a1d
    • Instruction Fuzzy Hash: 0771B372708B9689EB608F15D558BBA73A9FB04BC0F095131DB4D57BA8EE7CE441C344
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID: memcmp
    • String ID:
    • API String ID: 1475443563-0
    • Opcode ID: 5f1e79f53f12840d4c7ad9915a57fe011791bb9e1748f04c1653416cad76cf65
    • Instruction ID: 3e7860954e4766a179f05ee2de6fc67cc52b5b5b576ed85553fd13bb2c0ce0d4
    • Opcode Fuzzy Hash: 5f1e79f53f12840d4c7ad9915a57fe011791bb9e1748f04c1653416cad76cf65
    • Instruction Fuzzy Hash: 14618172A08F9689EB608B16D558BBA73A9FB14BC4F095031DB4D57BA8EE3CE441C344
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID: memcmp
    • String ID:
    • API String ID: 1475443563-0
    • Opcode ID: e41e481e6c6f8e011105eef5b708588502e52f42f35a0ac5c1449302a1e53e6e
    • Instruction ID: 8de9a77ab54f47f4108a4200876a79afb4a1bb37d91a91ef8f915882f536614f
    • Opcode Fuzzy Hash: e41e481e6c6f8e011105eef5b708588502e52f42f35a0ac5c1449302a1e53e6e
    • Instruction Fuzzy Hash: E7619172A08F9689EB608B16D558BBA73A9FB04BC4F095031DB4D57BA8EE7CE440C344
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID: memcmp
    • String ID:
    • API String ID: 1475443563-0
    • Opcode ID: 5ccdb563847e82fddb488700acbcaf0f71af1a17f3b4d37d2ec2d1ebbb616916
    • Instruction ID: 3f44d21e8f92c46f93312afbf44a212c5f3e98e01cb2fea5033fd87fe7f21312
    • Opcode Fuzzy Hash: 5ccdb563847e82fddb488700acbcaf0f71af1a17f3b4d37d2ec2d1ebbb616916
    • Instruction Fuzzy Hash: 6161A272B08F9689EB608B16D558BBA73A9FB04BC0F095131CB4D57BA8EE3CE440C344
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID: memcmp
    • String ID:
    • API String ID: 1475443563-0
    • Opcode ID: 5770c877a3fe556e456d634dd9106413b29069ca30e4b62e1aa5a6c91d003319
    • Instruction ID: 7f2b3ea020706f833ea50ccfe6863630337ae6b8ef166e41f78ae60c6c3ce0b9
    • Opcode Fuzzy Hash: 5770c877a3fe556e456d634dd9106413b29069ca30e4b62e1aa5a6c91d003319
    • Instruction Fuzzy Hash: A861A272B08F9689EB608B16D558BBA73A9FB04BC4F495031DB4D57BA8EE3CE440C344
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID: memcmp
    • String ID:
    • API String ID: 1475443563-0
    • Opcode ID: fe7ad5f7d52aead43e8ad524dfe4b46d57824bc64b47f704b7450f939ad62151
    • Instruction ID: 37e0cc76658a12062edabefbefbb0e2b60f14cdacd1d80902dd169aad83735ea
    • Opcode Fuzzy Hash: fe7ad5f7d52aead43e8ad524dfe4b46d57824bc64b47f704b7450f939ad62151
    • Instruction Fuzzy Hash: 4061A372B08F9689EB608B16D558BBA73A9FB04BC4F095031CB4D57BA8EE7CE440C344
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID: memcmp
    • String ID:
    • API String ID: 1475443563-0
    • Opcode ID: eb950af2c08d4ff9bc1e3d670601e7342073d8edeef5f0e2785ad28625a98052
    • Instruction ID: 7948a35e4aaa14335ed59541bf68e0f97bfc8b12e667eb5f9e5a6fb483fd16f0
    • Opcode Fuzzy Hash: eb950af2c08d4ff9bc1e3d670601e7342073d8edeef5f0e2785ad28625a98052
    • Instruction Fuzzy Hash: 2361A072A08F9689EB608B16D518BBA73A9FB04BC4F495131CB4D57BA8EE7CE441C344
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID: memcmpmemcpy
    • String ID:
    • API String ID: 1784268899-0
    • Opcode ID: 4d3493d02d0612286349f756c5f202740e06981e2f5e3c3a6b9e4e6baec33d8e
    • Instruction ID: 415627f313e72995894dd29fc9b68d7ff21b6decbddbef5758546a49938f0142
    • Opcode Fuzzy Hash: 4d3493d02d0612286349f756c5f202740e06981e2f5e3c3a6b9e4e6baec33d8e
    • Instruction Fuzzy Hash: 43519172609B968AEB60CB15D548BFA7369FB48BD0F464432DB8D43BA8DF78D445C700
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2879850598.00007FFE004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE004F0000, based on PE: true
    • Associated: 00000000.00000002.2879828496.00007FFE004F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00545000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879958469.00007FFE00569000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2879982576.00007FFE0056A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe004f0000_loaddll64.jbxd
    Similarity
    • API ID: memcpy
    • String ID:
    • API String ID: 3510742995-0
    • Opcode ID: 979c27b86be1685e3159099ff59d10ce8bfc54446767b9cf128c4cb3e24c8b46
    • Instruction ID: 9d3e22c38dee486e962ae68096006210580680354791bca366239329907bf921
    • Opcode Fuzzy Hash: 979c27b86be1685e3159099ff59d10ce8bfc54446767b9cf128c4cb3e24c8b46
    • Instruction Fuzzy Hash: 22518D72A19F868ADB60CF25D5486AE73A5FB48BD0F455032DB8D43BA8DF38E454C700