Windows Analysis Report
vQu0zndLpi.dll

Overview

General Information

Sample name: vQu0zndLpi.dll
(renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name: bef34611564f850070ab13288c6d52de24fbcfc2ede9323eb675d32a31413f18.dll.exe
Analysis ID: 1572522
MD5: 6b0b96b6ec7950943213da4f98fab1c7
SHA1: 502b8b7c5888b476365345d029df4f1d80c381c2
SHA256: bef34611564f850070ab13288c6d52de24fbcfc2ede9323eb675d32a31413f18
Tags: 45-66-248-99, exe, nembo81pr, user-JAMESWT_MHT

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

  • System is w10x64
  • loaddll64.exe (PID: 6464 cmdline: loaddll64.exe "C:\Users\user\Desktop\vQu0zndLpi.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6552 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vQu0zndLpi.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 404 cmdline: rundll32.exe "C:\Users\user\Desktop\vQu0zndLpi.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • WerFault.exe (PID: 3708 cmdline: C:\Windows\system32\WerFault.exe -u -p 404 -s 464 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 776 cmdline: rundll32.exe C:\Users\user\Desktop\vQu0zndLpi.dll,xtart MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 504 cmdline: rundll32.exe C:\Users\user\Desktop\vQu0zndLpi.dll,start MD5: EF3179D498793BF4234F708D3BE28633)
      • rundll32.exe (PID: 6368 cmdline: rundll32.exe C:\Users\user\AppData\Local\Temp/tmpf193.dll,run C:\Users\user\Desktop\vQu0zndLpi.dll MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 3060 cmdline: rundll32.exe C:\Users\user\Desktop\vQu0zndLpi.dll,DllWinMain MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 280 cmdline: rundll32.exe "C:\Users\user\Desktop\vQu0zndLpi.dll",xtart MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6120 cmdline: rundll32.exe "C:\Users\user\Desktop\vQu0zndLpi.dll",start MD5: EF3179D498793BF4234F708D3BE28633)
      • rundll32.exe (PID: 5936 cmdline: rundll32.exe C:\Users\user\AppData\Local\Temp/tmpf193.dll,run C:\Users\user\Desktop\vQu0zndLpi.dll MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6052 cmdline: rundll32.exe "C:\Users\user\Desktop\vQu0zndLpi.dll",DllWinMain MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 5764 cmdline: rundll32.exe "C:\Users\user\Desktop\vQu0zndLpi.dll",UnInstall MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: C:\Users\user\AppData\Local\Temp\tmpf193.dll | Avira: detection malicious, Label: TR/AVI.Agent.yfqhy
Source: C:\Users\user\AppData\Local\Temp\tmpf193.dll | ReversingLabs: Detection: 83%
Source: vQu0zndLpi.dll | ReversingLabs: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 93.0% probability
Source: vQu0zndLpi.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Source: Binary string: D:\bamboo\home\xml-data\build-dir\WSP-MASTER-SOURCES\bin\x64\Release\wsc.pdbd source: rundll32.exe, 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.2177541208.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2246763943.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp, vQu0zndLpi.dll
Source: Binary string: D:\bamboo\home\xml-data\build-dir\WSP-MASTER-SOURCES\bin\x64\Release\wsc.pdb source: rundll32.exe, 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.2177541208.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2246763943.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp, vQu0zndLpi.dll

Networking

Source: C:\Windows\System32\rundll32.exe | Network Connect: 45.66.248.99 443
Source: Joe Sandbox View | ASN Name: FREERANGECLOUDCA FREERANGECLOUDCA
Source: unknown | TCP traffic detected without corresponding DNS query: 45.66.248.99
Source: C:\Windows\System32\rundll32.exe | Code function: 9_2_000001F8D4A83C80 recv
Source: Amcache.hve.8.dr | String found in binary or memory: http://upx.sf.net
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\tmpf193.dll C9920E995FBC98CD3883EF4C4520300D5E82BAB5D2A5C781E9E9FE694A43E82F
Source: C:\Windows\System32\rundll32.exe | Code function: String function: 00007FFDA36258A0 appears 187 times
Source: C:\Windows\System32\rundll32.exe | Code function: String function: 00007FFDA36ADFA8 appears 176 times
Source: C:\Windows\System32\rundll32.exe | Code function: String function: 00007FFDA362A750 appears 88 times
Source: C:\Windows\System32\rundll32.exe | Code function: String function: 00007FFDA3629980 appears 49 times
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 404 -s 464
Source: vQu0zndLpi.dll | Binary or memory string: OriginalFilenamewsc.dllB" vs vQu0zndLpi.dll
Source: classification engine | Classification label: mal76.evad.winDLL@25/6@0/1
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFDA367A4B0 CreateToolhelp32Snapshot,GetLastError
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFDA363A3C0 timeGetTime,CoCreateInstance,timeGetTime,timeGetTime
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFDA363EA90 LoadResource,LockResource,SizeofResource
Source: C:\Windows\System32\rundll32.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess404
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6460:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\fd8585bb-bf54-4ffe-b9f9-19469cc3e4aa
Source: vQu0zndLpi.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vQu0zndLpi.dll,xtart
Source: rundll32.exe | String found in binary or memory: /launch
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\vQu0zndLpi.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vQu0zndLpi.dll",#1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vQu0zndLpi.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vQu0zndLpi.dll,start
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\Temp/tmpf193.dll,run C:\Users\user\Desktop\vQu0zndLpi.dll
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vQu0zndLpi.dll,DllWinMain
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vQu0zndLpi.dll",xtart
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vQu0zndLpi.dll",start
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vQu0zndLpi.dll",DllWinMain
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vQu0zndLpi.dll",UnInstall
Source: C:\Windows\System32\loaddll64.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: vQu0zndLpi.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: vQu0zndLpi.dll | Static file information: File size 1138176 > 1048576
Source: vQu0zndLpi.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: vQu0zndLpi.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: vQu0zndLpi.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: vQu0zndLpi.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: vQu0zndLpi.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: vQu0zndLpi.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: vQu0zndLpi.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: vQu0zndLpi.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: vQu0zndLpi.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: vQu0zndLpi.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: vQu0zndLpi.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFDA36A3E90 LoadLibraryA,GetProcAddressForCaller
Source: vQu0zndLpi.dll | Static PE information: real checksum: 0x11082c should be: 0x11773c
Source: tmpf193.dll.9.dr | Static PE information: real checksum: 0x7024 should be: 0x7b45
Source: vQu0zndLpi.dll | Static PE information: section name: _RDATA
Source: C:\Windows\System32\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\tmpf193.dll
Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007FFDA3678440 FreeLibrary,FreeLibrary,GetModuleHandleExW,FreeLibrary,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,4_2_00007FFDA3678440
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Thread delayed: delay time: 300000
Source: C:\Windows\System32\rundll32.exe | Thread delayed: delay time: 3600000
Source: C:\Windows\System32\rundll32.exe | Thread delayed: delay time: 14400000
Source: C:\Windows\System32\rundll32.exe | Thread delayed: delay time: 32400000
Source: C:\Windows\System32\rundll32.exe | Thread delayed: delay time: 57600000
Source: C:\Windows\System32\rundll32.exe | Thread delayed: delay time: 90000000
Source: C:\Windows\System32\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tmpf193.dll
Source: C:\Windows\System32\rundll32.exe | API coverage: 0.7 %
Source: C:\Windows\System32\loaddll64.exe TID: 4416 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 3700 | Thread sleep time: -3300000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 3700 | Thread sleep time: -3600000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 3700 | Thread sleep time: -14400000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 3700 | Thread sleep time: -32400000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 3700 | Thread sleep time: -57600000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 3700 | Thread sleep time: -90000000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 5920 | Thread sleep time: -3300000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 5920 | Thread sleep time: -3600000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 5920 | Thread sleep time: -14400000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 5920 | Thread sleep time: -32400000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 5920 | Thread sleep time: -57600000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 5920 | Thread sleep time: -90000000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe | Thread delayed: delay time: 120000
Source: C:\Windows\System32\rundll32.exe | Thread delayed: delay time: 300000
Source: C:\Windows\System32\rundll32.exe | Thread delayed: delay time: 3600000
Source: C:\Windows\System32\rundll32.exe | Thread delayed: delay time: 14400000
Source: C:\Windows\System32\rundll32.exe | Thread delayed: delay time: 32400000
Source: C:\Windows\System32\rundll32.exe | Thread delayed: delay time: 57600000
Source: C:\Windows\System32\rundll32.exe | Thread delayed: delay time: 90000000
Source: Amcache.hve.8.dr | Binary or memory string: VMware
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.8.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: rundll32.exe, 00000009.00000002.2176752182.000001F8D486F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rundll32.exe, 0000000D.00000002.2246588873.000001C46A028000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllii
Source: Amcache.hve.8.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFDA36A0B94 GetLastError,IsDebuggerPresent,OutputDebugStringW,4_2_00007FFDA36A0B94
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFDA36A3E90 LoadLibraryA,GetProcAddressForCaller,4_2_00007FFDA36A3E90
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFDA3621C00 GetProcessHeap,4_2_00007FFDA3621C00
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFDA36A9A28 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FFDA36A9A28

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe | Network Connect: 45.66.248.99 443
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vQu0zndLpi.dll",#1
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFDA3676C20 SetEntriesInAclW,LocalFree,LocalAlloc,LocalFree,GetLastError,LocalFree,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,4_2_00007FFDA3676C20
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFDA36763B0 AllocateAndInitializeSid,GetLastError,4_2_00007FFDA36763B0
Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,4_2_00007FFDA36CA388
Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,4_2_00007FFDA36CA458
Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,4_2_00007FFDA36C06B8
Source: C:\Windows\System32\rundll32.exe | Code function: try_get_function,GetLocaleInfoW,4_2_00007FFDA36C0C4C
Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_00007FFDA36CAA74
Source: C:\Windows\System32\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_00007FFDA36CA898
Source: C:\Windows\System32\rundll32.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,4_2_00007FFDA36CA038
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFDA36A2FA8 GetSystemTimeAsFileTime,4_2_00007FFDA36A2FA8
Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: MsMpEng.exe
MITRE ATT&CK Matrix (listed per tactic; techniques matched by this sample carry the number of matching signatures in parentheses, all others are unmatched):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Native API (1); At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (111); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (21); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Rundll32 (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: System Time Discovery (1); Security Software Discovery (141); Virtualization/Sandbox Evasion (21); Process Discovery (1); System Information Discovery (12); Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (12); Ingress Tool Transfer (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph ID: 1572522 | Sample: vQu0zndLpi.exe | Start date: 10/12/2024 | Architecture: WINDOWS | Score: 76
Sample-level signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; AI detected suspicious sample
Process tree recovered from the behavior graph:
  loaddll64.exe (started)
    rundll32.exe (started): contacts 45.66.248.99, 443, 49708, 49709 (FREERANGECLOUDCA, Russian Federation); drops C:\Users\user\AppData\Local\...\tmpf193.dll (PE32+); starts rundll32.exe
    rundll32.exe (started): signature "System process connects to network (likely due to code injection or exploit)"; starts rundll32.exe
    cmd.exe (started): starts rundll32.exe, which in turn starts WerFault.exe
    6 other processes (started)

Antivirus results for the submitted file:
Source | Detection | Scanner | Label
vQu0zndLpi.dll | 34% | ReversingLabs | Win64.Downloader.ZLoader
Antivirus results for dropped files:
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\tmpf193.dll | 100% | Avira | TR/AVI.Agent.yfqhy
C:\Users\user\AppData\Local\Temp\tmpf193.dll | 83% | ReversingLabs | Win64.Trojan.Interlock
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.8.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
45.66.248.99 | unknown | Russian Federation | 53356 | FREERANGECLOUDCA | true
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1572522
    Start date and time:2024-12-10 16:44:09 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 5m 28s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:19
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:vQu0zndLpi.dll
    (renamed file extension from exe to dll, renamed because original name is a hash value)
    Original Sample Name:bef34611564f850070ab13288c6d52de24fbcfc2ede9323eb675d32a31413f18.dll.exe
    Detection:MAL
    Classification:mal76.evad.winDLL@25/6@0/1
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 4
    • Number of non-executed functions: 221
    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 52.168.117.173, 40.126.32.136, 13.107.246.63, 52.149.20.212
    • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed, report is missing behavior information
    • Report size exceeded maximum capacity and may have missing disassembly code.
    • VT rate limit hit for: vQu0zndLpi.dll
    Time | Type | Description
    10:45:05 | API Interceptor | 34x Sleep call for process: rundll32.exe modified
    10:45:08 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
    10:45:11 | API Interceptor | 1x Sleep call for process: loaddll64.exe modified
    No context
    No context
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    FREERANGECLOUDCA | jklarm5.elf | malicious | Unknown | 216.24.208.32
    FREERANGECLOUDCA | Jaws.exe | malicious | Stealc | 45.66.248.237
    FREERANGECLOUDCA | Setup-Pro.exe | malicious | Stealc, Vidar | 45.66.249.162
    FREERANGECLOUDCA | forest.exe | malicious | Unknown | 45.66.249.249
    FREERANGECLOUDCA | forest.exe | malicious | Unknown | 45.66.249.249
    FREERANGECLOUDCA | arm.elf | malicious | Mirai, Moobot | 23.129.35.4
    FREERANGECLOUDCA | SecuriteInfo.com.Trojan.PWS.Siggen3.33653.31886.3628.exe | malicious | Raccoon Stealer v2 | 193.142.147.59
    FREERANGECLOUDCA | SecuriteInfo.com.Trojan.PackedNET.2334.3801.19434.exe | malicious | PureLog Stealer, Raccoon Stealer v2, SmokeLoader | 193.142.147.59
    FREERANGECLOUDCA | Setup.exe | malicious | AsyncRAT, HTMLPhisher, Clipboard Hijacker, Phorpiex, PureLog Stealer, Raccoon Stealer v2, RedLine | 193.142.147.59
    FREERANGECLOUDCA | http://www.brookskushman.com | malicious | Unknown | 45.66.248.122
    No context
    Match | Associated Sample Name / URL | Detection | Threat Name
    C:\Users\user\AppData\Local\Temp\tmpf193.dll | lK1DKi27B4.dll | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\tmpf193.dll | 7ffbfc130000.conhost2.dll.dll | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\tmpf193.dll | nPyo7vtpRl.dll | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\tmpf193.dll | rdl3kBqbTy.dll | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\tmpf193.dll | nPyo7vtpRl.dll | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\tmpf193.dll | rdl3kBqbTy.dll | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\tmpf193.dll | 7ff6c1d70000.xxtlz.exe | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\tmpf193.dll | VOqg4bXfFS.dll | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\tmpf193.dll | tZlDJKdfV6.dll | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\tmpf193.dll | Y1kJT9dEK1.dll | malicious | Unknown
    Process:C:\Windows\System32\WerFault.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):65536
    Entropy (8bit):0.8165978015413434
    Encrypted:false
    SSDEEP:96:AMFnF6Fi9yKynsj6s4RvFm+qlf1BQXIDcQLc6wcEicw3MXaXz+HbHgSQgJj27h83:RNKi9ynuu0l04mjOvzuiF1Z24lO8g/3
    MD5:6C14B4FE0A89E3150641D45F22FDACE9
    SHA1:66F34C9A841DEF3A8D2315D82720C0149602832E
    SHA-256:420155904420D64B2DD8D890CE5E66C0519C88802D5806CD8DACE17E93C090CE
    SHA-512:E65C50E6DEEEF47154758FD066481CF601B97D20006205FF26642FF239B31B688BE5AAEE6C0CE6C8E97F9AFD0787141836DD7A24173BCFCA2E117C648AA35BDF
    Malicious:false
    Process:C:\Windows\System32\WerFault.exe
    File Type:Mini DuMP crash report, 14 streams, Tue Dec 10 15:45:03 2024, 0x1205a4 type
    Category:dropped
    Size (bytes):567610
    Entropy (8bit):1.4623863133537793
    Encrypted:false
    SSDEEP:384:X/4RqW1lIYPP33qYhSkcfIBc5bgEIscmPiC/h7oRZ33sur3S8Ff0N2EdzDxo6V:yq+P33DhSkcfXDiOh7oRZ33so3KxzC6V
    MD5:CE44B5F6E0D7197C002BA8B6CA6688AE
    SHA1:54D8908928A5A9D1EF5823CD9A06007305ED657A
    SHA-256:E66C540713F1A90A81AC0A716E074DAF442852C6E8DF952D4F48F6B7F763DDC4
    SHA-512:4706EC3795C94FD0C28BB47A7CDB40C5E7A93846631B8EFF40AECD22BC2044C8DFE67E28EFCFA045233A39A1A2AB9DE54C5B0D16AF7AE388388CD61DDC0B460E
    Malicious:false
    Process:C:\Windows\System32\WerFault.exe
    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):8718
    Entropy (8bit):3.7044200649980454
    Encrypted:false
    SSDEEP:192:R6l7wVeJ2Mhu8a6YXru0gmfp9npD089bKtkfqum:R6lXJT26Yb1gmfp9TKOfa
    MD5:511390FE73F08A721D8EE4785721220A
    SHA1:38576A63AA3083939C98EFCE6DC4E8D176D9B80B
    SHA-256:B7DAF0E1614307C8AA60247DC7C95B32BEDE2CF5DEE5105CCEDE490DF4C0EA3C
    SHA-512:65D74C2110863F64E5A9ED70689A8B57CB74D8B86E357F1A81F71C088B449F6C0BA99A5AFFEBAE3F01B0BEFB6E11C2EECE290F486EE829928D38DDABA74C024D
    Malicious:false
    Process:C:\Windows\System32\WerFault.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4759
    Entropy (8bit):4.4863842114209485
    Encrypted:false
    SSDEEP:48:cvIwWl8zs9Jg771I9mCcWpW8VYjnYm8M4JCY9CY1+AK6Fgmyq85mYgAsxKxptSTz:uIjfXI7oV7VTJ7Vf2mSzRpoOud
    MD5:944C30509588E500A104DF50F6A108FC
    SHA1:49585B651B68AB9F65888AF1338C650509B55F5F
    SHA-256:B6C143DA5EEE98D88509C1C84D83DC98A919B8487D39D2D0D133F9F61BF61967
    SHA-512:F254EB4DEDB4D7FEE9DC4EB98E1C45D25BA51ED9F1B59DCFD9687071C6BA8D09A8AE0A1BB711F4D390D5D96A0F31A99518BAC01433E8EDD92F9E3D7077A8030F
    Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):2560
                        Entropy (8bit):1.257085001705468
                        Encrypted:false
                        SSDEEP:12:etGSGQwU8O0ay2Y8qS6gK/H/ffk6Om2BXp:etGScU8O0ay2vqS6p/H/QvBXp
                        MD5:634A9AF8D3F2FA0D38820D577FB0FBEB
                        SHA1:CD6E84A3C4F81FC9DF8B82449DB8B2E87130E3FD
                        SHA-256:C9920E995FBC98CD3883EF4C4520300D5E82BAB5D2A5C781E9E9FE694A43E82F
                        SHA-512:ABCA2E016FF5A53395F95BA75C96F5BFA102086E92A8E2647BD2584A75E4A81A59596848D1ABFAB8E37981A6ADB021A35074D4DC99868CC30C9C4E2A4666C50A
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 83%
                        Joe Sandbox View:
                        • Filename: lK1DKi27B4.dll, Detection: malicious
                        • Filename: 7ffbfc130000.conhost2.dll.dll, Detection: malicious
                        • Filename: nPyo7vtpRl.dll, Detection: malicious
                        • Filename: rdl3kBqbTy.dll, Detection: malicious
                        • Filename: nPyo7vtpRl.dll, Detection: malicious
                        • Filename: rdl3kBqbTy.dll, Detection: malicious
                        • Filename: 7ff6c1d70000.xxtlz.exe, Detection: malicious
                        • Filename: VOqg4bXfFS.dll, Detection: malicious
                        • Filename: tZlDJKdfV6.dll, Detection: malicious
                        • Filename: Y1kJT9dEK1.dll, Detection: malicious
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....f....r.....&"...(.....................................................@......$p....`... ...................................... ..?....0......................................................................................`0.. ............................text...p........................... ..`.edata..?.... ......................@..@.idata.......0......................@...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\System32\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):1835008
                        Entropy (8bit):4.469500637909571
                        Encrypted:false
                        SSDEEP:6144:7zZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNMjDH5S:3ZHtYZWOKnMM6bFpaj4
                        MD5:E33C6FCA5C006424C2D8E78B7D6F5CA9
                        SHA1:273A08ABD6FCE8B0A9278C0EF5E7427F934EFD91
                        SHA-256:80888B56AB46A9784D1713C58B51C58BE2E1785B616EAA4F585CCB05860DBAC8
                        SHA-512:3C498277F40E3876500B52ACD7CAC5AD7E8CBD74BB92A67BE3C347CDCFC39FF84C3EDD086F9464FE02404B0149DE593D9BB208544AFE649F984D0F2E0D7204A1
                        Malicious:false
                        Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..$z.K................................................................................................................................................................................................................................................................................................................................................2N........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                        Entropy (8bit):6.476113305296515
                        TrID:
                        • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                        • Win64 Executable (generic) (12005/4) 10.17%
                        • Generic Win/DOS Executable (2004/3) 1.70%
                        • DOS Executable Generic (2002/1) 1.70%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                        File name:vQu0zndLpi.dll
                        File size:1'138'176 bytes
                        MD5:6b0b96b6ec7950943213da4f98fab1c7
                        SHA1:502b8b7c5888b476365345d029df4f1d80c381c2
                        SHA256:bef34611564f850070ab13288c6d52de24fbcfc2ede9323eb675d32a31413f18
                        SHA512:f80bbffc22aa041eb1ccbb39f390fd322ab2b701b30d83e6872b68bc85b8c645d076b7216c5da6eab159fc9074bfc2c8410db6a6ce2e1c658868086dc88c6951
                        SSDEEP:24576:D+XUNkTrLLAhpLJdqhQZE8cpKPpo1MsAVHB+FYiY25r3wai:iXUNuAhpXqa+8cpKBgZAZBvig
                        TLSH:7C356B1767F805A8E8B6D178897B5806F736B41587309AEF02D0226B1F77BE08E7E711
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.........................5...............................................................a...J.......J.......J..............
                        Icon Hash:7ae282899bbab082
                        Entrypoint:0x180083a90
                        Entrypoint Section:.text
                        Digitally signed:true
                        Imagebase:0x180000000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF
                        Time Stamp:0x66FA53D2 [Mon Sep 30 07:31:30 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:6
                        OS Version Minor:0
                        File Version Major:6
                        File Version Minor:0
                        Subsystem Version Major:6
                        Subsystem Version Minor:0
                        Import Hash:767132e147d9da374bf0eb60457b20e1
                        Signature Valid:
                        Signature Issuer:
                        Signature Validation Error:
                        Error Number:
                        Not Before, Not After
                          Subject Chain
                            Version:
                            Thumbprint MD5:
                            Thumbprint SHA-1:
                            Thumbprint SHA-256:
                            Serial:
                            Instruction
                            dec eax
                            sub esp, 28h
                            cmp edx, 01h
                            jne 00007F2D84C83106h
                            dec eax
                            mov edx, ecx
                            dec eax
                            add edx, 001013B8h
                            call 00007F2D84C8313Dh
                            dec sp
                            movd mm5, eax
                            mov eax, 00000001h
                            dec eax
                            add esp, 28h
                            ret
                            dec eax
                            sub esp, 28h
                            dec sp
                            movd eax, mm5
                            dec eax
                            add esp, 28h
                            ret
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            dec eax
                            sub esp, 28h
                            call 00007F2D84C830D3h
                            mov edx, 00001BD8h
                            dec eax
                            mov ecx, eax
                            call 00007F2D84C837AFh
                            call eax
                            xor eax, eax
                            dec eax
                            add esp, 28h
                            ret
                            int3
                            dec eax
                            mov dword ptr [esp+10h], ebx
                            dec eax
                            mov dword ptr [esp+08h], ecx
                            push ebp
                            push esi
                            push edi
                            inc ecx
                            push esp
                            inc ecx
                            push ebp
                            inc ecx
                            push esi
                            inc ecx
                            push edi
                            dec eax
                            lea ebp, dword ptr [esp-27h]
                            dec eax
                            sub esp, 00000100h
                            inc ebp
                            xor esp, esp
                            dec eax
                            mov ebx, edx
                            mov dword ptr [esp+20h], 4C682648h
                            mov dword ptr [esp+24h], 436D2A5Fh
                            mov dword ptr [esp+28h], 4F4D674Fh
                            mov dword ptr [esp+2Ch], 75352979h
                            inc sp
                            mov dword ptr [esp+50h], esp
                            mov byte ptr [esp+30h], 00000000h
                            mov dword ptr [esp+38h], 0065006Bh
                            mov dword ptr [esp+3Ch], 006E0072h
                            mov dword ptr [esp+40h], 00000065h
                            Name                                  Virtual Address  Virtual Size  Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT          0xede80          0x8c          .rdata
                            IMAGE_DIRECTORY_ENTRY_IMPORT          0xedf0c          0xdc          .rdata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x101000         0x196ec       .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0xf8000          0x744c        .pdata
                            IMAGE_DIRECTORY_ENTRY_SECURITY        0xfcc00          0x4dc8
                            IMAGE_DIRECTORY_ENTRY_BASERELOC       0x11b000         0x156c        .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG           0xd9330          0x70          .rdata
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_TLS             0xd9500          0x28          .rdata
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xd93a0          0x138         .rdata
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_IAT             0xb7000          0x5f8         .rdata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                            Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type           Entropy             Characteristics
                            .text   0x1000           0xb572c       0xb5800   fc6ea9a56a230231c4bb1fdc5ef08421  False     0.4668183970385675   data                6.386830917577598   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rdata  0xb7000          0x383b6       0x38400   ec611e4019790695ac7d6d148ac88116  False     0.3645833333333333   data                4.902790895501739   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .data   0xf0000          0x749c        0x5800    68b698e4c7307e6be67b30c865614f37  False     0.15185546875        data                4.497462253406015   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .pdata  0xf8000          0x744c        0x7600    27d6cbc5cf6ad3575f8a0f04a40429a3  False     0.4889433262711864   PEX Binary Archive  5.836748779718831   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            _RDATA  0x100000         0xf4          0x200     3becaaa5faf69c9c92c0abf64cce14d9  False     0.3046875            data                2.4434385797190123  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .rsrc   0x101000         0x196ec       0x19800   a2add8433692a7f4ef3e303d8b906d10  False     0.5730602787990197   data                7.1419435849845465  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc  0x11b000         0x156c        0x1600    94db310f1ca40a2e184b4684ec88d3df  False     0.37659801136363635  data                5.401573591665021   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            Name          RVA       Size     Type                                                         Language  Country        ZLIB Complexity
                            RT_VERSION    0x1010e8  0x2d0    data                                                         English   United States  0.46805555555555556
                            RT_ANICURSOR  0x1013b8  0x191b2  data                                                                                  0.5751210689071707
                            RT_MANIFEST   0x11a56c  0x17d    XML 1.0 document, ASCII text, with CRLF line terminators     English   United States  0.5931758530183727
                            DLL: Imports
                            RPCRT4.dll: UuidToStringW, UuidCreate, RpcStringFreeW
                            KERNEL32.dll: LoadLibraryExW, SizeofResource, LockResource, LoadResource, FindResourceExW, FindResourceW, EnterCriticalSection, ReleaseSemaphore, LeaveCriticalSection, InitializeCriticalSection, WaitForThreadpoolTimerCallbacks, GetCurrentThreadId, CloseThreadpoolWait, WaitForThreadpoolWaitCallbacks, CloseThreadpoolTimer, CloseHandle, SetThreadpoolTimer, SetThreadpoolWait, CreateSemaphoreW, MultiByteToWideChar, GetModuleHandleW, WideCharToMultiByte, LocalFree, DeleteCriticalSection, GetCurrentProcessId, CreateFileW, GetFileTime, FileTimeToSystemTime, GetSystemTime, CreateProcessW, DeleteProcThreadAttributeList, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, GetExitCodeProcess, CreateThreadpoolWait, CreateThreadpoolTimer, CreateEventW, ResetEvent, LocalAlloc, CreateThread, OpenProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, WriteConsoleW, FreeEnvironmentStringsW, GetEnvironmentStringsW, DecodePointer, RaiseException, InitializeCriticalSectionEx, WaitForSingleObject, SetEvent, GetLastError, VerSetConditionMask, VerifyVersionInfoW, GetModuleHandleExW, Sleep, GetProcAddress, LoadLibraryW, GetModuleFileNameW, FreeLibrary, GetProcessHeap, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, HeapDestroy, FormatMessageA, SetStdHandle, ExitProcess, GetCommandLineW, RtlUnwind, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, ReadConsoleW, GetConsoleMode, GetConsoleOutputCP, WriteFile, GetFileType, GetStdHandle, ReadFile, SetConsoleCtrlHandler, FreeLibraryAndExitThread, ExitThread, FlushFileBuffers, GetFileSizeEx, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, TlsFree, LCMapStringW, IsDebuggerPresent, OutputDebugStringW, GetStringTypeW, WaitForSingleObjectEx, GetExitCodeThread, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryEnterCriticalSection, FindClose, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, SetEndOfFile, SetFilePointerEx, GetFileInformationByHandleEx, QueryPerformanceCounter, QueryPerformanceFrequency, EncodePointer, LCMapStringEx, GetSystemTimeAsFileTime, GetCPInfo, InitializeCriticalSectionAndSpinCount, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, GetStartupInfoW, InitializeSListHead, RtlUnwindEx, RtlPcToFileHeader, InterlockedFlushSList, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue
                            USER32.dll: AllowSetForegroundWindow
                            ADVAPI32.dll: RevertToSelf, ImpersonateLoggedOnUser, OpenProcessToken, QueryServiceStatusEx, OpenSCManagerW, OpenServiceW, GetSecurityInfo, GetSidIdentifierAuthority, GetAce, GetSidSubAuthority, GetSidSubAuthorityCount, EqualSid, ConvertSidToStringSidW, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, SetEntriesInAclW, RegDeleteKeyW, FreeSid, CheckTokenMembership, AllocateAndInitializeSid, CloseServiceHandle, RegSetKeyValueW, RegOpenKeyExW, RegGetValueW, RegCloseKey
                            SHELL32.dll: CommandLineToArgvW, SHGetKnownFolderPath
                            ole32.dll: CoInitializeEx, CoUninitialize, CoSetProxyBlanket, CoTaskMemFree, CoCreateInstance
                            OLEAUT32.dll: SysAllocString, VariantClear, SafeArrayCreate, VariantInit, SysStringLen, SysAllocStringLen, SysFreeString
                            SHLWAPI.dll: PathRemoveFileSpecW, PathAppendW, PathIsRelativeW
                            WINMM.dll: timeGetTime
                            ntdll.dll: RtlLookupFunctionEntry, RtlVirtualUnwind, RtlCaptureContext
                            Name        Ordinal  Address
                            xtart       1        0x180020ad0
                            start       2        0x180020b00
                            DllWinMain  4        0x18005b0b0
                            UnInstall   3        0x18006cfe0
                            Language of compilation system  Country where language is spoken
                            English                         United States
                            Dec 10, 2024 16:45:14.357105970 CET4434974645.66.248.99192.168.2.6
                            Dec 10, 2024 16:45:14.357136965 CET4434974645.66.248.99192.168.2.6
                            Dec 10, 2024 16:45:14.465466976 CET49747443192.168.2.645.66.248.99
                            Dec 10, 2024 16:45:14.465504885 CET4434974745.66.248.99192.168.2.6
                            Dec 10, 2024 16:45:14.465583086 CET49747443192.168.2.645.66.248.99
                            Dec 10, 2024 16:45:14.466310978 CET49747443192.168.2.645.66.248.99
                            Dec 10, 2024 16:45:14.466325045 CET4434974745.66.248.99192.168.2.6
                            Dec 10, 2024 16:45:14.466366053 CET4434974745.66.248.99192.168.2.6
                            Dec 10, 2024 16:45:14.574966908 CET49748443192.168.2.645.66.248.99
                            Dec 10, 2024 16:45:14.575002909 CET4434974845.66.248.99192.168.2.6
                            Dec 10, 2024 16:45:14.575141907 CET49748443192.168.2.645.66.248.99
                            Dec 10, 2024 16:45:14.576491117 CET49748443192.168.2.645.66.248.99
                            Dec 10, 2024 16:45:14.576504946 CET4434974845.66.248.99192.168.2.6
                            Dec 10, 2024 16:45:14.576543093 CET4434974845.66.248.99192.168.2.6
                            Dec 10, 2024 16:45:14.684241056 CET49749443192.168.2.645.66.248.99
                            Dec 10, 2024 16:45:14.684298992 CET4434974945.66.248.99192.168.2.6
                            Dec 10, 2024 16:45:14.684384108 CET49749443192.168.2.645.66.248.99
                            Dec 10, 2024 16:45:14.685108900 CET49749443192.168.2.645.66.248.99
                            Dec 10, 2024 16:45:14.685125113 CET4434974945.66.248.99192.168.2.6
                            Dec 10, 2024 16:45:14.685170889 CET4434974945.66.248.99192.168.2.6


                            Target ID:0
                            Start time:10:45:02
                            Start date:10/12/2024
                            Path:C:\Windows\System32\loaddll64.exe
                            Wow64 process (32bit):false
                            Commandline:loaddll64.exe "C:\Users\user\Desktop\vQu0zndLpi.dll"
                            Imagebase:0x7ff66eb60000
                            File size:165'888 bytes
                            MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:1
                            Start time:10:45:02
                            Start date:10/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:2
                            Start time:10:45:02
                            Start date:10/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vQu0zndLpi.dll",#1
                            Imagebase:0x7ff7755b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:3
                            Start time:10:45:02
                            Start date:10/12/2024
                            Path:C:\Windows\System32\rundll32.exe
                            Wow64 process (32bit):false
                            Commandline:rundll32.exe C:\Users\user\Desktop\vQu0zndLpi.dll,xtart
                            Imagebase:0x7ff7429d0000
                            File size:71'680 bytes
                            MD5 hash:EF3179D498793BF4234F708D3BE28633
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:10:45:02
                            Start date:10/12/2024
                            Path:C:\Windows\System32\rundll32.exe
                            Wow64 process (32bit):false
                            Commandline:rundll32.exe "C:\Users\user\Desktop\vQu0zndLpi.dll",#1
                            Imagebase:0x7ff7429d0000
                            File size:71'680 bytes
                            MD5 hash:EF3179D498793BF4234F708D3BE28633
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:8
                            Start time:10:45:02
                            Start date:10/12/2024
                            Path:C:\Windows\System32\WerFault.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\WerFault.exe -u -p 404 -s 464
                            Imagebase:0x7ff6def20000
                            File size:570'736 bytes
                            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:9
                            Start time:10:45:05
                            Start date:10/12/2024
                            Path:C:\Windows\System32\rundll32.exe
                            Wow64 process (32bit):false
                            Commandline:rundll32.exe C:\Users\user\Desktop\vQu0zndLpi.dll,start
                            Imagebase:0x7ff7429d0000
                            File size:71'680 bytes
                            MD5 hash:EF3179D498793BF4234F708D3BE28633
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:10:45:07
                            Start date:10/12/2024
                            Path:C:\Windows\System32\rundll32.exe
                            Wow64 process (32bit):false
                            Commandline:rundll32.exe C:\Users\user\AppData\Local\Temp/tmpf193.dll,run C:\Users\user\Desktop\vQu0zndLpi.dll
                            Imagebase:0x7ff7429d0000
                            File size:71'680 bytes
                            MD5 hash:EF3179D498793BF4234F708D3BE28633
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:11
                            Start time:10:45:08
                            Start date:10/12/2024
                            Path:C:\Windows\System32\rundll32.exe
                            Wow64 process (32bit):false
                            Commandline:rundll32.exe C:\Users\user\Desktop\vQu0zndLpi.dll,DllWinMain
                            Imagebase:0x7ff7429d0000
                            File size:71'680 bytes
                            MD5 hash:EF3179D498793BF4234F708D3BE28633
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:12
                            Start time:10:45:11
                            Start date:10/12/2024
                            Path:C:\Windows\System32\rundll32.exe
                            Wow64 process (32bit):false
                            Commandline:rundll32.exe "C:\Users\user\Desktop\vQu0zndLpi.dll",xtart
                            Imagebase:0x7ff7429d0000
                            File size:71'680 bytes
                            MD5 hash:EF3179D498793BF4234F708D3BE28633
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:13
                            Start time:10:45:11
                            Start date:10/12/2024
                            Path:C:\Windows\System32\rundll32.exe
                            Wow64 process (32bit):false
                            Commandline:rundll32.exe "C:\Users\user\Desktop\vQu0zndLpi.dll",start
                            Imagebase:0x7ff7429d0000
                            File size:71'680 bytes
                            MD5 hash:EF3179D498793BF4234F708D3BE28633
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:14
                            Start time:10:45:11
                            Start date:10/12/2024
                            Path:C:\Windows\System32\rundll32.exe
                            Wow64 process (32bit):false
                            Commandline:rundll32.exe "C:\Users\user\Desktop\vQu0zndLpi.dll",DllWinMain
                            Imagebase:0x7ff7429d0000
                            File size:71'680 bytes
                            MD5 hash:EF3179D498793BF4234F708D3BE28633
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:15
                            Start time:10:45:11
                            Start date:10/12/2024
                            Path:C:\Windows\System32\rundll32.exe
                            Wow64 process (32bit):false
                            Commandline:rundll32.exe "C:\Users\user\Desktop\vQu0zndLpi.dll",UnInstall
                            Imagebase:0x7ff7429d0000
                            File size:71'680 bytes
                            MD5 hash:EF3179D498793BF4234F708D3BE28633
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:16
                            Start time:10:45:14
                            Start date:10/12/2024
                            Path:C:\Windows\System32\rundll32.exe
                            Wow64 process (32bit):false
                            Commandline:rundll32.exe C:\Users\user\AppData\Local\Temp/tmpf193.dll,run C:\Users\user\Desktop\vQu0zndLpi.dll
                            Imagebase:0x7ff7429d0000
                            File size:71'680 bytes
                            MD5 hash:EF3179D498793BF4234F708D3BE28633
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true


                              Execution Graph

                              Execution Coverage:0.2%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:86.7%
                              Total number of Nodes:15
                              Total number of Limit Nodes:5

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID: $=$.$3$H&hL$OgMO$_*mC$e$k$l$r$y)5u
                              • API String ID: 4275171209-280504472
                              • Opcode ID: ee0c046724718ef865d8e4251b446f8becd4280be52b503d284323da46b589d7
                              • Instruction ID: 01f5ada89d0028bc700859c20fff51408744d1425e05ebafece3b4b3b34c40b5
                              • Opcode Fuzzy Hash: ee0c046724718ef865d8e4251b446f8becd4280be52b503d284323da46b589d7
                              • Instruction Fuzzy Hash: 7BD1F332B0A28186EB14CF25A46437E7BB2FB45B88F586435EE4E57B4ADA3DD405C704

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID: $=$.$3$H&hL$OgMO$_*mC$e$k$l$r$y)5u
                              • API String ID: 4275171209-280504472
                              • Opcode ID: 78d6874f3d14f96c59fd9a5633fcbe9d84fc910ba62e348fbfa17b918026231c
                              • Instruction ID: 2c52bbdb1c0f138f67241a86d7a051b28a1d55409c507f2925491059c22d8eb3
                              • Opcode Fuzzy Hash: 78d6874f3d14f96c59fd9a5633fcbe9d84fc910ba62e348fbfa17b918026231c
                              • Instruction Fuzzy Hash: 0B913B32B092C18AEB08CF35A42527E7BB6F785B88F589035DE8E57B4ADA3DD505C704

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: AllocVirtual$AddressCallerLibraryLoadProc
                              • String ID: H&hL
                              • API String ID: 2360694132-2439674248
                              • Opcode ID: 44eba2a5a35923633fa71ece8ceb0c200e7e8fe66f1bd006b510c8ebb3f49db2
                              • Instruction ID: 420a671f71d303e2579be4b9f496bba24f98ee5bf0ef7a51a450db8a56bd540a
                              • Opcode Fuzzy Hash: 44eba2a5a35923633fa71ece8ceb0c200e7e8fe66f1bd006b510c8ebb3f49db2
                              • Instruction Fuzzy Hash: 06716833B062C146EF09CB34A42527E7BB6FB49B89B589036CE8E57B4ADA3CD501C714

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: AddressCallerLibraryLoadProc
                              • String ID:
                              • API String ID: 4215043672-0
                              • Opcode ID: d6f5452103803c5f2f3a319d01ce199cc0f0dfd00667f7ef54a4292edb0a6888
                              • Instruction ID: 4797fd1181750061ef4ea606cb33c7d6c480ae208fd2cb7a7bf5892ed96d0111
                              • Opcode Fuzzy Hash: d6f5452103803c5f2f3a319d01ce199cc0f0dfd00667f7ef54a4292edb0a6888
                              • Instruction Fuzzy Hash: 21415932F1669286EB50CF29E0503B977B2EB44B88F585831EF0D67786EE39E841C714
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: AddressProc$ErrorLast$_invalid_parameter_noinfo_noreturn$FreeLibrary$ExceptionFileHandleHeaderModuleRaise
                              • String ID: AddExtraFilesToDump$ConvertOldConfigToNewConfig$DeleteDump$EnableBdch$FreeDumpResponse$GetAPIVersion$GetProcAddress failed$GetSettings$GetSettingsFromFile$ListDumps$ReleaseBdchSettings$SaveSettingsToFile$SetSettings$SetWerText$SignalHandler$SubmitDump$SyncSettings$UninitBdch$bdch.dll$common
                              • API String ID: 907206834-249020477
                              • Opcode ID: 9a4ee575f4863204540a75201041e596e6dfa383fe2d785bef0209c871762e64
                              • Instruction ID: fcaf1ba299acc5f12f953197f8f0ebba240f13bf388fb49b542d42509457dd43
                              • Opcode Fuzzy Hash: 9a4ee575f4863204540a75201041e596e6dfa383fe2d785bef0209c871762e64
                              • Instruction Fuzzy Hash: 7C926162F06B528AFB00CF68E4A01EC73B6EF54748B485135EE4D32BA9EF399555C348
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: String$AllocFree$SleepTime_invalid_parameter_noinfotime$BlanketCreateInstanceProxy_invalid_parameter_noinfo_noreturn
                              • String ID: $-> %s$. Error: $Could not connect to the server. Error: $Could not create a locator instance. Error: $Could not delete subkey $Could not open the provider Registry key. Error: $Could not revert the impersonation. Error $Could not set the proxy blanket. Error: $Deleting subkey $OR instanceGuid='{6E88A883-0921-EEB8-778B-1E0044B97C8F}'$OR instanceGuid='{D5E94967-2F1B-E136-4D3B-25723F3E3632}'$OR instanceGuid='{EDD2C842-6574-E06E-6664-8C47C1ED7149}'$SELECT instanceGuid, __PATH FROM AntiSpywareProduct WHERE instanceGuid='{B5763A99-8435-6D40-83EB-2CA97758A9A5}' OR instanceGuid='{$SELECT instanceGuid, __PATH FROM AntiVirusProduct WHERE instanceGuid='{0E17DB7D-A20F-62CE-B95B-17DB0CDFE318}' OR instanceGuid='{AB$SELECT instanceGuid, __PATH FROM FireWallProduct WHERE instanceGuid='{362C5A58-E860-6396-9204-BEEEF20CA463}' OR instanceGuid='{93F$SOFTWARE\Microsoft\Security Center\Provider$Trying again with QUERY_INFORMATION rights.$WQL$helpers::cleanup::clear_old_wsc_guids$helpers::cleanup::details::clear_old_wsc_guids_from_registry$helpers::impersonation::begin$helpers::impersonation::end$root\SecurityCenter2$wsc_reporter::Init
                              • API String ID: 1086138936-561278520
                              • Opcode ID: dd7e7da5028aa909f53e2906595e3df0f9c68242a1b4cb8b7e165e502e67d7d7
                              • Instruction ID: 431e9bcb0bbf20b28bf8058bf597dd7f35eb576e9af0b9c8c372bd9d94904668
                              • Opcode Fuzzy Hash: dd7e7da5028aa909f53e2906595e3df0f9c68242a1b4cb8b7e165e502e67d7d7
                              • Instruction Fuzzy Hash: 34929F32B0AB8296FB20CF64D8603E96362FB44758F581635DA5D27B9ADF3ED144C348
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: CriticalSection$Leave$Enter$ObjectSingleWait$CurrentThread$ReleaseSemaphore
                              • String ID:
                              • API String ID: 2071811701-0
                              • Opcode ID: 108c2fc571f0403c0ae4151bbae7192262587a6409f44ddc6cdfa21276470fbc
                              • Instruction ID: 3ac1a08ce9fadd2f03a83206777991931d3537a3a2a8ade1745c40480ca7e0f0
                              • Opcode Fuzzy Hash: 108c2fc571f0403c0ae4151bbae7192262587a6409f44ddc6cdfa21276470fbc
                              • Instruction Fuzzy Hash: 5C32B532B09A4287F768CF25D56023937A2FB48B84F5C1136DA4E9B796DF3EE8518704
                              APIs
                                • Part of subcall function 00007FFDA36A3E90: LoadLibraryA.KERNELBASE ref: 00007FFDA36A3F07
                                • Part of subcall function 00007FFDA36A3E90: GetProcAddressForCaller.KERNELBASE ref: 00007FFDA36A3F47
                              • timeGetTime.WINMM(-> %s,win_fw_ownership::take_ownership_task,?,?,?,00007FFDA36396E5), ref: 00007FFDA363A40A
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                              • timeGetTime.WINMM ref: 00007FFDA363AC56
                              • timeGetTime.WINMM ref: 00007FFDA363AF00
                              • CoCreateInstance.OLE32(?,?,?,00007FFDA36396E5), ref: 00007FFDA363A537
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Timetime$_invalid_parameter_noinfo$AddressCallerCreateInstanceLibraryLoadProcSleep
                              • String ID: -> %s$Could not get an instance of the firewall policy. Error: $Could not get the Windows Firewall status for domain networks. Error: $Could not get the Windows Firewall status for private networks. Error: $Could not get the Windows Firewall status for public networks. Error: $Could not set the Windows Firewall status for domain networks. Error: $Could not set the Windows Firewall status for private networks. Error: $Could not set the Windows Firewall status for public networks. Error: $Firewall already enabled for all network types.$Saving Windows Firewall status.$Skipped saving Windows Firewall status.$WinFwInitialStat$WinFwSetStat$win_fw_ownership::enable_win_fw$win_fw_ownership::get_last_set_win_fw_status$win_fw_ownership::save_win_fw_status$win_fw_ownership::take_ownership_task
                              • API String ID: 3405590602-2346150944
                              • Opcode ID: c9d3474bf6ef8fb08b123b90f418204d7a29d2e4ab44f3653ecfff32b753bfe8
                              • Instruction ID: a58506d1ba70b05603e927082c90300c366046e0075acc2be3f332888dd628c8
                              • Opcode Fuzzy Hash: c9d3474bf6ef8fb08b123b90f418204d7a29d2e4ab44f3653ecfff32b753bfe8
                              • Instruction Fuzzy Hash: 69D25C32B0AB828AF720DF64D8A03E933A2FB44708F591135DA4D67B96DF3AD545C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: CloseHandle$ErrorLastSleep$CurrentEventFreeInfoLibraryOpenProcessSecurityThreadTimetime
                              • String ID: $Command line: $DllWinMain$Invalid command line$check_security_event err=$crash in $crash_handler::check_intentional_crash$crash_handler::enable failed; err= $failed to start; err=$get_parent_process failed; err=$get_parent_process_id failed$invalid security event$nullptr$process::open failed$sync::wait failed; err=
                              • API String ID: 3603222985-3427197465
                              • Opcode ID: 563237c25084c9a6043af411bbddca3a9d9b7920bde20101074ee879aacb59ed
                              • Instruction ID: 6a95ebaf94c60a06dd5d905a95e68842d9c3d088f00895d841492e6b7748e1f6
                              • Opcode Fuzzy Hash: 563237c25084c9a6043af411bbddca3a9d9b7920bde20101074ee879aacb59ed
                              • Instruction Fuzzy Hash: 1DA24E32A0E6C286F6709B14E4A03EAB3A2FB85340F586535D68D5379BDF3ED544CB48

                              Control-flow Graph

                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3650572
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                                • Part of subcall function 00007FFDA3629170: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA362918A
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Sleep_invalid_parameter_noinfo$Timetime
                              • String ID: is started by broker=$-> %s$0$bd.process.broker$bd.process.broker.channel.spawner$bd::process_broker::is_started_by_broker$from$is_started_by_broker$method$module$no bus$no channel=bd.process.broker.channel.spawner$no reply received$pid$pid=$process_broker$process_broker_client$result$version
                              • API String ID: 2695549718-2130624740
                              • Opcode ID: 2181f06927e0e029315d811f794b0f694f43ad20be1b47743ad7c3cd8498611b
                              • Instruction ID: d8368c476dddd51f0275043bb7b4eb12f4bf6346ef8020ab57923fed31e2710c
                              • Opcode Fuzzy Hash: 2181f06927e0e029315d811f794b0f694f43ad20be1b47743ad7c3cd8498611b
                              • Instruction Fuzzy Hash: B1529C32B0AB828AFB10CF64D8A02E973B1FB85754F181136DA4D677AADF3AD545C704

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn$Sleep
                              • String ID: Failed to get REGPATH_PRODUCT_COMMON$\wsc\restart\$common$count$failed; err = $get_plugin $get_reg_path failed; err=$get_restart_count_from_reg err=$old counter; reset restart counter$productinfo$reg path $reg path is empty; can't check restart metricts$reg::get_qword_value failed$wsc_communicator_launcher_plg::check_restart_metrics$wsc_communicator_launcher_plg::get_reg_path$wsc_communicator_launcher_plg::get_restart_metrics
                              • API String ID: 3287135283-2481825956
                              • Opcode ID: 781f7098daaf994b01750fdf8bd54cc10ebc5a048332789970be7ca32d62cd69
                              • Instruction ID: 36890626975add3297fd4f2acefc087a3e8c60dcacc2e3e67e41331150880873
                              • Opcode Fuzzy Hash: 781f7098daaf994b01750fdf8bd54cc10ebc5a048332789970be7ca32d62cd69
                              • Instruction Fuzzy Hash: 69529232B0ABC289FB61CF24D8A93E93761FB44358F985235D68C167AADF39D584C704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Time_invalid_parameter_noinfo_noreturntime$CreateInstance_invalid_parameter_noinfo$InitializeOpenSleepUninitialize
                              • String ID: $-> %s$Could not get the ProductInfoServ plugin. Error: $Could not get the product registry path.$Could not initialize COM. Error $Could not open the product registry key. Error: $Desktop$Ownership already taken. Exiting.$win_fw_ownership::initialize_reg_key_handle$win_fw_ownership::take_ownership_task
                              • API String ID: 1971581718-2182646875
                              • Opcode ID: c887be715c9478d9b2026457c304aeca7325f592e50bb2a49694401494335c58
                              • Instruction ID: 25023143befcd0f5f51a8dc99a8b36d6e7464926422de8849ece3a2527348ae4
                              • Opcode Fuzzy Hash: c887be715c9478d9b2026457c304aeca7325f592e50bb2a49694401494335c58
                              • Instruction Fuzzy Hash: 9E82A132B0AB828AFB209F24D8603E973A1FB85354F581235DA4C57BAADF3ED545C744
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3665C95
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                                • Part of subcall function 00007FFDA3628C20: timeGetTime.WINMM ref: 00007FFDA3628C76
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Time_invalid_parameter_noinfotime$Sleep
                              • String ID: -> %s$. Running without it.$Could not get the IGAL plugin. Error: $Could not get the ProductInfo plugin. Error: $Could not get the Virus Shield plugin. Error: $Could not load the Update communication client. Error: $Could not load the WSC communication peer. Error: $igal$updatecommclient$vshieldal$wsc_collector::initialize_plugins$wsc_communication_peer
                              • API String ID: 3401150693-223008801
                              • Opcode ID: 28c551a79c954c6ad755007fe97e2b2e1776b123be57f46ff364dfea7ccb6018
                              • Instruction ID: 45b62f835a19630003702af2cfefc6fc43cff3a826a59f4e2c0f1b606ea5b6d4
                              • Opcode Fuzzy Hash: 28c551a79c954c6ad755007fe97e2b2e1776b123be57f46ff364dfea7ccb6018
                              • Instruction Fuzzy Hash: 96C27032B06BC289FB608F24D8603E933A2FB44788F586135DA4C67B9ADF39D595C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Variant$Clear$InitSleepString
                              • String ID: Could not delete the instance. Error: $Could not enumerate the WMI instances. Error: $Could not execute the WMI query. Error: $Could not get the GUID property. Error: $Could not get the path property. Error: $Found old instance GUID: $The GUID's type is not BSTR.$The instance path is not a BSTR.$__PATH$helpers::cleanup::clear_old_wsc_guids$helpers::cleanup::details::clear_old_wsc_guids_from_wmi$instanceGuid
                              • API String ID: 4200116764-3864995593
                              • Opcode ID: ae23b41b72b578f0be7289f4915bf3498807025939845a9aafd6b3116b25ee85
                              • Instruction ID: a11034291aaca1da07e747dc76a317523439105230777f954437a05328e1eb4c
                              • Opcode Fuzzy Hash: ae23b41b72b578f0be7289f4915bf3498807025939845a9aafd6b3116b25ee85
                              • Instruction Fuzzy Hash: FAA27A32B0ABC28AF7208F64D8603E937A2FB44358F585135EA4C67B9ADF3AD544C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Create$InstanceVariant_invalid_parameter_noinfo$ArrayClearInitMtx_unlockSafeSleepTimetime
                              • String ID: -> %s$Could not allocate memory for the SafeArray.$Could not get an instance of the Firewall product. Error: $Could not get the registered Firewall products. Error: $Could not set the Firewall display name. Error: $Could not set the rule categories. Error: $Registering failed with error 0x%x$win_fw_ownership::register_ownership$win_fw_ownership::take_ownership_task
                              • API String ID: 3654207605-3596997424
                              • Opcode ID: c719a2fc17f73a5c1013247dc480f164bffdc1377bccda627e9884006178e37c
                              • Instruction ID: 7bfb12b73bd366640ec839a0cd137d27f07a30324f0bb72832b0a3c73b1f60d8
                              • Opcode Fuzzy Hash: c719a2fc17f73a5c1013247dc480f164bffdc1377bccda627e9884006178e37c
                              • Instruction Fuzzy Hash: 11729D32B0AB828AF720CF64D8602ED33A5FB84358F591135DA4D67BAADF3AD544C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Timetime$Mtx_unlock_invalid_parameter_noinfo$Sleep
                              • String ID: $ $-> %s$Antivirus$Could not get the Virus Shield settings. Error: $wsc_collector::OnCommunicationEstablished$wsc_collector::OnSettingsChanged$wsc_collector::OnSignatureInstalled
                              • API String ID: 1155266476-1221500984
                              • Opcode ID: 3cb3db4bbaf9c43e9a7a0cae9519ab9a39fda8cf2ad7019b5efdde453fb31a36
                              • Instruction ID: 82a9b6366afa9d783ef3fb45a3fc7282c2fb3f993bf6fb3027ea49def62cdf62
                              • Opcode Fuzzy Hash: 3cb3db4bbaf9c43e9a7a0cae9519ab9a39fda8cf2ad7019b5efdde453fb31a36
                              • Instruction Fuzzy Hash: 1142B432B0AB8186F710DB24E8602EA73B2FB843A4F581135EA5C53B96DF3ED455C744
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID:
                              • String ID: array$object$object key$object separator
                              • API String ID: 0-2277530871
                              • Opcode ID: 008b0625c3d1b28f1b65cb6b2ada3bafaa570eac885457e0a542ddb8ab17ca85
                              • Instruction ID: c21d8277ea61716aafe217c5afcc689af5ed4d20b84af9dec5d98a713fcd3fd2
                              • Opcode Fuzzy Hash: 008b0625c3d1b28f1b65cb6b2ada3bafaa570eac885457e0a542ddb8ab17ca85
                              • Instruction Fuzzy Hash: 8122A232B1AB8685FB218F24D4643ED2362EB45398F482631DA5D1BBD7DF7AD245C304
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$CreateInitializeInstanceMtx_unlockSleepTimeUninitializetime
                              • String ID: -> %s$Could not get an instance of the firewall policy. Error: $Could not initialize COM. Error $Could not set the Windows Firewall status for domain networks. Error: $Could not set the Windows Firewall status for private networks. Error: $Could not set the Windows Firewall status for public networks. Error: $Ownership was not taken in advance. Exiting.$win_fw_ownership::restore_ownership_task$win_fw_ownership::take_ownership_task
                              • API String ID: 2781143171-1643867041
                              • Opcode ID: a9248da32e63535bdddb4c0f0e718c210ba0f25e3500d6db8d6a354708bd0332
                              • Instruction ID: 1cc6812d861d5f626d6cedb07b79601790351c171c2ef57d6b7cdbb187546796
                              • Opcode Fuzzy Hash: a9248da32e63535bdddb4c0f0e718c210ba0f25e3500d6db8d6a354708bd0332
                              • Instruction Fuzzy Hash: 72727F32B0ABC28AF7209F64D8602ED37A2FB44358F581135DA4D67B9ADF3AE545C704
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3673C17
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                              • timeGetTime.WINMM ref: 00007FFDA3673D65
                              • timeGetTime.WINMM ref: 00007FFDA3673F61
                                • Part of subcall function 00007FFDA3673B50: CloseThreadpoolTimer.KERNEL32 ref: 00007FFDA3673B6F
                                • Part of subcall function 00007FFDA36A5DF0: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,Product,00007FFDA3643D13,?,?,?,00007FFDA362102E), ref: 00007FFDA36A5E34
                                • Part of subcall function 00007FFDA36A5DF0: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,Product,00007FFDA3643D13,?,?,?,00007FFDA362102E), ref: 00007FFDA36A5E7A
                              • _Mtx_unlock.LIBCPMT ref: 00007FFDA3673EDD
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Timetime$_invalid_parameter_noinfo$CloseExceptionFileHeaderMtx_unlockRaiseSleepThreadpoolTimer
                              • String ID: $ $ $-> %s$default_tp::set_timer failed; err=$reporter_type$wsc_communicator_launcher_plg::post_launched_event$wsc_communicator_launcher_plg::restart_wsc_communicator$wsc_communicator_launcher_plg::trigger_post_launched_event$wsc_telemetry::post_launch_reporter_result
                              • API String ID: 3229415455-3527686157
                              • Opcode ID: 3065ee379f0a618992cac15b9ea4c810741b47855ff5340c24d70299e74366bc
                              • Instruction ID: 4e1d95acf81a20f9ced90af0d18e9dbb152d023685fba25e64ef4010f8bea049
                              • Opcode Fuzzy Hash: 3065ee379f0a618992cac15b9ea4c810741b47855ff5340c24d70299e74366bc
                              • Instruction Fuzzy Hash: 6422C232B0AB818AF710DF60D8602E973B1FB84364F581232EA5C67BAADF39D545C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: CreateStringUuid$CloseErrorEventFreeHandleLast
                              • String ID: Local\$UuidCreate failed$UuidToString failed$create_security_event$event name
                              • API String ID: 354563649-871040882
                              • Opcode ID: 02c2bc4453da3b1fb5412d323f1400ec8fa032de20f78dbf26c1c788ace97e54
                              • Instruction ID: a9d24df5e59dbe650c4659239eb4fb2de60a06478f25c99b4c798173340edb53
                              • Opcode Fuzzy Hash: 02c2bc4453da3b1fb5412d323f1400ec8fa032de20f78dbf26c1c788ace97e54
                              • Instruction Fuzzy Hash: 04128122F0AB8189FB10DF64D8603ED7362FB44398F586231DA5C26B9ADF39E595C344
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                              • API String ID: 808467561-2761157908
                              • Opcode ID: 3d91c6d0b746b0fcd54473a934b820777907149af494f91929977dbf4fda6ab7
                              • Instruction ID: 42de95496ea543b37cff502da4cecece7a5d701e638960a6af09a9e9dd271c65
                              • Opcode Fuzzy Hash: 3d91c6d0b746b0fcd54473a934b820777907149af494f91929977dbf4fda6ab7
                              • Instruction Fuzzy Hash: 04B2E472F192824BF726DE69D4617FC37A2FB44344F486135DA0D67B8ADB3AA900CB44
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn$Sleep
                              • String ID: Failed to get REGPATH_PRODUCT_COMMON$\wsc\$common$failed; err = $get_plugin $get_reg_path failed; err=$productinfo$reg path $wsc_telemetry::get_wsc_reg_path
                              • API String ID: 3287135283-2246909796
                              • Opcode ID: b2739a428af6b0594d3b14e63e15c0d9be3eeca76a6a3e83bd742934fa19f4c8
                              • Instruction ID: dd7b34cedb4db00f910fe5a58517fa3e40a5b50fd2fc3763ffba6e022ac4e92b
                              • Opcode Fuzzy Hash: b2739a428af6b0594d3b14e63e15c0d9be3eeca76a6a3e83bd742934fa19f4c8
                              • Instruction Fuzzy Hash: 61528232B0ABC28AFB608F24D8A43E93761FB45358F586235D64D577AADF39D684C304
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: CloseErrorHandleLast$OpenProcess$ImpersonateLoggedSleepTokenUser
                              • String ID: Coudl not impersonate the process. Error $Could not open the process token. Error $Could not open the process. Error $helpers::impersonation::details::begin
                              • API String ID: 3462865037-865500394
                              • Opcode ID: f8f360c2ca2aa2271b876976111c115cc0d958f12e8fa007c91c7c4a5f34c78f
                              • Instruction ID: 9cfe680b6f4e7f0c57c9d69a964d495ce6997e36ea665489df76ca92746eb3fa
                              • Opcode Fuzzy Hash: f8f360c2ca2aa2271b876976111c115cc0d958f12e8fa007c91c7c4a5f34c78f
                              • Instruction Fuzzy Hash: 88F1B032B0AB8289F721CF24E8602E977A2FB84354F582535DA4D637A6DF3ED548C744
                              APIs
                                • Part of subcall function 00007FFDA36763B0: AllocateAndInitializeSid.ADVAPI32 ref: 00007FFDA367641D
                                • Part of subcall function 00007FFDA36763B0: GetLastError.KERNEL32 ref: 00007FFDA367642E
                              • SetEntriesInAclW.ADVAPI32 ref: 00007FFDA3676CE2
                                • Part of subcall function 00007FFDA36A5DF0: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,Product,00007FFDA3643D13,?,?,?,00007FFDA362102E), ref: 00007FFDA36A5E34
                                • Part of subcall function 00007FFDA36A5DF0: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,Product,00007FFDA3643D13,?,?,?,00007FFDA362102E), ref: 00007FFDA36A5E7A
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: AllocateEntriesErrorExceptionFileHeaderInitializeLastRaise
                              • String ID: InitializeSecurityDescriptor failed$LocalAlloc failed$SetEntriesInAcl failed$SetSecurityDescriptorDacl failed$create_security_event
                              • API String ID: 3643204505-1957490987
                              • Opcode ID: dd606d6ea33e51c0226fb3ec32f06237e0110f7565ac49ee6450bb437f7965d4
                              • Instruction ID: fcf029310d4ffda21fbf3f985f6a85b570c6165fc847ca3f221d063321a47650
                              • Opcode Fuzzy Hash: dd606d6ea33e51c0226fb3ec32f06237e0110f7565ac49ee6450bb437f7965d4
                              • Instruction Fuzzy Hash: 6FB19F22F19B8286F710DB24E5602BD7771FB98348F446235EA8D22B56EF3DE285C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Timetime$_invalid_parameter_noinfo$Mtx_unlockSleep_invalid_parameter_noinfo_noreturn
                              • String ID: $-> %s$base class init failed$h$provider init failed$windows_security_center_integration_epaas_module::Init$windows_security_center_integration_epaas_module::UnInit
                              • API String ID: 1087390966-1821382984
                              • Opcode ID: b1c725cca0de1b507d500728707159007c6175ec0f5ff6c1616553c47df2b889
                              • Instruction ID: 52d4f152dbcecb9ab5968e6a482e84ce43df956f515b2b602a9d3b1f1609ef69
                              • Opcode Fuzzy Hash: b1c725cca0de1b507d500728707159007c6175ec0f5ff6c1616553c47df2b889
                              • Instruction Fuzzy Hash: 98528E32E0AB818AF720CF64D8503E977A1FB84354F181235EA5C67BAADF3AE541C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn
                              • String ID: \\.\PIPE\local\msgbus\wsccommunicator$cl.wsccommunicator.actions$iservconfig.dll$unordered_map/set too long$wsc$wsccommunicator
                              • API String ID: 3668304517-3060933786
                              • Opcode ID: 77a8db13d92faf5919e25ce158af2588152f4e61cf470220682b60c4aefa4383
                              • Instruction ID: d5e7fb689f0c8f6ae7ace520aac276162d8f791c8b13802557b6e7dc9cdb368e
                              • Opcode Fuzzy Hash: 77a8db13d92faf5919e25ce158af2588152f4e61cf470220682b60c4aefa4383
                              • Instruction Fuzzy Hash: B232E133B16B8686FB10CF64D4602AD7362FB48788F586231EA4D23B96DF39D155C348
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn
                              • String ID: Could not get the communication bus.$Could not get the communication channel for actions.$Could not get the communication subscription for actions.$Unrecognized method name $cl.wsccommunicator.actions$method$module$wsc$wsc_status_communication_provider::initialize_communication$wsc_status_communication_provider::on_message_received
                              • API String ID: 3668304517-2444090562
                              • Opcode ID: da03e7042cdccaa05f364094ccfc12f00891f8cb89291596a489d3dba32092a8
                              • Instruction ID: ceba3b6cb4e4ed8f75d5f4af5c6119baa20ebc2ee99380e963668a79f98d88e7
                              • Opcode Fuzzy Hash: da03e7042cdccaa05f364094ccfc12f00891f8cb89291596a489d3dba32092a8
                              • Instruction Fuzzy Hash: 9142A232B0AB8289FB108F24D8603E977A2FB84794F181135EA4D677A6DF3ED554C748
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ConditionMask$CloseCreateErrorEventHandleInfoLastVerifyVersion
                              • String ID: create_event failed$create_security_event$event name $set_event failed
                              • API String ID: 4098182476-3123728954
                              • Opcode ID: eb57edee6bdb75806fbc704326dd3676b5ac3e00da072cbec6d2ed8889c7f96f
                              • Instruction ID: 8fcc759f5e95bee55f9094ada152a175289c287804a7326e0825411fc9d1d5b3
                              • Opcode Fuzzy Hash: eb57edee6bdb75806fbc704326dd3676b5ac3e00da072cbec6d2ed8889c7f96f
                              • Instruction Fuzzy Hash: 14029422F19B8185F760CF64E8543A97362FB84358F586231EA9C27B9ADF3DE584C704
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID:
                              • String ID: Full command line: $InitializeProcThreadAttributeList failed$UpdateProcThreadAttribute failed $build_wsc_communicator_cmdline$first call InitializeProcThreadAttributeList succeeded$process::create failed
                              • API String ID: 0-568338411
                              • Opcode ID: 289594a9bb77307a8b2f1b13e428a6dbbb3d37a34061b18ab44002eb67360bd3
                              • Instruction ID: c122e4785663a1ce562f79621ee0fc7e312bef38135befe3d9ca3946a5ad7849
                              • Opcode Fuzzy Hash: 289594a9bb77307a8b2f1b13e428a6dbbb3d37a34061b18ab44002eb67360bd3
                              • Instruction Fuzzy Hash: 93026122B19B8189F720DF74D8603ED7362FB94348F446236EA4C5AA9BDF39E654C304
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ErrorLast$CloseHandleProcess32$AddressCallerCreateCurrentFirstLibraryLoadNextProcProcessSnapshotToolhelp32
                              • String ID: Process32First failed$processes_iterator::increment failed
                              • API String ID: 2232280031-3103084010
                              • Opcode ID: 0bb5b39c8bfb574f99bb00628e46c6cd92de2880485d825e002d19ccf19a5f5d
                              • Instruction ID: 80b8467013496d8f26ae549763e8f8517007abfa8cc3bd3bf8e7e1675c5f9c53
                              • Opcode Fuzzy Hash: 0bb5b39c8bfb574f99bb00628e46c6cd92de2880485d825e002d19ccf19a5f5d
                              • Instruction Fuzzy Hash: 76425023E18BC582E6118B28D5012F97760F7A9B58F55E321DF9C22667EF39E2D6C700
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA366270D
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                                • Part of subcall function 00007FFDA3629170: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA362918A
                              • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA3662E16
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Sleep_invalid_parameter_noinfo$Time_invalid_parameter_noinfo_noreturntime
                              • String ID: -> %s$0$Could not get the communication bus.$Could not get the communication channel for actions.$Could not get the communication subscription for actions.$cl.vsserv.actions$wsc_command_communication_provider::initialize_communication
                              • API String ID: 1372000958-44104646
                              • Opcode ID: 3091c106b0fa1044cb689f7c780877ecc5dfdccf3e59f8b8ba25df72bd0ca39f
                              • Instruction ID: d22fd3ab7fd20367a1872ec146e92730940949c204740c7b01cc9ce76f059748
                              • Opcode Fuzzy Hash: 3091c106b0fa1044cb689f7c780877ecc5dfdccf3e59f8b8ba25df72bd0ca39f
                              • Instruction Fuzzy Hash: E422AE32B0AB828AF7208F24E8603E973A1FB84394F581135DA4C677AADF3ED555C744
                              APIs
                                • Part of subcall function 00007FFDA364BFA0: GetModuleHandleW.KERNEL32 ref: 00007FFDA364BFC2
                                • Part of subcall function 00007FFDA364BFA0: GetLastError.KERNEL32 ref: 00007FFDA364BFCD
                              • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA366BE7D
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ErrorHandleLastModuleSleep_invalid_parameter_noinfo_noreturn
                              • String ID: and bus $"$Could not add bus observer.$Could not get the communication bus for path $Could not get the communication channel.$cl.wsccommunicator.actions$nullptr$wsc_status_communication_peer::initialize_communication
                              • API String ID: 324006007-979510685
                              • Opcode ID: 211ff8ae994467acb9bfc455e482266fc9e6ea69c1f5302deae193688976201e
                              • Instruction ID: aab8ebdaef395ef1928805a08ce322aeea7833f4c7caef50bc47e982b48e232c
                              • Opcode Fuzzy Hash: 211ff8ae994467acb9bfc455e482266fc9e6ea69c1f5302deae193688976201e
                              • Instruction Fuzzy Hash: A512A132B0AB828AEB20CF25D8A03E933A1FB84794F585135DA4D277A6DF3ED155C744
                              APIs
                              • RegGetValueW.ADVAPI32 ref: 00007FFDA3688C6E
                              • _Xtime_get_ticks.LIBCPMT ref: 00007FFDA3688F52
                              • _Xtime_get_ticks.LIBCPMT ref: 00007FFDA3688F5A
                                • Part of subcall function 00007FFDA36A5DF0: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,Product,00007FFDA3643D13,?,?,?,00007FFDA362102E), ref: 00007FFDA36A5E34
                                • Part of subcall function 00007FFDA36A5DF0: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,Product,00007FFDA3643D13,?,?,?,00007FFDA362102E), ref: 00007FFDA36A5E7A
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Xtime_get_ticks$ExceptionFileHeaderRaiseValue
                              • String ID: hours.$get_last_sent_time_from_reg err=$last_event_time$post next event in $reg::get_qword_value failed$wsc_telemetry::should_post_event_with_timeout
                              • API String ID: 4266721116-998689194
                              • Opcode ID: 8879cc2a5034eadc006a7c8b54af347dddf49876a24a5cf739a58e7d886a198a
                              • Instruction ID: 301525c2394f2174d7ee795fa1ad20ecff9ec510c7569ef7a11b2480483f4656
                              • Opcode Fuzzy Hash: 8879cc2a5034eadc006a7c8b54af347dddf49876a24a5cf739a58e7d886a198a
                              • Instruction Fuzzy Hash: 7D126D32B0AB868AF760CB24D8603E973B2FB85344F585135DA8C67B9ADF39E545C704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ErrorLast$CodeExitObjectProcessSingleSleepWait
                              • String ID: GetExitCodeProcess failed $get_exit_code failed; err=$sync::wait failed$wsc_communicator_launcher_plg::log_wsc_communicator_exit_code$wsccommunicator exit code=
                              • API String ID: 1043660891-1830431259
                              • Opcode ID: cdd646db7bf61e239641413bc6a71656aef3541698a17edffc492496c502d743
                              • Instruction ID: 8373ae9abec9b96e2a3487513d5671c77e6e00952b684b28fd2b5cf6da712238
                              • Opcode Fuzzy Hash: cdd646db7bf61e239641413bc6a71656aef3541698a17edffc492496c502d743
                              • Instruction Fuzzy Hash: C1F18532B0AB8189F720CF24D8602E977A1FB85354F581235EA8D67BA6DF3DE544C744
                              APIs
                              • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA36539C1
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                                • Part of subcall function 00007FFDA3653B60: timeGetTime.WINMM ref: 00007FFDA3653B90
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: SleepTime_invalid_parameter_noinfo_noreturntime
                              • String ID: $-> %s$No command line given.$wsc_command_communication_peer::process_command_line$wsc_command_communication_peer::update
                              • API String ID: 793901584-2339749392
                              • Opcode ID: cb0649358c915e1532cb199cc34696127b6a8273bc5b1d85e8efd3ca29c060fc
                              • Instruction ID: 37b252c4ac6a92e2a09e1f0035cdaaeb8ceb01177f4059c8999ec0a5de373a13
                              • Opcode Fuzzy Hash: cb0649358c915e1532cb199cc34696127b6a8273bc5b1d85e8efd3ca29c060fc
                              • Instruction Fuzzy Hash: 67C1B072B0AB8286F7108F24D4603B973A2FB80754F686535EA5C627DADF3EE441C748
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
                              • String ID:
                              • API String ID: 3939093798-0
                              • Opcode ID: bbb7f3e19c0f10db501dfb997f070466b95924cc3600a8e906c9abb46cdee489
                              • Instruction ID: e96c2038e6a4400a955a54821572d905accde18845149c9f92864a56319a95f3
                              • Opcode Fuzzy Hash: bbb7f3e19c0f10db501dfb997f070466b95924cc3600a8e906c9abb46cdee489
                              • Instruction Fuzzy Hash: A8716D22F166528AFB10AF68D8606F823B2BF44744F486135CE0D63796EF3EE845C358
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                              • String ID:
                              • API String ID: 1239891234-0
                              • Opcode ID: 6a27f66128d7df7926c9e3d01ca52b40ecb08c6ecb1bccf533f10e1c1f47362e
                              • Instruction ID: b91c7754d0f6fb68588eb6d789b9a57d89130fe039a031052a2ae67a47bfb6c5
                              • Opcode Fuzzy Hash: 6a27f66128d7df7926c9e3d01ca52b40ecb08c6ecb1bccf533f10e1c1f47362e
                              • Instruction Fuzzy Hash: 4531B132B09F8186EB20CF24E8502AE73B1FB88794F581136EA8D53B5ADF39D145CB00
                              APIs
                              Strings
                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FFDA36A0C17
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: DebugDebuggerErrorLastOutputPresentString
                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                              • API String ID: 389471666-631824599
                              • Opcode ID: 000b146ddc70b342f2dccb3601124c632b71dd2791de6bc41354debf00e65e30
                              • Instruction ID: 6e9fa9859f2c45ec1d420b82f746f0070c1a712a117d7be70f0a2f0678efbafc
                              • Opcode Fuzzy Hash: 000b146ddc70b342f2dccb3601124c632b71dd2791de6bc41354debf00e65e30
                              • Instruction Fuzzy Hash: 03116D32B15B82A7F7049B22DA643B932A2FF04745F486434CA4D52B52EF3EE0648718
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Sleep
                              • String ID: no event; acs reporter was previously launched successfully$no event; legacy reporter was successfully launched$reporter_type$was_last_reporter_legacy_signed err=$wsc_telemetry::should_post_launch_event
                              • API String ID: 3472027048-2828353041
                              • Opcode ID: 731fb0a7d5677233efd1a232cd7dfcfc28f7f827e317ae62892c56c01d8f83e9
                              • Instruction ID: ed5cd1d722d236c18d35ee800c471a86e878ff661146d95ecd546da32d3c9207
                              • Opcode Fuzzy Hash: 731fb0a7d5677233efd1a232cd7dfcfc28f7f827e317ae62892c56c01d8f83e9
                              • Instruction Fuzzy Hash: 8C128332B0ABC28AF761CF24D8A02E937A5FB85358F581235D64C56BABDF39D544C704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn
                              • String ID: %
                              • API String ID: 3668304517-2567322570
                              • Opcode ID: 313953fc278976dd8f00d8b600abfc55176e1cf81721bd266acf7ed24a014219
                              • Instruction ID: 341e10ecbdd220b3859ec2d23269cc7a4b0a0d542e6498f3a05e218a166b276d
                              • Opcode Fuzzy Hash: 313953fc278976dd8f00d8b600abfc55176e1cf81721bd266acf7ed24a014219
                              • Instruction Fuzzy Hash: FF125522F09A8589FB258BA5D4203FD63B2EB55788F196131EE4C27B8ADF3DD445C305
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: AllocateErrorInitializeLast
                              • String ID: allocate_initialized_sid world sid failed
                              • API String ID: 650103560-1214771766
                              • Opcode ID: 27ee6a13ad4d00bcf9b0533b174d77050bcc6ed472551afb005b68510ed8a707
                              • Instruction ID: 073d23f1354c1a169e70fe240e8d94b2da9135f0105b8c579d7d56a8ff6ec275
                              • Opcode Fuzzy Hash: 27ee6a13ad4d00bcf9b0533b174d77050bcc6ed472551afb005b68510ed8a707
                              • Instruction Fuzzy Hash: 0C31AE33A1CB81C6E3608F24E45036EB3A5F798B44F556229EACC53B1ADF39E585CB44
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00007FFDA367A4D2
                              • GetLastError.KERNEL32 ref: 00007FFDA367A4E1
                                • Part of subcall function 00007FFDA36A5DF0: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,Product,00007FFDA3643D13,?,?,?,00007FFDA362102E), ref: 00007FFDA36A5E34
                                • Part of subcall function 00007FFDA36A5DF0: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,Product,00007FFDA3643D13,?,?,?,00007FFDA362102E), ref: 00007FFDA36A5E7A
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: CreateErrorExceptionFileHeaderLastRaiseSnapshotToolhelp32
                              • String ID: CreateToolhelp32Snapshot failed
                              • API String ID: 2145101893-3319542737
                              Similarity
                              • API ID: InfoLocaletry_get_function
                              • String ID: GetLocaleInfoEx
                              • API String ID: 2200034068-2904428671
                              Similarity
                              • API ID: SleepValue
                              • String ID: get_last_status_from_reg err=$no event; status did not change $status$wsc_telemetry::should_post_status_event
                              • API String ID: 1540188156-2234276386
                              Similarity
                              • API ID: memcpy_s
                              • String ID:
                              • API String ID: 1502251526-0
                              Similarity
                              • API ID: Resource$LoadLockSizeof
                              • String ID:
                              • API String ID: 2853612939-0
                              APIs
                              • _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36BDA62
                                • Part of subcall function 00007FFDA36A9C8C: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FFDA36A9C39), ref: 00007FFDA36A9C95
                                • Part of subcall function 00007FFDA36A9C8C: GetCurrentProcess.KERNEL32(?,?,?,?,00007FFDA36A9C39), ref: 00007FFDA36A9CBA
                              Similarity
                              • API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
                              • String ID: -
                              • API String ID: 4036615347-2547889144
                              Similarity
                              • API ID:
                              • String ID: $":
                              • API String ID: 0-230526031
                              APIs
                                • Part of subcall function 00007FFDA36BC8B4: GetLastError.KERNEL32 ref: 00007FFDA36BC8C3
                                • Part of subcall function 00007FFDA36BC8B4: SetLastError.KERNEL32 ref: 00007FFDA36BC961
                              • EnumSystemLocalesW.KERNEL32(?,?,?,00007FFDA36CAB77,?,00000000,00000092,?,?,00000000,?,00007FFDA36BE88D), ref: 00007FFDA36CA426
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystem
                              • String ID:
                              • API String ID: 2417226690-0
                              APIs
                                • Part of subcall function 00007FFDA36BC8B4: GetLastError.KERNEL32 ref: 00007FFDA36BC8C3
                                • Part of subcall function 00007FFDA36BC8B4: SetLastError.KERNEL32 ref: 00007FFDA36BC961
                              • EnumSystemLocalesW.KERNEL32(?,?,?,00007FFDA36CAB33,?,00000000,00000092,?,?,00000000,?,00007FFDA36BE88D), ref: 00007FFDA36CA4D6
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystem
                              • String ID:
                              • API String ID: 2417226690-0
                              APIs
                              • EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FFDA36C0B0D,?,?,?,?,?,?,?,?,00000000,00007FFDA36C99CC), ref: 00007FFDA36C0707
                              Similarity
                              • API ID: EnumLocalesSystem
                              • String ID:
                              • API String ID: 2099609381-0
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID: as_reporter::register_to_wsc
                              • API String ID: 3215553584-929089643
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID: 0
                              • API String ID: 3215553584-4108050209
                              APIs
                                • Part of subcall function 00007FFDA36A31E8: EnterCriticalSection.KERNEL32(?,?,?,00007FFDA3621C90), ref: 00007FFDA36A31F8
                              • GetProcessHeap.KERNEL32 ref: 00007FFDA3621C40
                                • Part of subcall function 00007FFDA36A3188: EnterCriticalSection.KERNEL32(?,?,?,00007FFDA3621CF4), ref: 00007FFDA36A3198
                                • Part of subcall function 00007FFDA36A3188: LeaveCriticalSection.KERNEL32(?,?,?,00007FFDA3621CF4), ref: 00007FFDA36A31D8
                              Similarity
                              • API ID: CriticalSection$Enter$HeapLeaveProcess
                              • String ID:
                              • API String ID: 1391420675-0
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Similarity
                              • API ID: ErrorLastNameTranslatetry_get_function$CodePageValid_invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 3827717455-0
                              Similarity
                              • API ID: Concurrency::cancel_current_task$ExceptionFileHeaderRaise
                              • String ID:
                              • API String ID: 3750631505-0
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 93530646df29749afa91e61df2abb8bc8a6fb3876a88a40663f3942d3b996256
                              • Instruction ID: 499b604ad07e3e3dfea20b0fed654ca83707bd69576cbe31158cd66e084eb385
                              • Opcode Fuzzy Hash: 93530646df29749afa91e61df2abb8bc8a6fb3876a88a40663f3942d3b996256
                              • Instruction Fuzzy Hash: A95114A3B0568443DB248B49F842796F3A6FBD87C5F00A126EE8D57B28EB3CD580C700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn
                              • String ID: object key$object separator
                              • API String ID: 3668304517-2279923633
                              • Opcode ID: 0160c675e81242f2c52e0f0eb889d2c93e3da8b7d016cb9cc27a39eaa72dfcad
                              • Instruction ID: cdad72dccfc527bfe2847a1d7d5acfc3eb59c4058e249816df81a04246d12e5b
                              • Opcode Fuzzy Hash: 0160c675e81242f2c52e0f0eb889d2c93e3da8b7d016cb9cc27a39eaa72dfcad
                              • Instruction Fuzzy Hash: 5802C332B5AB8646FB219B24D4643FD23A2EB46344F582631DA5D17BD7EF7AE140C304
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID:
                              • String ID: number overflow parsing '
                              • API String ID: 0-3802681121
                              • Opcode ID: 54b3be6625f04ec752b467e8b854f378ae8b6a7a8675f75cbdc24899f31a567d
                              • Instruction ID: 6aa62556fab0ed6ce01032c2860de54a9fdcfdda637f3ac85ceece572810f5a7
                              • Opcode Fuzzy Hash: 54b3be6625f04ec752b467e8b854f378ae8b6a7a8675f75cbdc24899f31a567d
                              • Instruction Fuzzy Hash: 4DC12562F5A78646FA10AB24C4653FD23A2EF06784F586931DA5D27BC7DF3EA140C308

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy
                              • String ID: value
                              • API String ID: 1346393832-494360628
                              • Opcode ID: bd01e95eced0215074c59f1b9a029d42b153e2b2afbcf9a5d0ff2bb183a3a8f1
                              • Instruction ID: 511add27c1cdfa3f51b22e7841558bf21880644c28c8e233783ff5b33f47c818
                              • Opcode Fuzzy Hash: bd01e95eced0215074c59f1b9a029d42b153e2b2afbcf9a5d0ff2bb183a3a8f1
                              • Instruction Fuzzy Hash: 1161C632F9AAC646FA20AB74D4653FD33A2EF47354F582A31D65D177C7DE2AA140C208

                              Control-flow Graph

                              APIs
                              • try_get_function.LIBVCRUNTIME ref: 00007FFDA36C112F
                              • try_get_function.LIBVCRUNTIME ref: 00007FFDA36C114E
                                • Part of subcall function 00007FFDA36C0734: GetProcAddress.KERNEL32(?,?,FFFFFFFF,00007FFDA36C0C26,?,?,0000142099110276,00007FFDA36BCA7A,?,?,0000142099110276,00007FFDA36AE9AD), ref: 00007FFDA36C088C
                              • try_get_function.LIBVCRUNTIME ref: 00007FFDA36C116D
                                • Part of subcall function 00007FFDA36C0734: LoadLibraryExW.KERNEL32(?,?,FFFFFFFF,00007FFDA36C0C26,?,?,0000142099110276,00007FFDA36BCA7A,?,?,0000142099110276,00007FFDA36AE9AD), ref: 00007FFDA36C07D7
                                • Part of subcall function 00007FFDA36C0734: GetLastError.KERNEL32(?,?,FFFFFFFF,00007FFDA36C0C26,?,?,0000142099110276,00007FFDA36BCA7A,?,?,0000142099110276,00007FFDA36AE9AD), ref: 00007FFDA36C07E5
                                • Part of subcall function 00007FFDA36C0734: LoadLibraryExW.KERNEL32(?,?,FFFFFFFF,00007FFDA36C0C26,?,?,0000142099110276,00007FFDA36BCA7A,?,?,0000142099110276,00007FFDA36AE9AD), ref: 00007FFDA36C0827
                              • try_get_function.LIBVCRUNTIME ref: 00007FFDA36C118C
                                • Part of subcall function 00007FFDA36C0734: FreeLibrary.KERNEL32(?,?,FFFFFFFF,00007FFDA36C0C26,?,?,0000142099110276,00007FFDA36BCA7A,?,?,0000142099110276,00007FFDA36AE9AD), ref: 00007FFDA36C0860
                              • try_get_function.LIBVCRUNTIME ref: 00007FFDA36C11AB
                              • try_get_function.LIBVCRUNTIME ref: 00007FFDA36C11CA
                              • try_get_function.LIBVCRUNTIME ref: 00007FFDA36C11E9
                              • try_get_function.LIBVCRUNTIME ref: 00007FFDA36C1208
                              • try_get_function.LIBVCRUNTIME ref: 00007FFDA36C1227
                              • try_get_function.LIBVCRUNTIME ref: 00007FFDA36C1246
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: try_get_function$Library$Load$AddressErrorFreeLastProc
                              • String ID: AreFileApisANSI$CompareStringEx$EnumSystemLocalesEx$GetDateFormatEx$GetLocaleInfoEx$GetTimeFormatEx$GetUserDefaultLocaleName$IsValidLocaleName$LCIDToLocaleName$LCMapStringEx$LocaleNameToLCID
                              • API String ID: 3255926029-3252031757
                              • Opcode ID: fef386772ac757913ea159840149b1bcdd51d7f778568774226ed40a49d65bca
                              • Instruction ID: b9735c9795f788116b54fa1e4598514aaaa6665bee09d0b06896733e21748b5c
                              • Opcode Fuzzy Hash: fef386772ac757913ea159840149b1bcdd51d7f778568774226ed40a49d65bca
                              • Instruction Fuzzy Hash: B2317961B0BA47A0F608DB54E8646E46323AF49384F986033D11D2B3A7DE7EA64DC758

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID:
                              • String ID: object$value
                              • API String ID: 0-4172411348
                              • Opcode ID: 6e8851bdb59026b07f7ea7988bad3f1c207c2acbd544fc7ed9e74b49dceea63d
                              • Instruction ID: 68ea2412244b03e6dda46b75504d5450ebd604604941d64af939b305f28604f6
                              • Opcode Fuzzy Hash: 6e8851bdb59026b07f7ea7988bad3f1c207c2acbd544fc7ed9e74b49dceea63d
                              • Instruction Fuzzy Hash: B291C322B5AAC655FA21DF24C8653FE23A2FF46384F482931EA4D16797DF3AD145C308

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: CommandLine_invalid_parameter_noinfo$ArgvTimetime
                              • String ID: bd.process.broker$bd.process.broker.channel.spawner$bd::process_broker::client::spawn_process_in_desktop$bd::process_broker::client::spawn_process_with_current_params$error$from$method$module$no reply$params$pid$process_broker$process_broker_client$spawn$task$version
                              • API String ID: 827290549-3244699996
                              • Opcode ID: 4923fe0b6e2c9ee17a4e2e9b2fa562de12de03fa93b65a2c0ad9d480a309e082
                              • Instruction ID: df3cb96948b16caa0b2ec955e1e8b8ca48235e6aef5579355f447576b4e6e362
                              • Opcode Fuzzy Hash: 4923fe0b6e2c9ee17a4e2e9b2fa562de12de03fa93b65a2c0ad9d480a309e082
                              • Instruction Fuzzy Hash: DF41D372A0AB8185F7209F20E8503EA73A2FB44784F545135EA9C67BAADF7DD248C744

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Library$ErrorLastLoad$AddressFreePathProcRelative_invalid_parameter_noinfo_noreturn
                              • String ID: Could not load the msgbus plugin. Error: $Could not load the msgbus_filters lib. Error: $Could not set the wsccommunicator bus messages filter. Error: $Failed get create_msgbus_filter from dll.$Failed load the dll.$\msgbus.dll$\msgbus_filters.dll$\settings\msgbus_filters\wsccommunicator.wsccommunicator.json$create_msgbus_filter$msgbus$process_implementation::initialize_msgbus_filters$wsccommunicator
                              • API String ID: 2363643873-2864958505
                              • Opcode ID: 0124cf1f2580272c22a470eb1a84d5d5c978de36065a126eb78cbbbbd1a1bbca
                              • Instruction ID: 531deb833f02a9cdf5e843e51da65fc6741172aa940257ae35ec4101e0482893
                              • Opcode Fuzzy Hash: 0124cf1f2580272c22a470eb1a84d5d5c978de36065a126eb78cbbbbd1a1bbca
                              • Instruction Fuzzy Hash: 1E02B522F1AB8285F711DB24D8612F97762EF80384F582135EA4D267A7EF3EE584C744

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn$ErrorFreeLast$AddressLibraryProcTask$FolderKnownLoadPath
                              • String ID: WscRegisterForChanges$WscUnRegisterChanges$wscapi.dll
                              • API String ID: 3703913738-3196563575
                              • Opcode ID: 69cf77908e0306ff12f8ca091471fce32200b4c850e4cbef9737b7e36c8bff3e
                              • Instruction ID: 921337bf5b635c0527061af5ad75821b6202ae1bf3303371d715ae7b8f801848
                              • Opcode Fuzzy Hash: 69cf77908e0306ff12f8ca091471fce32200b4c850e4cbef9737b7e36c8bff3e
                              • Instruction Fuzzy Hash: 73B19022F16B4686FB00DBA4D4642AC6373AB48798F446631DE5C32BDAEF79E144C358
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Library$Free$ErrorLast$AddressLoadProc$_invalid_parameter_noinfo_noreturn
                              • String ID: BdCreateObject$BdDestroyObject$productinfo
                              • API String ID: 532591974-603925719
                              • Opcode ID: e5a8c608babae976017785d1226202bf817aa816162ce2520039809b57b8e4fc
                              • Instruction ID: 7db5a0a9bb5a499520e6f89a4920e711013b0f6f6a01d5bc96db820e90b11d0f
                              • Opcode Fuzzy Hash: e5a8c608babae976017785d1226202bf817aa816162ce2520039809b57b8e4fc
                              • Instruction Fuzzy Hash: 62C14C36B0AF4185FB00CF66E8642AD33F6BB48B88B085535DE4D23795EF399029D348
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Path$AddressFileLibraryLoadProc$AppendErrorLastModuleNameRelativeRemoveSpec
                              • String ID: BdCreateObject$BdDestroyObject$IServConfig.dll$productinfo
                              • API String ID: 2857617921-3834769276
                              • Opcode ID: 3376cacea87977b6839657724d97d17e7ec525bcb5a8be468a83449069eef622
                              • Instruction ID: 33f51e403eeb983a0966e467203df7d8cbc94b3f7c8eb1f1fc86585c079078d0
                              • Opcode Fuzzy Hash: 3376cacea87977b6839657724d97d17e7ec525bcb5a8be468a83449069eef622
                              • Instruction Fuzzy Hash: A9515F32B1AF4281FA15CF15E8A426973A2FF88B84F486131DA4D53766EF3DE558C708
                              APIs
                              • GetFileAttributesExW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FFDA3652725), ref: 00007FFDA36A2199
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FFDA3652725), ref: 00007FFDA36A21A3
                              • __std_fs_open_handle.LIBCPMT ref: 00007FFDA36A21FF
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FFDA3652725), ref: 00007FFDA36A2214
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FFDA3652725), ref: 00007FFDA36A2370
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: CloseHandle$AttributesErrorFileLast__std_fs_open_handle
                              • String ID:
                              • API String ID: 1051874144-0
                              • Opcode ID: da79eb5c1ec006bc21afa9729c7a879b907b502b4cc47840c3f8cd540b99527c
                              • Instruction ID: af66263c8c14509c37e801990ad84c27b0edd5bfa7ef11ceb8a843f55b41eb0d
                              • Opcode Fuzzy Hash: da79eb5c1ec006bc21afa9729c7a879b907b502b4cc47840c3f8cd540b99527c
                              • Instruction Fuzzy Hash: 6781EA31F46A4245F7648B65B8206B927B26F05764F1C2B34DE7D677D2DF2EE8018308
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn$ErrorFileLastModuleName
                              • String ID: \\.\PIPE\local\msgbus\$pipe_name$settings\process_broker.json
                              • API String ID: 1728480589-2130054303
                              • Opcode ID: f4b0b1fe396a97edd32a0533234a2f1cd1b1985e088d33391aaa2982a03cbf11
                              • Instruction ID: 204d730cb828a09ead5d9b66b76d21d11f5fbd34eae6cc645158449ccb27a594
                              • Opcode Fuzzy Hash: f4b0b1fe396a97edd32a0533234a2f1cd1b1985e088d33391aaa2982a03cbf11
                              • Instruction Fuzzy Hash: 7312A332B1ABC680FA208B14E5643EE6362FB89794F546632DA9D177DADF7ED040C704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: String$AllocFree_invalid_parameter_noinfo_invalid_parameter_noinfo_noreturn$SleepTimetime
                              • String ID: $-> %s$Could not register the FW. Error $IDS_FW_TITLE$fw_reporter::register_to_wsc
                              • API String ID: 2952592024-3007436920
                              • Opcode ID: 3f54c649f8fcfa5c4f86e6c7d27bab7be760ed0eea7eba6aee5632726ddef843
                              • Instruction ID: ebef7a2f7ff828bb5c51130c577fd02287d75b3d9b4b8954fee62be8836b3c29
                              • Opcode Fuzzy Hash: 3f54c649f8fcfa5c4f86e6c7d27bab7be760ed0eea7eba6aee5632726ddef843
                              • Instruction Fuzzy Hash: 34D1C332F0AB8285FB109F64D4603A97366FB843A4F581135EA5D67BAADF3EE440C345
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: String$AllocFree_invalid_parameter_noinfo_invalid_parameter_noinfo_noreturn$SleepTimetime
                              • String ID: $-> %s$Could not register the AS. Error $IDS_AS_TITLE$as_reporter::register_to_wsc
                              • API String ID: 2952592024-2187673994
                              • Opcode ID: 5aa622e8a7a953f584fbafc8961ad85c677f024204e564b65aff03ef48bad928
                              • Instruction ID: 309104fe87820a2643a930665ce3050c0fc5cfc4d7fecf384cccc39712754d0b
                              • Opcode Fuzzy Hash: 5aa622e8a7a953f584fbafc8961ad85c677f024204e564b65aff03ef48bad928
                              • Instruction Fuzzy Hash: 19D1B432B0AB8286FB10DF64E8603A97362FB843A4F541135EA5D67BA6DF3ED440C745
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: String$AllocFree_invalid_parameter_noinfo_invalid_parameter_noinfo_noreturn$SleepTimetime
                              • String ID: $-> %s$Could not register the AV. Error $IDS_AV_TITLE$av_reporter::register_to_wsc
                              • API String ID: 2952592024-1957661905
                              • Opcode ID: 0d3bead0090df1b2d5c048640118c740b4b58858774f6fabb0a4a1189ad23bd2
                              • Instruction ID: 6820a516eb60292c2599ba34b55b769cdb7cc3a97ac9d79b2ce7ad389bd482dc
                              • Opcode Fuzzy Hash: 0d3bead0090df1b2d5c048640118c740b4b58858774f6fabb0a4a1189ad23bd2
                              • Instruction Fuzzy Hash: 96D1C332F0AB8285FB10DF64D8602A97362FB843A4F581135EA5C63BA6DF7ED440C745
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Timetime$_invalid_parameter_noinfo$CloseMtx_unlockSleep
                              • String ID: $ $ $-> %s$win_fw_ownership::uninitialize$win_fw_ownership::uninitialize_reg_key_handle$win_fw_ownership::uninitialize_serial_execution
                              • API String ID: 1893202648-1962513574
                              • Opcode ID: 78c919633e411219137631ccf637b5f84ba7f946e5d429706a70e5c271a9bc0f
                              • Instruction ID: ad43abcbf92391a2d0df41a9da384614cbc50a4d17cb1fa68103232d3d8609af
                              • Opcode Fuzzy Hash: 78c919633e411219137631ccf637b5f84ba7f946e5d429706a70e5c271a9bc0f
                              • Instruction Fuzzy Hash: E3C14E32B0AA8186F7109F64E8602E97371FB84764F541236EAAC537EADF3ED505C784
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn
                              • String ID:
                              • API String ID: 3668304517-0
                              • Opcode ID: 3a0695dc0ea66f419115a30f779f12246e5b48f10f266243b57493d921795b00
                              • Instruction ID: 826a17d939ff241fa48b3c4693d7e22c244ea919d719e96489f2a9f5e6a37962
                              • Opcode Fuzzy Hash: 3a0695dc0ea66f419115a30f779f12246e5b48f10f266243b57493d921795b00
                              • Instruction Fuzzy Hash: 9581E322B5AB8A86FA119B64D4A52FC33A2FB02744F486831DA4E57787EF3DE141C304
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Time_invalid_parameter_noinfotime$AddressLibraryLoadProcSleep_invalid_parameter_noinfo_noreturn
                              • String ID: $-> %s$BdCreateObject$Could not initialize servmain.$ServMain$\framework.dll$process_with_framework::OnStarting
                              • API String ID: 2489748767-3077556766
                              • Opcode ID: d9779f89f649f2a39f430317bb5bef76cb141a5cad631309f5fe9e563c0a320a
                              • Instruction ID: 098d3cc6410307a77db088bdd8230177268af0a049b4f1737d6137f38009dbea
                              • Opcode Fuzzy Hash: d9779f89f649f2a39f430317bb5bef76cb141a5cad631309f5fe9e563c0a320a
                              • Instruction Fuzzy Hash: FAC1B232B0AB8189FB10DF24E8603A973A1FB447A4F581136EA4D57BAADF3ED445C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Timetime$ErrorLastObjectSingleWait_invalid_parameter_noinfo
                              • String ID: $ $-> %s$WaitForSingleObject failed$process_with_framework::OnStarting$process_with_framework::framework_thread$process_with_framework::uninitialize_framework
                              • API String ID: 3884842641-2876963218
                              • Opcode ID: b0fd510dfd83726c5f7d92340812d5a1c7fed6011f2657e5fcc90ddfc905a889
                              • Instruction ID: 8a573ceda17e49d04614ac6d634ce5ec4b71c529b1c9d46181ac765c64f5c844
                              • Opcode Fuzzy Hash: b0fd510dfd83726c5f7d92340812d5a1c7fed6011f2657e5fcc90ddfc905a889
                              • Instruction Fuzzy Hash: 18B19132A09B8186F7109F64E8602EAB3B1FB84364F541236EA5C637E6DF3DD545CB44
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Library$AddressLoadProc$ErrorFreeLastPathRelative_invalid_parameter_noinfo_noreturn
                              • String ID: BdCreateObject$BdDestroyObject$msgbus
                              • API String ID: 4157416513-830720807
                              • Opcode ID: 44be42c1eda9b7e4e300cf907ff0301a0de82d6b0cc76884df480238db7c6da5
                              • Instruction ID: 766a2157178c32fe6ca5e178c2b56c8692e6d791ec35d3d49d3e78c09c5f0218
                              • Opcode Fuzzy Hash: 44be42c1eda9b7e4e300cf907ff0301a0de82d6b0cc76884df480238db7c6da5
                              • Instruction Fuzzy Hash: 37F18F32F1AB8181FB14CF21E5602AD7366FB99B84F146236EA8D13B56DF39D1A0C344
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
                              • String ID: parse error$parse_error
                              • API String ID: 1944019136-1820534363
                              • Opcode ID: 416bca92a00322410df6f5d7a162c09b635c771667511bb68b818cafd0379067
                              • Instruction ID: c22015a64d6798b1f68ec5bfa942c4a78bed596fe2864e3ad6b912bcd6a1b195
                              • Opcode Fuzzy Hash: 416bca92a00322410df6f5d7a162c09b635c771667511bb68b818cafd0379067
                              • Instruction Fuzzy Hash: 93B18162F19B8586FB008B64D5543AD6362FB857A4F146631EAAC13BDBDF79E090C308
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: CloseHandleService$ErrorExceptionFileHeaderLastManagerOpenRaise
                              • String ID: OpenSCManager failed$vsserv$wscsvc
                              • API String ID: 936445003-1012139206
                              • Opcode ID: 7ff01f6cf5a91581daaab4c8572c40911cdb14b019d737ace7d93a0aca280411
                              • Instruction ID: af0e34faaeaac78041781a767e60201675cd83805619a73c32f42a9ff94069b6
                              • Opcode Fuzzy Hash: 7ff01f6cf5a91581daaab4c8572c40911cdb14b019d737ace7d93a0aca280411
                              • Instruction Fuzzy Hash: 1E416E3260AB8686FB648F50F4602A9B3A6FF88784F445136DB8D23B99DF3DD445C704
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA362B3EC
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $ with product being $-> %s$Could not update the AV status. Error $Updating AV status to $av_reporter::update_status$out of date.$up to date.
                              • API String ID: 3860382505-3275023622
                              • Opcode ID: 7564216f214083892a1db532f7371c0de2b45ca51b7c98749f407ca7c056fbf1
                              • Instruction ID: 6f72076a616aea62d59e50a7d349643c56d71d4316af78240134479485c1a7d0
                              • Opcode Fuzzy Hash: 7564216f214083892a1db532f7371c0de2b45ca51b7c98749f407ca7c056fbf1
                              • Instruction Fuzzy Hash: 45F1AF32F0AB828AF7209F64D8602E973A1FB84354F591135EA8C677AADF3ED544C744
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3622A38
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $ with product being $-> %s$Could not update the AS status. Error $Updating AS status to $as_reporter::update_status$out of date.$up to date.
                              • API String ID: 3860382505-2482948482
                              • Opcode ID: 54ba69bc15be2b64317fb8a3cd9d084990752b843e3636c7ef008cf3557d65a9
                              • Instruction ID: 2910fbc49296d7b20d246e55ad1c162941e599089bc5b66ac455b0bc72f53d4e
                              • Opcode Fuzzy Hash: 54ba69bc15be2b64317fb8a3cd9d084990752b843e3636c7ef008cf3557d65a9
                              • Instruction Fuzzy Hash: 65F1F232F0AB8289F760DF64E8602E973A1FB84354F591135EA8C677AADF3AD144C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ErrorLast$ByteCharMultiWide_invalid_parameter_noinfo_noreturn
                              • String ID: bad expected access
                              • API String ID: 3321244224-1948654898
                              • Opcode ID: 199932c534dae117789480bc914c6f8426ffe252d6ab482e98539dca23a69e36
                              • Instruction ID: 31936d3a532d83bd11d1c52ef351c3aaf8e4819829c0909cc3cffa22be869f6e
                              • Opcode Fuzzy Hash: 199932c534dae117789480bc914c6f8426ffe252d6ab482e98539dca23a69e36
                              • Instruction Fuzzy Hash: 2CA19122B0DBC185F7218F24E5517AAB3A6FB85794F446230DADD12B9ADF3DE090C704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLibrary$FileFreeLoadModuleName
                              • String ID: dll::get_foldername failed$wsccommunicator.exe$wsccommunicator_ls.exe
                              • API String ID: 526934879-1203451368
                              • Opcode ID: 6b40404dc2677805007f6ea50f45f730d4979c1436e105076224644d8c726bfb
                              • Instruction ID: 3adaf23fa887afb45e8f2186640ebf7fb89b32933e48ea27104135f9642dc989
                              • Opcode Fuzzy Hash: 6b40404dc2677805007f6ea50f45f730d4979c1436e105076224644d8c726bfb
                              • Instruction Fuzzy Hash: 10819463F19B8285FB00CB74D4543AC6372AB48798F946235DE5D227DAEF39E185C318
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy
                              • String ID:
                              • API String ID: 1346393832-0
                              • Opcode ID: fa51efe5f2010e1a82482f6b4b1f754bccd2dea221ff92413f9fbc106d1ba2b4
                              • Instruction ID: 72e1a90c48219b0005f024f73ac3b5fe52a3bdd36c0a1b72fdc340be9ea1ea4b
                              • Opcode Fuzzy Hash: fa51efe5f2010e1a82482f6b4b1f754bccd2dea221ff92413f9fbc106d1ba2b4
                              • Instruction Fuzzy Hash: A7412473B466854AFB10DB64D8653EC33A2EF42364F586A31D66C577C7DE3AA181C204
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn$ErrorFileLastModuleName
                              • String ID: Error getting iservconfig$IServConfig.dll$bd::process_broker::detail::get_string_from_servconfig$common$error getting process folder. error=
                              • API String ID: 1728480589-938094522
                              • Opcode ID: ae62af4fb7d29ec10ee398fff82391fc244cbfc0930d203a41930526e51e8138
                              • Instruction ID: 62f2e0c38554219596612a27e2b7d1d173c6a1270203831bee5d730b18cce0dd
                              • Opcode Fuzzy Hash: ae62af4fb7d29ec10ee398fff82391fc244cbfc0930d203a41930526e51e8138
                              • Instruction Fuzzy Hash: BF027132B0AB8289FB208F24D8603E97362FB84754F585235DA5D57BA6DF3DE184C748
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskFormatMessage
                              • String ID: erro$own $unkn
                              • API String ID: 1937444189-2970004082
                              • Opcode ID: fe37f5df9135234981d793a91c79c77feff6fd05566f16afddceff7320d24bfa
                              • Instruction ID: b2def8154a197cbfddf35f9aae361b4bcff10d8071e35f17181b820a7569662c
                              • Opcode Fuzzy Hash: fe37f5df9135234981d793a91c79c77feff6fd05566f16afddceff7320d24bfa
                              • Instruction Fuzzy Hash: 8BD10462F16B818AFB00CFA4D0503AD33A2EB44B98F489631DE5D27B8ADF79D150C348
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3647B33
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA364801A
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTime_invalid_parameter_noinfo_noreturntime
                              • String ID: $-> %s$Could not load the WSC command communication provider. Error: $windows_security_center_integration_epaas_module::Init$windows_security_center_integration_epaas_module::initialize_provider$wsc_command_communication_provider
                              • API String ID: 983007448-3226922569
                              • Opcode ID: 6dd12f439abc15fe964ad3927eaf5e608f2144eb0b24ddd0ca7587a8c5a93a9a
                              • Instruction ID: 9d2197bac00fccffdefd650963140dc618e6f2cf73d1a3315778567eb447e706
                              • Opcode Fuzzy Hash: 6dd12f439abc15fe964ad3927eaf5e608f2144eb0b24ddd0ca7587a8c5a93a9a
                              • Instruction Fuzzy Hash: 01E1CE32B0AB8189F720CF24D8603E973A2FB84754F586636DA9C57BAADF39D544C704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: AddressErrorLastProc$_invalid_parameter_noinfo_noreturn
                              • String ID: epaas_event_create$epaas_event_create_with_data$failed dll::get_proc
                              • API String ID: 3565339470-4029432076
                              • Opcode ID: f35edf6ea7f087a8521dfd72ba4a4fb286c442f722f3dba73420b6c85fc10883
                              • Instruction ID: acbb13efe6603dff9d39e544f62460096d9322e3f2e19e301a8bff65026189b9
                              • Opcode Fuzzy Hash: f35edf6ea7f087a8521dfd72ba4a4fb286c442f722f3dba73420b6c85fc10883
                              • Instruction Fuzzy Hash: 58C1D422F1AA8195FB10DF20D9613FD2762FB90788F486131E64D56BABDF3AD584C304
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ConditionInfoMaskSleepVerifyVersion_invalid_parameter_noinfo_noreturn
                              • String ID: -> %s$Could not get the WSC Reporter plugin. Error $wsc_reporter$wsc_reporter_lite$wsc_status_communication_provider::initialize_plugins
                              • API String ID: 3616022532-3936918023
                              • Opcode ID: 3861e360669326861a047be76828ae2dda4a7c95a1be06cec1553f7effb2c8c9
                              • Instruction ID: 6c6f3583282272931fe9ffc5bc03835d56638c44607ba9031ddc149396272ad5
                              • Opcode Fuzzy Hash: 3861e360669326861a047be76828ae2dda4a7c95a1be06cec1553f7effb2c8c9
                              • Instruction Fuzzy Hash: 9FC19132B0ABC185F710CF24D8502E977A2FB84794F586235EA8D63BAADF39D594C344
                              APIs
                              • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA366CC5D
                              • timeGetTime.WINMM ref: 00007FFDA366CCAA
                                • Part of subcall function 00007FFDA366D610: VerSetConditionMask.KERNEL32 ref: 00007FFDA366D690
                                • Part of subcall function 00007FFDA366D610: VerifyVersionInfoW.KERNEL32 ref: 00007FFDA366D6A5
                              • timeGetTime.WINMM ref: 00007FFDA366CE24
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Time_invalid_parameter_noinfotime$ConditionInfoMaskSleepVerifyVersion_invalid_parameter_noinfo_noreturn
                              • String ID: $ $-> %s$wsc_status_communication_provider::Init$wsc_status_communication_provider::UnInit
                              • API String ID: 3618919098-3628384323
                              • Opcode ID: 1828beefddfd6a7da68983724431a8efb2056a0fba9a559c96bd1f5a960aeae8
                              • Instruction ID: 05c40dfea2cbb3db4941844ec1c14641bf2c8f0aa7ca311c65545c88209a8644
                              • Opcode Fuzzy Hash: 1828beefddfd6a7da68983724431a8efb2056a0fba9a559c96bd1f5a960aeae8
                              • Instruction Fuzzy Hash: 36B1A232B0AB8182E714DF24E4602A973B5FB847A4F581236EA6C53BEADF3DD451C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn$ErrorFileLastModuleName
                              • String ID: epaas.dll$failed this_process::get_foldername
                              • API String ID: 1728480589-1154533728
                              • Opcode ID: 91669a5fd5e4368ce2fd3eaae389562ee5505e5cea8849cbd7a2da96dddb8c7d
                              • Instruction ID: bb9ce73b28b808bf8cdedb9de2096f02d977e94d05b3e7a30291f1cdc6224870
                              • Opcode Fuzzy Hash: 91669a5fd5e4368ce2fd3eaae389562ee5505e5cea8849cbd7a2da96dddb8c7d
                              • Instruction Fuzzy Hash: 5C91D062F16B8285FB00CB68D0643AC2373EB45798F146635DB5C26BDAEF79E181C348
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn$ErrorFileLastModuleName
                              • String ID: bad variant access$msgbus.dll
                              • API String ID: 1728480589-911574694
                              • Opcode ID: 9aca3b6a198271867d844df5546ec48c895694f13508a8eb9d48f467f1064ace
                              • Instruction ID: 55dcd0df36191c754a5c3b9b5c91b9e6bec0d33eeaaf9505d8fca3c7e5122a80
                              • Opcode Fuzzy Hash: 9aca3b6a198271867d844df5546ec48c895694f13508a8eb9d48f467f1064ace
                              • Instruction Fuzzy Hash: 3E81E962F56B4295FF008FA8D1643ED2333AB457A8F546631DA5C27BDAEE79D040C348
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Time_invalid_parameter_noinfotime$SleepUninitialize
                              • String ID: $ $-> %s$wsc_reporter_lite::Init$wsc_reporter_lite::UnInit
                              • API String ID: 2536955799-2558291676
                              • Opcode ID: 3eac60b87573a1ee8259235ef3974c3544ebc7591d51e4324a01c7731e10db88
                              • Instruction ID: a14ac1361470a598a1b84575ac47ed858d1b54fae1d02b2b48580f02174ac504
                              • Opcode Fuzzy Hash: 3eac60b87573a1ee8259235ef3974c3544ebc7591d51e4324a01c7731e10db88
                              • Instruction Fuzzy Hash: E491A532A0AB8186F710DF24E8602EAB3A1FB84764F181236EA5C537E6DF3DD555C784
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3637092
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                              • timeGetTime.WINMM ref: 00007FFDA36371EE
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Time_invalid_parameter_noinfotime$Sleep
                              • String ID: $ $-> %s$WinFwInitialStat$win_fw_ownership::get_saved_win_fw_status$win_fw_ownership::initialize
                              • API String ID: 3401150693-4235453999
                              • Opcode ID: a1bdf50822853fcbec58afbaf5d6af9d047b736414894512d097fe1b8483bf72
                              • Instruction ID: d6ab37087845f81a26c38afc29e897bd82de9428fb4f584a240bd3f2617c7c6f
                              • Opcode Fuzzy Hash: a1bdf50822853fcbec58afbaf5d6af9d047b736414894512d097fe1b8483bf72
                              • Instruction Fuzzy Hash: DA817532B0AA8186F610DF64E8602EA7362FB84364F541236EA6C677E7DF3DD505CB44
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: CloseHandleService$_invalid_parameter_noinfo$SleepTimeUninitializetime
                              • String ID: $-> %s$wsc_reporter::UnInit
                              • API String ID: 2139385379-932292110
                              • Opcode ID: f17eadbe270215ee2c13b7366708e4be6275c4e30f226556801d92fcf5d58cff
                              • Instruction ID: b20d6fe2c10f3eb2ec81f469e8092ca6677432a80bcb682f0114f4465a73099c
                              • Opcode Fuzzy Hash: f17eadbe270215ee2c13b7366708e4be6275c4e30f226556801d92fcf5d58cff
                              • Instruction Fuzzy Hash: F2518F32B0AB4186F7109F20E4A02AA73B6FB88B50F585535DA8D637AACF3ED445C744
                              APIs
                                • Part of subcall function 00007FFDA3642E70: FreeLibrary.KERNEL32(?,?,?,00007FFDA36430CF,?,?,?,?,?,?,?,00007FFDA36400D8), ref: 00007FFDA3642EB6
                              • LoadLibraryW.KERNEL32(?,?,?,?,00000000,00007FFDA3664F7A), ref: 00007FFDA366524E
                              • PathIsRelativeW.SHLWAPI(?,?,?,?,00000000,00007FFDA3664F7A), ref: 00007FFDA3665260
                              • LoadLibraryExW.KERNEL32(?,?,?,?,00000000,00007FFDA3664F7A), ref: 00007FFDA3665273
                              • GetLastError.KERNEL32(?,?,?,?,00000000,00007FFDA3664F7A), ref: 00007FFDA3665286
                              • GetProcAddress.KERNEL32(?,?,?,?,00000000,00007FFDA3664F7A), ref: 00007FFDA36652A2
                              • GetProcAddress.KERNEL32(?,?,?,?,00000000,00007FFDA3664F7A), ref: 00007FFDA36652BC
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Library$AddressLoadProc$ErrorFreeLastPathRelative
                              • String ID: BdCreateObject$BdDestroyObject
                              • API String ID: 1444712439-1744982320
                              • Opcode ID: dc053092d03d5bd963f6869455ca7e82ba9137485827cba472e43f15c412c843
                              • Instruction ID: 6f25d364d97eec1c1f182f77de30b4a84181a1409d19ba2ba8cd8891d7a2b181
                              • Opcode Fuzzy Hash: dc053092d03d5bd963f6869455ca7e82ba9137485827cba472e43f15c412c843
                              • Instruction Fuzzy Hash: 06319536B0AF4292FA18CB16E56016933A2FF58BD4B485130DB5D67756EF3EE4648308
                              APIs
                                • Part of subcall function 00007FFDA3626BD0: VerSetConditionMask.KERNEL32 ref: 00007FFDA3626C34
                                • Part of subcall function 00007FFDA3626BD0: VerSetConditionMask.KERNEL32 ref: 00007FFDA3626C43
                                • Part of subcall function 00007FFDA3626BD0: VerSetConditionMask.KERNEL32 ref: 00007FFDA3626C52
                                • Part of subcall function 00007FFDA3626BD0: VerifyVersionInfoW.KERNEL32 ref: 00007FFDA3626C73
                              • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA367DFD2
                              • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA367DFD8
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ConditionMask$_invalid_parameter_noinfo_noreturn$InfoVerifyVersion
                              • String ID: Could not load the WSC collector. Error $Could not load the WSC communicator launcher. Error $wsc_collector$wsc_communicator_launcher$wsc_loader::initialize_plugins
                              • API String ID: 34692979-100609096
                              • Opcode ID: d7e379da93dedaf55f5f38e2e62bbd85a05fc441ebe424c361c8ce7d88feade1
                              • Instruction ID: a8eb4d7bdebc20851e7a57bcf52f95f015bd41840ed7cf77d8cfdc72091ebdd3
                              • Opcode Fuzzy Hash: d7e379da93dedaf55f5f38e2e62bbd85a05fc441ebe424c361c8ce7d88feade1
                              • Instruction Fuzzy Hash: 6BE18032B0AB8189FB218F24D8603E97362FB84754F581631EA4D677AADF3ED545C704
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3667847
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$IIgAl::GetSettings failed with error code $Invalid IGAL plugin pointer$wsc_collector::register_listeners$wsc_collector::report_current_firewall_status
                              • API String ID: 3860382505-1881030535
                              • Opcode ID: 522250c4681d116bae8c38f621cf5f72eea7dcf3312be042d040c4620c38ae87
                              • Instruction ID: e68787048a83a49589da5a21239c9858fbdd711613dac423563fd8e403d9de1c
                              • Opcode Fuzzy Hash: 522250c4681d116bae8c38f621cf5f72eea7dcf3312be042d040c4620c38ae87
                              • Instruction Fuzzy Hash: 89D1C432B0AB818AF710CF24D8602E977A2FB84394F581235EA4C53BAADF3ED551C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn
                              • String ID: D:\bamboo\home\xml-data\build-dir\WSP-MASTER-SOURCES\3rdparty\tinyxml\tinyxpath\tokenlist.h$D:\bamboo\home\xml-data\build-dir\WSP-MASTER-SOURCES\3rdparty\tinyxml\tinyxpath\xml_util.cpp$XEp_elem$XNp_parent$false$ltp_current
                              • API String ID: 3668304517-605504345
                              • Opcode ID: 4f266d2010113c84efd834de4e1d5dd0e01108943c43574cdffa9b335d2dfc5c
                              • Instruction ID: da4837b754daa83d43d4d1b784b832875164bac5bf079d61d0134f39bbf50881
                              • Opcode Fuzzy Hash: 4f266d2010113c84efd834de4e1d5dd0e01108943c43574cdffa9b335d2dfc5c
                              • Instruction Fuzzy Hash: FFA19F32F0AA8286FA109F15E460269A3B2FF44B84F5C6531EA4D17796DF3EE851C748
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA368290B
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $ $-> %s$Could not enque the report_protection_service_stopped task. Error: $report_protection_service_stopped$wsc_reporter::on_protection_service_stopped
                              • API String ID: 3860382505-2311478399
                              • Opcode ID: 18b5a6feeded1b9fcb0d7f75c7ac7bbd0fe267a423a50c80c300db5a12d9e6c8
                              • Instruction ID: 34383a5438442431c9497ae31c3fb4028333531931bb139bcb71b80c800694ae
                              • Opcode Fuzzy Hash: 18b5a6feeded1b9fcb0d7f75c7ac7bbd0fe267a423a50c80c300db5a12d9e6c8
                              • Instruction Fuzzy Hash: 18B1E332B0AB8186F710DF24E8602AA77B1FB88354F585535EA8D63BA6DF3ED440C744
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3687098
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                              • _Xtime_get_ticks.LIBCPMT ref: 00007FFDA3687324
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                                • Part of subcall function 00007FFDA36A5DF0: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,Product,00007FFDA3643D13,?,?,?,00007FFDA362102E), ref: 00007FFDA36A5E34
                                • Part of subcall function 00007FFDA36A5DF0: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,Product,00007FFDA3643D13,?,?,?,00007FFDA362102E), ref: 00007FFDA36A5E7A
                              • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA36873F7
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$ExceptionFileHeaderRaiseSleepTimeXtime_get_ticks_invalid_parameter_noinfo_noreturntime
                              • String ID: $-> %s$status$wsc_telemetry::post_update_status_result
                              • API String ID: 730741297-1854541697
                              • Opcode ID: 1c1bb5b513cdb7dc6a698070e973ffa167764fea815587d619bae1acdca8004a
                              • Instruction ID: b6168e53da76844556e100a85611e1e657ce2a6eb4f802986a4630d824532a81
                              • Opcode Fuzzy Hash: 1c1bb5b513cdb7dc6a698070e973ffa167764fea815587d619bae1acdca8004a
                              • Instruction Fuzzy Hash: 06A1C232B0AA8282FA20DB14D4602E97362FB84764F582236DA5D27BD7CF7EE545C744
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA363C674
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                              • RegGetValueW.ADVAPI32 ref: 00007FFDA363C7BA
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimeValuetime
                              • String ID: $-> %s$Could not get the firewall status from Registry. Error: $win_fw_ownership::enable_win_fw$win_fw_ownership::get_fw_status_from_registry
                              • API String ID: 2975554297-3056843409
                              • Opcode ID: 205199fad46d4e3bf43b18355f7d22d29dc6205572f5b6452671f18204602200
                              • Instruction ID: ff18c7064b98b228c43338fb792e94ba1b53f3633c26b0ed8bf7b73a4d0c3e73
                              • Opcode Fuzzy Hash: 205199fad46d4e3bf43b18355f7d22d29dc6205572f5b6452671f18204602200
                              • Instruction Fuzzy Hash: 6E91B432B0AB8186F700DF64E8602AA77A1FB80364F181235EA5C63BA6DF3DD545CB44
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterLeave_invalid_parameter_noinfo_noreturn
                              • String ID: wsc_loader
                              • API String ID: 2008198395-3143197780
                              • Opcode ID: 654c792830c7d8b34ae1c85ab842095d36b6814a8de4d16c6e97593fa6d73a9a
                              • Instruction ID: a6e3cf0beb61a59936f1b982af51d6a418983b618c14b8641eb52332e986cf2e
                              • Opcode Fuzzy Hash: 654c792830c7d8b34ae1c85ab842095d36b6814a8de4d16c6e97593fa6d73a9a
                              • Instruction Fuzzy Hash: F871B462F0AB5181FA109B19E15436AE362FB85BE4F581231EE9C17BDACF3ED441C704
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA363C9B4
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                              • RegSetKeyValueW.ADVAPI32 ref: 00007FFDA363CAF1
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimeValuetime
                              • String ID: $-> %s$Could not save the firewall status. Error: $win_fw_ownership::enable_win_fw$win_fw_ownership::save_fw_status_to_registry
                              • API String ID: 2975554297-4178297072
                              • Opcode ID: d1d98abd7246e2b33a9a3dd179ad4be05434b771950c170a6ecf856e5bcec316
                              • Instruction ID: 260f6986c01ad87c2f15548aaf527a3dc98da8509961526a8c756d0f5df84314
                              • Opcode Fuzzy Hash: d1d98abd7246e2b33a9a3dd179ad4be05434b771950c170a6ecf856e5bcec316
                              • Instruction Fuzzy Hash: 9F91C532B0AB818AF710DF60E8602AA77B1FB85364F181131EA5D637AADF3ED445C744
                              APIs
                                • Part of subcall function 00007FFDA36529B0: timeGetTime.WINMM ref: 00007FFDA36529D6
                              • AllowSetForegroundWindow.USER32 ref: 00007FFDA3652C26
                              • timeGetTime.WINMM ref: 00007FFDA3652C5B
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA3652E41
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Time_invalid_parameter_noinfotime$AllowForegroundSleepWindow_invalid_parameter_noinfo_noreturn
                              • String ID: $-> %s$bd::process_broker::client::spawn_process_with_current_params${B581F4B2-146B-4F1D-BB59-601B5B6317E1}
                              • API String ID: 3792124684-2932271592
                              • Opcode ID: 8b586c7bb465fcef06e8ef43a0a8698d56b1711a4c2cf49b4d84c09c8bca2f83
                              • Instruction ID: 7c55c7bec814d0263b74ca05710c019468dd5e290166ebf78e52a04f0fa03a97
                              • Opcode Fuzzy Hash: 8b586c7bb465fcef06e8ef43a0a8698d56b1711a4c2cf49b4d84c09c8bca2f83
                              • Instruction Fuzzy Hash: 7A81A272B0A78285FB109B64E4602EA73A2FB85754F582532EA4D23B9BDF3ED444C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Value
                              • String ID: subkey $ value $; err=$helpers::write_last_timestamp_to_reg$timestamp$write to reg
                              • API String ID: 3702945584-919870011
                              • Opcode ID: 389daa563466a678f6008a048938189431849e5e6847bc5282006c564ac126f0
                              • Instruction ID: 9a4ce00b4fd8fe3fb9e203d87a9b6ea9f18cb7581c1c1652690800c23a0322af
                              • Opcode Fuzzy Hash: 389daa563466a678f6008a048938189431849e5e6847bc5282006c564ac126f0
                              • Instruction Fuzzy Hash: 2581B372F1AB9186F710CB64E4602A973B1FB44790F482036EA8D2779AEF3DD554CB44
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA36654CA
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                              • timeGetTime.WINMM ref: 00007FFDA3665644
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Time_invalid_parameter_noinfotime$Sleep
                              • String ID: $ $-> %s$wsc_collector::Init$wsc_collector::UnInit
                              • API String ID: 3401150693-305415645
                              • Opcode ID: ea9f50994fce6166715aa6095206c5224fd343725d49a107a64dbbf1486f725f
                              • Instruction ID: e12ad6f02da87d12826248eda1f8b13ce809f5d2b23c542f8fbaa2b2b077925f
                              • Opcode Fuzzy Hash: ea9f50994fce6166715aa6095206c5224fd343725d49a107a64dbbf1486f725f
                              • Instruction Fuzzy Hash: EF81B832A0AB8186F710DF24E8602A9B3B5FB44764F541236E65C537E6DF3DD511C784
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn$Value
                              • String ID: .DEFAULT\Software\SetID$.txtui$wslibsite_lang
                              • API String ID: 3517525675-3839206562
                              • Opcode ID: f9cb2c4da37a3064234e84cd4e132fea7bf15764a73ba96a3f13e2211f47af40
                              • Instruction ID: 2b16fd30416705ae4a4ab18c14bc37e71d4b5cb54aa645134de5cd5c0812bd1a
                              • Opcode Fuzzy Hash: f9cb2c4da37a3064234e84cd4e132fea7bf15764a73ba96a3f13e2211f47af40
                              • Instruction Fuzzy Hash: A7817F72B09BC181EB648F10E4507AAB3A5FB84784F64A135DBDC52B9ADF3DE094CB04
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Value
                              • String ID: subkey $ value $; err=$count$helpers::write_restart_count_to_reg$write to reg
                              • API String ID: 3702945584-1862470528
                              • Opcode ID: c58c57cdde11ca6df5531af15edf1e2210cd05d85fbc9f109b6aeeb3976ea8c1
                              • Instruction ID: e65c196152e4e9caf3e7037c2612a349830733f36d1f286637502ec2a5b126fe
                              • Opcode Fuzzy Hash: c58c57cdde11ca6df5531af15edf1e2210cd05d85fbc9f109b6aeeb3976ea8c1
                              • Instruction Fuzzy Hash: 3381A432F1AB8285F710CB60E4A01ADB7B5FB84354F482136EA4D227AAEF7ED445C744
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA366D1C7
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                              • timeGetTime.WINMM ref: 00007FFDA366D302
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Time_invalid_parameter_noinfotime$Sleep
                              • String ID: $ $-> %s$wsc_status_communication_provider::Start$wsc_status_communication_provider::Stop
                              • API String ID: 3401150693-3688800006
                              • Opcode ID: 3eda71225bca69205ed40007909907772de0e5f451e9dfb48f33fcd1e75fc7ff
                              • Instruction ID: ad29bfa4a19abf3ce2977800f8590d461251f47f37d09dfac71f5f51500f80c6
                              • Opcode Fuzzy Hash: 3eda71225bca69205ed40007909907772de0e5f451e9dfb48f33fcd1e75fc7ff
                              • Instruction Fuzzy Hash: 54719632A0A78186F210DB64E8602EAB3B5FB84374F541235E66C63BE6CF7ED511CB44
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3662441
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                              • timeGetTime.WINMM ref: 00007FFDA366255D
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Time_invalid_parameter_noinfotime$Sleep
                              • String ID: $ $-> %s$wsc_command_communication_provider::Stop$wsc_command_communication_provider::uninitialize_communication
                              • API String ID: 3401150693-4186254922
                              • Opcode ID: a5d0f8f59e4df3b9ca345a03a2ee0a0f5bc58de34e2f56eebc6815ac7abc1eba
                              • Instruction ID: 67f5a7fd95d1a34af0ff9f7e5940846210e39b93f9164012539166f761a19a70
                              • Opcode Fuzzy Hash: a5d0f8f59e4df3b9ca345a03a2ee0a0f5bc58de34e2f56eebc6815ac7abc1eba
                              • Instruction Fuzzy Hash: 18718232A0AB8186F710DB64E8602EAB371FB84360F541236E6AC53BE6CF7DD555CB44
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID:
                              • String ID: .txtui
                              • API String ID: 0-459513690
                              • Opcode ID: 66f1a5cbfdf14cbc94babeaf27d2cf27372b4f5fa7ffc97c689dde069f95ce8e
                              • Instruction ID: 8821c2f0f1d42dd89308e098a1fb52a3f73640e4591ac2d65398b47444799512
                              • Opcode Fuzzy Hash: 66f1a5cbfdf14cbc94babeaf27d2cf27372b4f5fa7ffc97c689dde069f95ce8e
                              • Instruction Fuzzy Hash: 1C51E422F5AB8284FB009B64D4512ED6372EB85798F147235EA4C27B9BDE7DE085C308
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ExclusiveLock_invalid_parameter_noinfo$AcquireReleaseSleepTimetime
                              • String ID: $-> %s$update_requested$windows_security_center_integration_epaas_module::UpdateRequested
                              • API String ID: 344959351-869077612
                              • Opcode ID: 114efd3277e189440ff2b4f90b75c36e93e6d5e2bec58b093553c6cdc8119e87
                              • Instruction ID: 093900a8f8ac3a81f02e71b53af178584f86d45bd4b4911507d4ea85345df2c2
                              • Opcode Fuzzy Hash: 114efd3277e189440ff2b4f90b75c36e93e6d5e2bec58b093553c6cdc8119e87
                              • Instruction Fuzzy Hash: 96518E32B09B4186E710DB15E4602AA73B1FB84760F581232EA6C53BE6DF3EE955C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ExclusiveLock_invalid_parameter_noinfo$AcquireReleaseSleepTimetime
                              • String ID: $-> %s$launch_requested$windows_security_center_integration_epaas_module::LaunchRequested
                              • API String ID: 344959351-289789384
                              • Opcode ID: 87e8ecf2b84af2056b5f3adadd7f9a7212f11f279d080ec78461a9ea8c13f4bc
                              • Instruction ID: 5d55961bd01e3d54ac7babe2700860290422e216f56c4d05323a2b8e68f17810
                              • Opcode Fuzzy Hash: 87e8ecf2b84af2056b5f3adadd7f9a7212f11f279d080ec78461a9ea8c13f4bc
                              • Instruction Fuzzy Hash: E651A132B09B4186F710DB14E8602AA7371FB84760F581232EA6C53BE6DF3EE445CB44
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ExclusiveLock_invalid_parameter_noinfo$AcquireReleaseSleepTimetime
                              • String ID: $-> %s$enable_requested$windows_security_center_integration_epaas_module::EnableRequested
                              • API String ID: 344959351-1796317626
                              • Opcode ID: 673f775a522c8086126d23ea30616664a90104d399c11e4bc6fb32072a1053af
                              • Instruction ID: 20e9c4f47d31146cd6472c7b1bd1d8b6af0ddea362758c7c77dc739454aa5e8c
                              • Opcode Fuzzy Hash: 673f775a522c8086126d23ea30616664a90104d399c11e4bc6fb32072a1053af
                              • Instruction Fuzzy Hash: 3F519032B09B8186F710DB54E4602AA73B1FB84760F581632EAAC53BE6DF3EE445C744
                              APIs
                              Strings
                              • i_entry >= 0 && i_entry < i_size, xrefs: 00007FFDA36B745B
                              • D:\bamboo\home\xml-data\build-dir\WSP-MASTER-SOURCES\3rdparty\tinyxml\tinyxpath\action_store.cpp, xrefs: 00007FFDA36B745C
                              • Assertion failed: %Ts, file %Ts, line %d, xrefs: 00007FFDA36B74C2
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ConsoleFileHandleTypeWriteswprintf
                              • String ID: Assertion failed: %Ts, file %Ts, line %d$D:\bamboo\home\xml-data\build-dir\WSP-MASTER-SOURCES\3rdparty\tinyxml\tinyxpath\action_store.cpp$i_entry >= 0 && i_entry < i_size
                              • API String ID: 2943507729-639025340
                              • Opcode ID: 275c85333dc90a2897370e1a260774358b835b0df6de12c223b147499d6e0288
                              • Instruction ID: 2ed66f7a20357d8c93237ec160188601fe79636d935fb60508cadf84f9984edf
                              • Opcode Fuzzy Hash: 275c85333dc90a2897370e1a260774358b835b0df6de12c223b147499d6e0288
                              • Instruction Fuzzy Hash: 8431A32274AA8241F7149F51E8252FAA7A6EF807A0F441235FA9D13BD7DF3DD4008B04
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA362B9AB
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                                • Part of subcall function 00007FFDA362D300: timeGetTime.WINMM ref: 00007FFDA362D338
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Time_invalid_parameter_noinfotime$Sleep
                              • String ID: -> %s$Could not update the AV scan substatus because the OS does not support the functionality.$Could not update the AV scan substatus. Error $Updating AV scan substatus to $av_reporter::update_scan_substatus
                              • API String ID: 3401150693-3466254839
                              • Opcode ID: ac179d91db86e2cd6b16f2864fbe6665279b984f53db6ae648f76a89ed51e0f5
                              • Instruction ID: 951a831d0ea1d6a6071fbc206cbebb607409a1772e3f3c0ba27f89c87572b37c
                              • Opcode Fuzzy Hash: ac179d91db86e2cd6b16f2864fbe6665279b984f53db6ae648f76a89ed51e0f5
                              • Instruction Fuzzy Hash: B412B132B0AB818AF720DF64D8A03E973A1FB44354F591135EA4C67BAADF3AD544CB44
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA362EA5A
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                                • Part of subcall function 00007FFDA3630390: timeGetTime.WINMM ref: 00007FFDA36303C8
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Time_invalid_parameter_noinfotime$Sleep
                              • String ID: $-> %s$Could not update the FW status. Error $Updating FW status to $fw_reporter::update_status
                              • API String ID: 3401150693-4173644015
                              • Opcode ID: f08d149d346e6429f3395bf654eded6f90730aed68fdc56189560ea3540e14e9
                              • Instruction ID: 481ddbeb2cb06c044ddb627782fd84c73f1d250f375b5fc2dd826dce4a36efa8
                              • Opcode Fuzzy Hash: f08d149d346e6429f3395bf654eded6f90730aed68fdc56189560ea3540e14e9
                              • Instruction Fuzzy Hash: CDE1C132B0AB818AF720DF64D8603E973A5FB84354F181135EA9C57BAADF3AD544C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn
                              • String ID: Could not get the communication bus.$Could not get the communication channel for actions.$cl.vsserv.actions$wsc_command_communication_peer::initialize_communication
                              • API String ID: 3668304517-4210707646
                              • Opcode ID: eac5298c6a2bf132becb2a13a293ba3635e334753fb71343cea2343d2a228263
                              • Instruction ID: 0a752c6d3201a14a9c0ba07ca868d6d901b1f8327b1e905cdb52569b618c6c50
                              • Opcode Fuzzy Hash: eac5298c6a2bf132becb2a13a293ba3635e334753fb71343cea2343d2a228263
                              • Instruction Fuzzy Hash: F1E19E32B0AB8189FB218F24D8603E933A1FB84B54F586535EA4D577A6DF3ED544C704
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 3215553584-0
                              • Opcode ID: fab40e3865fbef0f845fe55651978e9ae15812499dfb196ed1f5ec3b5694e902
                              • Instruction ID: b384493b7ffc7a02b422edd1332c3d4a84bcb0dae1ec341500d21021860e6aa1
                              • Opcode Fuzzy Hash: fab40e3865fbef0f845fe55651978e9ae15812499dfb196ed1f5ec3b5694e902
                              • Instruction Fuzzy Hash: E5C1F922B0D78641FA61AF1990202BE7B62FF81B84F5D6131E98E13793CE7EE455C709
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e243edfe9c1ecb22b8dfdbd050e3b87af6e0cd115bc1ee12b8b2719ceaf49fe4
                              • Instruction ID: 77b511798f2abde417fd1a56d9a95bfdd502d8c2c981d5a2dd80e3cbf9ec5a00
                              • Opcode Fuzzy Hash: e243edfe9c1ecb22b8dfdbd050e3b87af6e0cd115bc1ee12b8b2719ceaf49fe4
                              • Instruction Fuzzy Hash: 96B1DF22F1AB8545FB00CB64E1203AD2262EB457A8F586631DF6C23BD7DE39E095D348
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA36671F5
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                              • _Mtx_unlock.LIBCPMT ref: 00007FFDA366758A
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$Mtx_unlockSleepTimetime
                              • String ID: $-> %s$Could not register a listener for the Virus Shield settings. Error: $wsc_collector::register_listeners
                              • API String ID: 2549448539-432359578
                              • Opcode ID: 5aec1473090269d19904ca7371896a999fe43e2f7899e1637ac55089603bd2ad
                              • Instruction ID: 7d185732134919237b4463223a116dcf2e8f1e0e866636aacf555fb647d3b2ae
                              • Opcode Fuzzy Hash: 5aec1473090269d19904ca7371896a999fe43e2f7899e1637ac55089603bd2ad
                              • Instruction Fuzzy Hash: 96B1D332B0AB8286FB00DF25E4602E973A2FB80794F581135EA4D637AADF3ED455C744
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3631A11
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA3631DAD
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTime_invalid_parameter_noinfo_noreturntime
                              • String ID: $-> %s$Could not load Framework even after resolving symbolic links. Framework XML path: $process_with_framework::initialize_framework
                              • API String ID: 983007448-4003940238
                              • Opcode ID: 8d72eccabbfef7065867b8da9a33c166e825f2466b17c9611e3e5fcfa651227c
                              • Instruction ID: 8acc479fdf19470df6ee4e71047129af8328c7c85bf664409b47b4b9e11a7148
                              • Opcode Fuzzy Hash: 8d72eccabbfef7065867b8da9a33c166e825f2466b17c9611e3e5fcfa651227c
                              • Instruction Fuzzy Hash: 7AB19032B06B8186FB10DF24E8602A977A2FB857A4F541231EA5C53BAADF3ED445C744
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA36377FB
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                                • Part of subcall function 00007FFDA3628C20: timeGetTime.WINMM ref: 00007FFDA3628C76
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Time_invalid_parameter_noinfotime$Sleep
                              • String ID: $-> %s$Could not start the take ownership task. Error: $win_fw_ownership: take_ownership$win_fw_ownership::take_ownership
                              • API String ID: 3401150693-2323749783
                              • Opcode ID: 51a31c36d4acd964fa17619e5df03d2ce0c5b4d4f495eaeda9953af722d5f37c
                              • Instruction ID: 92c2e7b1e4ccd3e22005eaa5b5a1e5f20fd07b29f363fada475a5a5c80ae4f30
                              • Opcode Fuzzy Hash: 51a31c36d4acd964fa17619e5df03d2ce0c5b4d4f495eaeda9953af722d5f37c
                              • Instruction Fuzzy Hash: 27B1A232B0AB8186F710DF54E8602AA73B1FB84364F181635EA9D53BA6DF3EE544C744
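                               Each block above is one function record: a "$"-joined String ID, an API ID, opcode/instruction IDs and fuzzy hashes, plus optional APIs (with indented "Part of subcall function" children) and Strings (with xrefs). To pivot on that data across the whole report, for example to group functions by the `class::method` logging tags in their String IDs (wsc_*, av_reporter, fw_reporter, win_fw_ownership), the following Python parser is added here. It is not part of the Joe Sandbox report or its tooling: the record layout it assumes is only what is visible on this page, `FunctionEntry`, `parse_report` and `namespaces` are my own names rather than any Joe Sandbox API, and the embedded sample is a constructed excerpt of three records from this page trimmed to the lines the parser uses.

```python
"""Parse per-function records from a Joe Sandbox IDA-plugin listing.
Added example, not part of the Joe Sandbox report or its tooling: it matches
only the line shapes visible on this page, and FunctionEntry/namespaces()
are my own names, not a Joe Sandbox API."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
SIMILARITY_FIELDS = {
    "API ID": "api_id", "String ID": "string_id",
    "API String ID": "api_string_id", "Opcode ID": "opcode_id",
    "Instruction ID": "instruction_id", "Opcode Fuzzy Hash": "opcode_fuzzy_hash",
    "Instruction Fuzzy Hash": "instruction_fuzzy_hash",  # always the last field
}
# "Sleep.KERNEL32(?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038"
API_RE = re.compile(
    r"^(?P<name>\w+)\.(?P<module>\w+)(?:\(.*\))?,? ref: (?P<addr>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function [0-9A-Fa-f]+: (?P<rest>.+)$")
# "i_entry >= 0 && i_entry < i_size, xrefs: 00007FFDA36B745B"
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<addr>[0-9A-Fa-f]+)$")
NAMESPACE_RE = re.compile(r"^(?P<cls>\w+)::(?P<method>\w+)$")


@dataclass
class FunctionEntry:
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy_hash: str = ""
    instruction_fuzzy_hash: str = ""
    apis: list = field(default_factory=list)     # (name, module, site, via_subcall)
    strings: list = field(default_factory=list)  # (text, xref address)

    def string_list(self):
        """'String ID' is '$'-joined; drop empty and whitespace-only pieces."""
        return [s for s in self.string_id.split("$") if s.strip()]


def parse_report(text):
    """One FunctionEntry per record; the 'Instruction Fuzzy Hash' line ends it."""
    entries, current, section = [], FunctionEntry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line
            continue
        if not line.startswith("•"):
            continue                              # blank lines, page chrome
        item = line.lstrip("•").strip()
        if section == "APIs":
            sub = SUBCALL_RE.match(item)          # indented "Part of subcall" lines
            if sub:
                item = sub.group("rest")
            m = API_RE.match(item)
            if m:
                current.apis.append((m.group("name"), m.group("module"),
                                     m.group("addr").upper(), bool(sub)))
        elif section == "Strings":
            m = STRING_RE.match(item)
            if m:
                current.strings.append((m.group("text"), m.group("addr").upper()))
        elif section == "Similarity":
            key, _, value = item.partition(":")   # any '::' sits in the value
            attr = SIMILARITY_FIELDS.get(key.strip())
            if attr:
                setattr(current, attr, value.strip())
                if attr == "instruction_fuzzy_hash":
                    entries.append(current)
                    current, section = FunctionEntry(), None
    return entries


def namespaces(entries):
    """Map each 'class::method' tag in the String IDs to its class: a quick
    view of which components the dumped functions log from."""
    out = defaultdict(set)
    for e in entries:
        for s in e.string_list():
            m = NAMESPACE_RE.match(s.strip())
            if m:
                out[m.group("cls")].add(m.group("method"))
    return {cls: sorted(methods) for cls, methods in out.items()}


# Constructed sample: three records from this page, trimmed to the lines used.
SAMPLE = r"""
Strings
• i_entry >= 0 && i_entry < i_size, xrefs: 00007FFDA36B745B
• Assertion failed: %Ts, file %Ts, line %d, xrefs: 00007FFDA36B74C2
Similarity
• API ID: ConsoleFileHandleTypeWriteswprintf
• Instruction Fuzzy Hash: 8431A32274AA8241F7149F51E8252FAA7A6EF807A0F441235FA9D13BD7DF3DD4008B04
APIs
• timeGetTime.WINMM ref: 00007FFDA362B9AB
  • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
Similarity
• String ID: -> %s$Could not update the AV scan substatus. Error $av_reporter::update_scan_substatus
• Instruction Fuzzy Hash: B412B132B0AB818AF720DF64D8A03E973A1FB44354F591135EA4C67BAADF3AD544CB44
Similarity
• String ID: $-> %s$win_fw_ownership: take_ownership$win_fw_ownership::take_ownership
• Instruction Fuzzy Hash: 27B1A232B0AB8186F710DF54E8602AA73B1FB84364F181635EA9D53BA6DF3EE544C744
"""
```

                               Because the last Similarity field of every record on this page is `Instruction Fuzzy Hash`, the parser closes a record there; a listing that starts mid-record, as this section does, simply yields a first entry holding only the fields after the cut. Note that the single-colon tag `win_fw_ownership: take_ownership` is deliberately not counted as a namespace, only the `::`-form is.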
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3637B9B
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                                • Part of subcall function 00007FFDA3628C20: timeGetTime.WINMM ref: 00007FFDA3628C76
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Time_invalid_parameter_noinfotime$Sleep
                              • String ID: $-> %s$Could not start the restore ownership task. Error: $win_fw_ownership: restore_ownership$win_fw_ownership::restore_ownership
                              • API String ID: 3401150693-3928388406
                              • Opcode ID: 609e9a653b5dab3bb7c0b69233cc1dee51c6322c5d5acd8df54ad5c709c00471
                              • Instruction ID: 39fd7184ad8f2fd96432acae53273fba828efa55e4cea3a5b4f339dd81c9f144
                              • Opcode Fuzzy Hash: 609e9a653b5dab3bb7c0b69233cc1dee51c6322c5d5acd8df54ad5c709c00471
                              • Instruction Fuzzy Hash: CEB1B232B0AB8186F710DF54E8602AA77B1FB84364F181535EA9C53BA6DF3EE444C744
                              APIs
                              • _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36C273A
                              • GetConsoleMode.KERNEL32(?,?,?,?,?,?,as_reporter::register_to_wsc,00000000,00000000,?,00000020,00007FFDA36C26B7,as_reporter::register_to_wsc,00000000,00000000,00007FFDA36C190A), ref: 00007FFDA36C27F8
                              • GetLastError.KERNEL32(?,?,?,?,?,?,as_reporter::register_to_wsc,00000000,00000000,?,00000020,00007FFDA36C26B7,as_reporter::register_to_wsc,00000000,00000000,00007FFDA36C190A), ref: 00007FFDA36C2882
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                              • String ID: as_reporter::register_to_wsc
                              • API String ID: 2210144848-929089643
                              • Opcode ID: 3469b01ec9e18ad2569f0a48a08a506644ff6f28fb73e7e092ee869305914c8e
                              • Instruction ID: feb693064db31bd435b339b9b433f7958fcc2aa501837fe6bb3429878b05400f
                              • Opcode Fuzzy Hash: 3469b01ec9e18ad2569f0a48a08a506644ff6f28fb73e7e092ee869305914c8e
                              • Instruction Fuzzy Hash: D681D622F1A64285FF50AF69A4602BC6762BF44B84F485132DE4E73797DF3EA445C328
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA362D338
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$AV function call failed because product is not registered. Retrying with registration.$av_reporter::execute_with_registration_if_needed$av_reporter::update_status
                              • API String ID: 3860382505-797322649
                              • Opcode ID: 9c78a7726173f310e5c3e034087cdf2ebdc57ca5f02e98ad184aa3ecfc2c0125
                              • Instruction ID: c8b3220791f27b096004c4348bfc2e6019bce1ee8ec142f6d17a9ab8fc053cd6
                              • Opcode Fuzzy Hash: 9c78a7726173f310e5c3e034087cdf2ebdc57ca5f02e98ad184aa3ecfc2c0125
                              • Instruction Fuzzy Hash: 7F91D532B0AB818AF700DF64E4602AA73B1FB84364F181535EA5D63BA6DF7EE445C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$FileModuleName
                              • String ID: process_with_framework::OnStarting
                              • API String ID: 2805837667-3250114685
                              • Opcode ID: 048ee58b9fd47773678349983fc9d2d9affbe732514c772fb307057d7645b806
                              • Instruction ID: 372be435eb1c4e2ab66d3c8df1586686041e19a26f38fafd758c47e832354d1d
                              • Opcode Fuzzy Hash: 048ee58b9fd47773678349983fc9d2d9affbe732514c772fb307057d7645b806
                              • Instruction Fuzzy Hash: AC814F22B19BC182EB148F24E46436D73A1FB84794F549235DBDC22BAADF3DE095D704
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA362A8C8
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                              • CoCreateInstance.OLE32 ref: 00007FFDA362A9FB
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$CreateInstanceSleepTimetime
                              • String ID: $-> %s$Could not create the AV interface. Error $av_reporter::create_instance
                              • API String ID: 1585765107-3445465257
                              • Opcode ID: 894880849888f1e3a1b7881a004db020d03a273f57f70650c7545c99d626af60
                              • Instruction ID: 7513677b237d364a4c44005821abde861a4d1f529355c5341b8e334984951acc
                              • Opcode Fuzzy Hash: 894880849888f1e3a1b7881a004db020d03a273f57f70650c7545c99d626af60
                              • Instruction Fuzzy Hash: 6F91D432F0AB8186F700DB60E8602AA73B2FB84360F191235EA5C53BA6DF7DE545C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn$ErrorFileLastModuleName
                              • String ID: wscfix.exe
                              • API String ID: 1728480589-3131413875
                              • Opcode ID: 8a8d6622b1e913d11aea9b825acf1bd3242e20f9ee749f5a8695d9304b385666
                              • Instruction ID: 28f148c7d6333f9d876b938f1f9a79bf29279dc21a423968a213b904e2736d59
                              • Opcode Fuzzy Hash: 8a8d6622b1e913d11aea9b825acf1bd3242e20f9ee749f5a8695d9304b385666
                              • Instruction Fuzzy Hash: 8781A472B5ABC280FA208B14E4553EEB362EB85394F546631D69C16BEADF7DD180C708
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ExclusiveLock_invalid_parameter_noinfo$AcquireReleaseSleepTimetime
                              • String ID: $-> %s$wsc_reporter::UpdateFwStatus
                              • API String ID: 344959351-2832709353
                              • Opcode ID: e00e07d5e6d5999baa1fefa1fa388ace27b2ff502389f86633b33a938f7fc347
                              • Instruction ID: b359f2f495522278d3a2e0e1fd3c195bbce8a9d929d26916b9ba208c739c7ce5
                              • Opcode Fuzzy Hash: e00e07d5e6d5999baa1fefa1fa388ace27b2ff502389f86633b33a938f7fc347
                              • Instruction Fuzzy Hash: 3851D132B0964192F610DB20E4613EA7372FB84760F581632EA5D637D6CF3EE915C784
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ExclusiveLock_invalid_parameter_noinfo$AcquireReleaseSleepTimetime
                              • String ID: $-> %s$wsc_reporter::UpdateAvAndAsStatus
                              • API String ID: 344959351-2979390263
                              • Opcode ID: 19033faba704a1cd19bcd8935f99feb96d1613c3b035b6c431018337f8d943b2
                              • Instruction ID: 264606bb0076af04060397e07799cc5f6d585a6c1c2bea21c9fbc85774f36748
                              • Opcode Fuzzy Hash: 19033faba704a1cd19bcd8935f99feb96d1613c3b035b6c431018337f8d943b2
                              • Instruction Fuzzy Hash: BE51A032B0AA4197F710DB24E4603EA73A2FB84364F541236EA5C93796DF3EE455C788
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ExclusiveLock_invalid_parameter_noinfo$AcquireReleaseSleepTimetime
                              • String ID: $-> %s$wsc_reporter_lite::UpdateFwStatus
                              • API String ID: 344959351-745734130
                              • Opcode ID: 44825bbfbc004414de275995788501714e1ef3fe332d6c984e99546a2e411858
                              • Instruction ID: 33bfacf9f0589ad63c5b5db894960e789258993850ac68e91877723f142ba914
                              • Opcode Fuzzy Hash: 44825bbfbc004414de275995788501714e1ef3fe332d6c984e99546a2e411858
                              • Instruction Fuzzy Hash: FA416032B0AB4186F710DB20E8602AA7375FB84760F541236EA6C627EADF3ED555C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ExclusiveLock_invalid_parameter_noinfo$AcquireReleaseSleepTimetime
                              • String ID: $-> %s$wsc_reporter::UnregisterFw
                              • API String ID: 344959351-3818477932
                              • Opcode ID: 128c1c7cee10803c842158c9f9ed87a06bee8411a3cf0db5e2e18c93fbdac9ac
                              • Instruction ID: 37e88e1aaca19b371e0e0551702e53ad4beeab7112f02dd97517efb1b08c3b06
                              • Opcode Fuzzy Hash: 128c1c7cee10803c842158c9f9ed87a06bee8411a3cf0db5e2e18c93fbdac9ac
                              • Instruction Fuzzy Hash: 09417231B0AB4186E710DB14E4602EA73B5FB85360F541236EAAC537EADF3ED505C784
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ExclusiveLock_invalid_parameter_noinfo$AcquireReleaseSleepTimetime
                              • String ID: $-> %s$windows_security_center_integration_epaas_module::RegisterHandler
                              • API String ID: 344959351-653397644
                              • Opcode ID: a2a1eb1d74012aa7e441f98baa77ae9107af08cd441eb0d0adfe1a23c8ad193b
                              • Instruction ID: 5ca2fb68490e55b503e82673a14f1065518e6a8b189bbfb1c33a64312a1bd9a2
                              • Opcode Fuzzy Hash: a2a1eb1d74012aa7e441f98baa77ae9107af08cd441eb0d0adfe1a23c8ad193b
                              • Instruction Fuzzy Hash: 80418332B09B4186E710DB14E8602EA7371FB84360F541636E6AC53BEADF3ED545CB84
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ExclusiveLock_invalid_parameter_noinfo$AcquireReleaseSleepTimetime
                              • String ID: $-> %s$windows_security_center_integration_epaas_module::AddVersion
                              • API String ID: 344959351-3386970960
                              • Opcode ID: aa444b1a4fbd2f0c208d8ccd130d1b6ec43078e70fd9c0e396f0e26044f132a0
                              • Instruction ID: 3581c6a2109e02284211b8deda0b30a52a28e513784e29a1e869068c9d29a2b2
                              • Opcode Fuzzy Hash: aa444b1a4fbd2f0c208d8ccd130d1b6ec43078e70fd9c0e396f0e26044f132a0
                              • Instruction Fuzzy Hash: 97417F32B0AB4186E610DB24E8603EA7371FB85364F541632E6AC53BEADF3ED505CB44
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                              • String ID: CONOUT$
                              • API String ID: 3230265001-3130406586
                              • Opcode ID: f373d316bf912c5ce75db15df45859944ef71327214485e6dc44c30b880405aa
                              • Instruction ID: 89bf30cd08c0298c6bf747b0cab5bad5afe5f4747049730ce6c2c958aee541d5
                              • Opcode Fuzzy Hash: f373d316bf912c5ce75db15df45859944ef71327214485e6dc44c30b880405aa
                              • Instruction Fuzzy Hash: 5211D332B29B4182F7508F16E864369B3A1FB88FE4F181234EA1D977A5CF3DD4148748
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ByteCharMultiStringWide
                              • String ID:
                              • API String ID: 2829165498-0
                              • Opcode ID: 1ea21602743830af0283ae8f0bf1965baa2705426e8ec31bf502b91c6e44ea74
                              • Instruction ID: 0d20d91004f7936c4050af5cd19594aa7c501dd67f9a8507942db7bf37834f5d
                              • Opcode Fuzzy Hash: 1ea21602743830af0283ae8f0bf1965baa2705426e8ec31bf502b91c6e44ea74
                              • Instruction Fuzzy Hash: 6C81A332B4AB8186FB218F11A46037967F2FB44BA8F181635EA5D27BCADF7DD4058704
                              APIs
                                • Part of subcall function 00007FFDA3629470: __std_exception_copy.LIBVCRUNTIME ref: 00007FFDA362949F
                                • Part of subcall function 00007FFDA36A5DF0: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,Product,00007FFDA3643D13,?,?,?,00007FFDA362102E), ref: 00007FFDA36A5E34
                                • Part of subcall function 00007FFDA36A5DF0: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,Product,00007FFDA3643D13,?,?,?,00007FFDA362102E), ref: 00007FFDA36A5E7A
                              • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA3634971
                              • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA3634977
                              • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA3634D28
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn$ExceptionFileHeaderRaise__std_exception_copy
                              • String ID: Failed to load file$product_info
                              • API String ID: 818104658-3597872723
                              • Opcode ID: 09681dd53d2ebb1b8e1941a9568983a30ad1e5576848a727ac59940ca8621909
                              • Instruction ID: eb6f9334e877b3bec5a9db3112e0d47ac49dea1e22a9891185e4aea8a4bab316
                              • Opcode Fuzzy Hash: 09681dd53d2ebb1b8e1941a9568983a30ad1e5576848a727ac59940ca8621909
                              • Instruction Fuzzy Hash: 5BF1E62270AB9681FE19CB11E4663B8B3A3FB45B84F896532DA4D17796DF3ED540C308
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                              • String ID:
                              • API String ID: 2081738530-0
                              • Opcode ID: 4321455e9b6da399b4bb0487acb35a90563691f1dac0d689aeddd9dab449dd15
                              • Instruction ID: 2f3a79b98cca7aa0cdd5127df8e85790ca239993fe97777e237c1367bd7ab77a
                              • Opcode Fuzzy Hash: 4321455e9b6da399b4bb0487acb35a90563691f1dac0d689aeddd9dab449dd15
                              • Instruction Fuzzy Hash: DC414026B0AB8681FE15DF16D8601A977A2FB84BD0F0C5532DA5D237A6DF3EE451C308
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                              • String ID:
                              • API String ID: 2081738530-0
                              • Opcode ID: ef66f68efa0b8d7c3b45df9a0e7c751d6a755a05029be4315741585939102a5b
                              • Instruction ID: 680dc2f95fd5611d2250c9e1e8a344e382381a333704cc2a0eb72062aea83735
                              • Opcode Fuzzy Hash: ef66f68efa0b8d7c3b45df9a0e7c751d6a755a05029be4315741585939102a5b
                              • Instruction Fuzzy Hash: ED318462F0AA4281FA059F55E8605B9B3A2EF44BA0B5C6531DB5D237E7DF2EE4418308
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Concurrency::cancel_current_task
                              • String ID: false$true
                              • API String ID: 118556049-2658103896
                              • Opcode ID: 9f434fc32bcad0e9e85458bfebfef8fe8f0d7871906ab4b145c9a9d261e375e9
                              • Instruction ID: 4e8bd8b7d4412f9cb949ee99f8873bee478806cd305ac64f7ebf1c480877598b
                              • Opcode Fuzzy Hash: 9f434fc32bcad0e9e85458bfebfef8fe8f0d7871906ab4b145c9a9d261e375e9
                              • Instruction Fuzzy Hash: 3891A122F0AA8589FB50DFA1D4102AD33B6FB58788F095535DE4C67B8AEF3AD516C304
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA36303C8
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$FW function call failed because product is not registered. Retrying with registration.$fw_reporter::execute_with_registration_if_needed
                              • API String ID: 3860382505-422381607
                              • Opcode ID: 86bf3b87a9de2ea28286e5bcaf6a64063d2df8269eadb8800833029a00ee25c8
                              • Instruction ID: bf64e66284d4061bd0002f434cc9432beb1517ca2eace84e95973bb5213a63d8
                              • Opcode Fuzzy Hash: 86bf3b87a9de2ea28286e5bcaf6a64063d2df8269eadb8800833029a00ee25c8
                              • Instruction Fuzzy Hash: 3D91C432B0AB8186F700DF64E4602AAB3A1FB84364F141535EA5D63BA7DF3EE445C744
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA362B0B7
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$Could not unregister the AV. Error $av_reporter::unregister_from_wsc
                              • API String ID: 3860382505-3038971805
                              • Opcode ID: 1cf3777540b34b279add336ee1f2bea1cf56186a7904b9ca8263bea25f934e54
                              • Instruction ID: 88de6874e2ece5bda5baba5d37308a0ca05901618845c39c07de816bba7d439f
                              • Opcode Fuzzy Hash: 1cf3777540b34b279add336ee1f2bea1cf56186a7904b9ca8263bea25f934e54
                              • Instruction Fuzzy Hash: 6191A232B0AB8186F710DB60E8602AE7771FB84364F591235EA5C53BAADF3ED541C744
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3622707
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$Could not unregister the AS. Error $as_reporter::unregister_from_wsc
                              • API String ID: 3860382505-3357004189
                              • Opcode ID: d1a2397ff5cf34f9d422e55ab80807f881079ef1b544c57c37c40bf93442af80
                              • Instruction ID: d9d5c0bb307f6094107d0b40b118d2ed85c4ca6ae23a2d83e5a911504255550e
                              • Opcode Fuzzy Hash: d1a2397ff5cf34f9d422e55ab80807f881079ef1b544c57c37c40bf93442af80
                              • Instruction Fuzzy Hash: 0E91C332F0AB8186F710DB61E8602AA77B1FB84360F191231EA5C53BAADF3ED541C744
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA362E727
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$Could not unregister the FW. Error $fw_reporter::unregister_from_wsc
                              • API String ID: 3860382505-2892152727
                              • Opcode ID: cc5d9d3f0d1ed7129e82dda1ab7dfdc029e4f2627467e9f24ca952ecf0538c1e
                              • Instruction ID: e7c3b7e99fec509f84cf5ed9bbc61df819aec5e94c4870baecacf02a3616060e
                              • Opcode Fuzzy Hash: cc5d9d3f0d1ed7129e82dda1ab7dfdc029e4f2627467e9f24ca952ecf0538c1e
                              • Instruction Fuzzy Hash: 2991C332F0AB8186F710DB60E4602AA77A5FB84360F591136EA9C53BEADF3ED441C744
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3638677
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$Could not create the serial execution. Error: $win_fw_ownership::initialize_serial_execution
                              • API String ID: 3860382505-3659787877
                              • Opcode ID: 77721a959ffa6eed10f3d20dd17757ee270da7d533cae479b4a8a5ef654950cd
                              • Instruction ID: 3d30d5c52eb650e7fe930535eda48bf1f19c72a33ebeb6276d490ceb3c408c57
                              • Opcode Fuzzy Hash: 77721a959ffa6eed10f3d20dd17757ee270da7d533cae479b4a8a5ef654950cd
                              • Instruction Fuzzy Hash: 4D91B232B0AB8186F710DB60E8602EA73B1FB84364F581635EA5C53BAADF3ED545C744
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3687438
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$Post event failed; err=$wsc_telemetry::post_event
                              • API String ID: 3860382505-455864069
                              • Opcode ID: 0911d42ba0882024a28310145d926dc7110e892cf5cc86986a86b37a12fe9e12
                              • Instruction ID: 0d7a3ce4d7d6ce034ae946e8a1ff2f84735316fbd110ed2d503419e046595db4
                              • Opcode Fuzzy Hash: 0911d42ba0882024a28310145d926dc7110e892cf5cc86986a86b37a12fe9e12
                              • Instruction Fuzzy Hash: B0819232B0AB8186F710DF64E8602EA77A1FB84364F181235EA5C63BA6DF3ED455C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
                              • String ID: out_of_range
                              • API String ID: 1944019136-3053435996
                              • Opcode ID: e18ef67919c138e366144328a00511938bc197e06932f30011ffe871b1da3974
                              • Instruction ID: 7244bf5a7cb5d379f08bd4fc399a98313518732b51295f378582c95afbc78297
                              • Opcode Fuzzy Hash: e18ef67919c138e366144328a00511938bc197e06932f30011ffe871b1da3974
                              • Instruction Fuzzy Hash: 4671BF62F05B418AFB00CF69E5603AC3362EB48B98F14A631DA5D677D6DF3AD491C344
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn
                              • String ID: SZ_PRODUCT_NAME$product_info$wsc
                              • API String ID: 3668304517-1149581336
                              • Opcode ID: 3a9cdae9500f661829fd6db54db423c3c3417c87e11b7b3b94345bc1f67bb2bf
                              • Instruction ID: 066f7a0e7d09010dd52900f9054dba731564a1d3e7a8526c29819e211186d684
                              • Opcode Fuzzy Hash: 3a9cdae9500f661829fd6db54db423c3c3417c87e11b7b3b94345bc1f67bb2bf
                              • Instruction Fuzzy Hash: 41719F62B15B4285FF00DBA5D4683AD2373AB44BA8F445A31DE6C27BDADF39D045C348
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA36633E8
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$module_type$wsc_command_communication_provider::update
                              • API String ID: 3860382505-2715584558
                              • Opcode ID: bd19668e1a773b2ecc22357cec4acd5dccfce10c0564ce2a256837137f8e5078
                              • Instruction ID: bd9c09e05dae1668efe0a0ffd1aa8e1140238a2923fabaf1324f7c59b2bf18bb
                              • Opcode Fuzzy Hash: bd19668e1a773b2ecc22357cec4acd5dccfce10c0564ce2a256837137f8e5078
                              • Instruction Fuzzy Hash: 9081B432B06B8182EB00CF2AD8602AA73B1FB88B94F585532DA5D537B6DF3ED451C704
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3663128
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$module_type$wsc_command_communication_provider::enable
                              • API String ID: 3860382505-3394860388
                              • Opcode ID: 0d3746bab242fc3de80ac40f4fc4f25f5d2c2de4d4723a784767dfa9fc32e9a4
                              • Instruction ID: 0102f811b70f6db68dc9cd36dc1ea0174a471cdcfbad9e39eca97e42a18aa684
                              • Opcode Fuzzy Hash: 0d3746bab242fc3de80ac40f4fc4f25f5d2c2de4d4723a784767dfa9fc32e9a4
                              • Instruction Fuzzy Hash: 4C815132B06B8182EB10CF2AE8502AA73B1FB88B94F585532DA5D537B6DF3ED455C704
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA36636A8
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$module_type$wsc_command_communication_provider::launch
                              • API String ID: 3860382505-1078913699
                              • Opcode ID: ea63fc5a0736adbd4cfd9df1194983d886d85229809e55bfaa1512b4c6f77a17
                              • Instruction ID: 2c5387adbd7d4134a1e391b89681cc23790aeb70ade665e47a43c1cc1a6819af
                              • Opcode Fuzzy Hash: ea63fc5a0736adbd4cfd9df1194983d886d85229809e55bfaa1512b4c6f77a17
                              • Instruction Fuzzy Hash: 04819232B06B8182EB00CF2AD8502AA73B1FB88B94F585536DA5D537B6DF3ED455C704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn
                              • String ID: failed; err=$eceventsclient$get_plugin $wsc_telemetry::wsc_telemetry
                              • API String ID: 3668304517-1257028105
                              • Opcode ID: b9dc50404d368953bb1bf3880f416c04d324e9c952ee6e725e71c5560e368997
                              • Instruction ID: 5f146a425fe0cda3f7fec5e3ce46a16026c4279d7c89223c7f66f3e81f6cda4e
                              • Opcode Fuzzy Hash: b9dc50404d368953bb1bf3880f416c04d324e9c952ee6e725e71c5560e368997
                              • Instruction Fuzzy Hash: 30819432B1AB818AF750CF24E4A42A977A2FF48758F582135EA4D237A6DF3DD445C704
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3672323
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA367254C
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTime_invalid_parameter_noinfo_noreturntime
                              • String ID: $-> %s$wsc_communicator_launcher_plg::init
                              • API String ID: 983007448-3503075372
                              • Opcode ID: 5589135ce10748fffabe1fa1247ffadd5edd4c412e6c55a26e9220a10d193b6e
                              • Instruction ID: e35ed1fec6598c9552f6e284276321179991bb28569c13cae05372fb4d286c26
                              • Opcode Fuzzy Hash: 5589135ce10748fffabe1fa1247ffadd5edd4c412e6c55a26e9220a10d193b6e
                              • Instruction Fuzzy Hash: C851A771B0A74146F610DB24E4602AA7372FB857A0F945231EA6D63BDBDF3ED501C748
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                               • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
                              • String ID: invalid_iterator
                              • API String ID: 1944019136-2508626007
                              • Opcode ID: 5d4b35c0580cb16dce36868c87fddc8a2da8cfe010a20eeab7d5fb5982f7c2c8
                              • Instruction ID: cad3daf3cc50e0a94a10eac9099c9ea0a8f0e4e399bd89ff6ee15521baf8cbad
                              • Opcode Fuzzy Hash: 5d4b35c0580cb16dce36868c87fddc8a2da8cfe010a20eeab7d5fb5982f7c2c8
                              • Instruction Fuzzy Hash: 1251AE62F15B8189FB00CF74D4643AC2362EB49798F446631EA6D27BDADF39E194C348
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ConvertErrorFreeLastLocalSleepString
                              • String ID: ConvertSidToStringSid failed err = $sid_to_str
                              • API String ID: 1890500361-3037493536
                              • Opcode ID: 98e0fe6eb657fbf0d582fa49c9e5869469b747a69d4709cc1bb32b44560e809a
                              • Instruction ID: 6f6b4e7a7fd3e250944e0f8a18f214c77325e26ef5e330e62aa911d03bf9c5e3
                              • Opcode Fuzzy Hash: 98e0fe6eb657fbf0d582fa49c9e5869469b747a69d4709cc1bb32b44560e809a
                              • Instruction Fuzzy Hash: 3351BF32B0AB4286F7108F60E4902AD37B5FB44764F581235EA5D23BA6DF3DD151C748
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
                              • String ID: bad locale name
                              • API String ID: 2967684691-1405518554
                              • Opcode ID: 6c443aa8e48061aab8e4c7500e30dbe0008e6a9ed1fb63f9581d57c2165e6d2f
                              • Instruction ID: 694f51c3469496c5f74499b073b7f54cc8797f2321e55f96e9898d0590f3ec61
                              • Opcode Fuzzy Hash: 6c443aa8e48061aab8e4c7500e30dbe0008e6a9ed1fb63f9581d57c2165e6d2f
                              • Instruction Fuzzy Hash: 47516522F4AB818AFB10CBB0D4606EC33B6AF54748B086535DE4D37B57DF39A5669308
                              APIs
                              • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00007FFDA367C322), ref: 00007FFDA367C3FF
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              • CreateEventW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00007FFDA367C322), ref: 00007FFDA367C4A6
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00007FFDA367C322), ref: 00007FFDA367C4AF
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00007FFDA367C322), ref: 00007FFDA367C4C2
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: CloseCreateCriticalErrorEventHandleInitializeLastSectionSleep
                              • String ID: CreateEvent failed
                              • API String ID: 439794563-176999938
                              • Opcode ID: b99ff219bb3bdc6f0725465208def0c77c88a85fea623ec2415b498e5809685b
                              • Instruction ID: 93b6a297edec7d618c08d7bb95fc3a9b0dc4acb502c71db6b4c3d20af2952e66
                              • Opcode Fuzzy Hash: b99ff219bb3bdc6f0725465208def0c77c88a85fea623ec2415b498e5809685b
                              • Instruction Fuzzy Hash: 70514A33606B81C6E7109F24E89479973B9FB44B08F689134DB8D27765EF39D4AAC348
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
                              • String ID: bad locale name
                              • API String ID: 2967684691-1405518554
                              • Opcode ID: e71bd2a2ab88c33e779b4c7399c7e251f069b365227cc27ea6a98d78d0d42e8a
                              • Instruction ID: 4d381efe24ac698fca3a2e2429f4d14dfe1588554ff0a01d5501417a004bccd2
                              • Opcode Fuzzy Hash: e71bd2a2ab88c33e779b4c7399c7e251f069b365227cc27ea6a98d78d0d42e8a
                              • Instruction Fuzzy Hash: EB414922F4AB8589FB14DFB1D4602AC33B6AF40784F086538DE4E32B56DF39D5269348
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA36699FE
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                              • CoUninitialize.OLE32 ref: 00007FFDA3669B29
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimeUninitializetime
                              • String ID: $-> %s$wsc_reporter_lite::UnInit
                              • API String ID: 3596313072-2781271877
                              • Opcode ID: 5a421eb0f29c2a8f160977cd8b5159e5cb3a6437f814568607a6f2a0f1300b8b
                              • Instruction ID: b639d35d43d1d42c642f1309912e6d789ac6979da2777b5d11ec1b79e91c7466
                              • Opcode Fuzzy Hash: 5a421eb0f29c2a8f160977cd8b5159e5cb3a6437f814568607a6f2a0f1300b8b
                              • Instruction Fuzzy Hash: 70417232A09B4186E710DB14E8602EA73B1FB85364F541236EAAC537EADF3ED545C784
                              APIs
                              • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDA3644C9C), ref: 00007FFDA364A776
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDA3644C9C), ref: 00007FFDA364A785
                              • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA364A873
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: AddressErrorLastProc_invalid_parameter_noinfo_noreturn
                              • String ID: epaas_response_create$failed dll::get_proc
                              • API String ID: 3294902964-1091962615
                              • Opcode ID: 691297718d8e4450d149f0bfe665b3888c7c17496e19361fcd624cbb473ac443
                              • Instruction ID: a563e2315689abd501056d49bd6fc4410579ff8eb6885b7f3f2a65764dbae4b4
                              • Opcode Fuzzy Hash: 691297718d8e4450d149f0bfe665b3888c7c17496e19361fcd624cbb473ac443
                              • Instruction Fuzzy Hash: 6131E232B09B8182FA20CB24E5503697761FB887D4F586231EB9C13BA6EF3DE195C704
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA363C4D1
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$WinFwSetStat$win_fw_ownership::save_last_set_win_fw_status
                              • API String ID: 3860382505-1644270488
                              • Opcode ID: 60daa6109275d109dc3f25deba4dc0389f8de5c9969955f33e77a8f6def507d5
                              • Instruction ID: 59ff0339cc6e54b07f2b7c950892c4f318151ef6016d014c04b0d92442039f04
                              • Opcode Fuzzy Hash: 60daa6109275d109dc3f25deba4dc0389f8de5c9969955f33e77a8f6def507d5
                              • Instruction Fuzzy Hash: 83415131A09B4186E710DB10E8603EAB372FB85364F541232EAAC537EADF3ED555CB84
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: AddressErrorLastProc_invalid_parameter_noinfo_noreturn
                              • String ID: epaas_error_create$failed dll::get_proc
                              • API String ID: 3294902964-3392039171
                              • Opcode ID: 1774b9953c3505de3150a56215666b0e0c06975ef40ce5b6a5c055838f1b663f
                              • Instruction ID: cd2014c683a08242d150f252f0d349b4567085c48edc7d0ad796bf8d762399a1
                              • Opcode Fuzzy Hash: 1774b9953c3505de3150a56215666b0e0c06975ef40ce5b6a5c055838f1b663f
                              • Instruction Fuzzy Hash: 6F31B122B09B8182FA208B24E5503697762FB98794F586231EB9C13BA6DF7DE1D4C704
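Two pairs of records in this listing show how the Similarity keys are built. The two "bad locale name" functions (Opcode IDs 6c443aa8… and e71bd2a2…) carry the identical API String ID 2967684691-1405518554, while the two "failed dll::get_proc" functions (Opcode IDs 69129771… and 1774b995…) share only the first half, 3294902964: the first number hashes the API ID and the second the String ID, which the records elsewhere in this listing with an empty String ID and a trailing -0 confirm. The following Python is an added example, not part of the Joe Sandbox report; it parses such "Similarity" blocks and groups them on either key. The sample records are copied from this listing (Opcode IDs shortened to 16 hex characters), and the positional comparison of Instruction Fuzzy Hashes is a heuristic of my own, not Joe Sandbox's similarity metric.

```python
"""Group Joe Sandbox IDA-plugin function records by their Similarity keys.

Added example, not part of the Joe Sandbox report. The record layout
(bullet lines under a "Similarity" header) follows this report; the
fuzzy-hash scoring below is an assumption, not Joe Sandbox's metric.
"""
import re
from collections import defaultdict

# Constructed input: four Similarity blocks copied from this report's
# function listing (Opcode IDs trimmed to their first 16 hex characters).
SAMPLE_RECORDS = """\
Similarity
• API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 2967684691-1405518554
• Opcode ID: 6c443aa8e48061aa
• Instruction Fuzzy Hash: 47516522F4AB818AFB10CBB0D4606EC33B6AF54748B086535DE4D37B57DF39A5669308
Similarity
• API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 2967684691-1405518554
• Opcode ID: e71bd2a2ab88c33e
• Instruction Fuzzy Hash: EB414922F4AB8589FB14DFB1D4602AC33B6AF40784F086538DE4E32B56DF39D5269348
Similarity
• API ID: AddressErrorLastProc_invalid_parameter_noinfo_noreturn
• String ID: epaas_response_create$failed dll::get_proc
• API String ID: 3294902964-1091962615
• Opcode ID: 691297718d8e4450
• Instruction Fuzzy Hash: 6131E232B09B8182FA20CB24E5503697761FB887D4F586231EB9C13BA6EF3DE195C704
Similarity
• API ID: AddressErrorLastProc_invalid_parameter_noinfo_noreturn
• String ID: epaas_error_create$failed dll::get_proc
• API String ID: 3294902964-3392039171
• Opcode ID: 1774b9953c3505de
• Instruction Fuzzy Hash: 6F31B122B09B8182FA208B24E5503697762FB98794F586231EB9C13BA6DF7DE1D4C704
"""

# One "• Key: Value" bullet; the key runs up to the first colon.
BULLET = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")


def parse_records(text):
    """Split the listing into one dict per "Similarity" block."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "Similarity":
            current = {}
            records.append(current)
            continue
        m = BULLET.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return records


def api_hash(record):
    """First half of "API String ID": the hash of the API set alone
    (inferred from this report: records with the same API ID share it)."""
    return record["API String ID"].split("-", 1)[0]


def group_by(records, key_fn):
    """Map each key to the Opcode IDs of the records that carry it."""
    groups = defaultdict(list)
    for r in records:
        groups[key_fn(r)].append(r["Opcode ID"])
    return dict(groups)


def fuzzy_hash_similarity(a, b):
    """Fraction of positions where two Instruction Fuzzy Hashes agree.
    Heuristic only (assumption); hashes of unequal length score 0."""
    if len(a) != len(b) or not a:
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("same APIs and same strings:", group_by(recs, lambda r: r["API String ID"]))
    print("same APIs, any strings:    ", group_by(recs, api_hash))
    for i, r1 in enumerate(recs):
        for r2 in recs[i + 1:]:
            s = fuzzy_hash_similarity(r1["Instruction Fuzzy Hash"], r2["Instruction Fuzzy Hash"])
            print(f"{r1['Opcode ID']} vs {r2['Opcode ID']}: {s:.2f}")
```

Grouping on the full API String ID finds functions that call the same APIs and reference the same strings (typically the same library routine compiled into two places); grouping on the first half alone finds functions built from the same API sequence regardless of their strings, which is the more useful key when comparing this sample against other builds of the same code base.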
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$Timetime
                              • String ID: bd::process_broker::client::is_process_broker_running$bd::process_broker::client::this_process_should_be_started_by_broker$process broker is not running.$settings
                              • API String ID: 1656420430-3926003902
                              • Opcode ID: 53355e6ae1bbe7e17134cac8f09911426aed4656ea7476cc74dad71d1128f5c9
                              • Instruction ID: 32f6f55392747a4a321a4f2184f91c5c8623600cff90639d19664336043aa9d2
                              • Opcode Fuzzy Hash: 53355e6ae1bbe7e17134cac8f09911426aed4656ea7476cc74dad71d1128f5c9
                              • Instruction Fuzzy Hash: E9014C71F06A828AF300DBA0E8602E93372AB04334F941731D97C627E6DF7DA549C358
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task__std_exception_copy
                              • String ID:
                              • API String ID: 3630682930-0
                              • Opcode ID: a2b04af165a8c467580944c73364bd789b7b25b5de8beb4275d095d74b9906e0
                              • Instruction ID: 72ba86c41e4a046a8e1328c0c20663490ec315646ea64bfad8cfafc8c209b0dc
                              • Opcode Fuzzy Hash: a2b04af165a8c467580944c73364bd789b7b25b5de8beb4275d095d74b9906e0
                              • Instruction Fuzzy Hash: 7471A322F06B8185FB00DF65D4543AC73A2EB49B98F586631DA6C2379AEF39D1A0C344
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$FileModuleName
                              • String ID:
                              • API String ID: 2805837667-0
                              • Opcode ID: 9c38639f955a1754eb4c3cad3c8a0e8c4c2b8d1002b134207ca453979fb8e1ce
                              • Instruction ID: 3996507ede475bed7360bd426a1942f722020b567db5a606109b299589898e7b
                              • Opcode Fuzzy Hash: 9c38639f955a1754eb4c3cad3c8a0e8c4c2b8d1002b134207ca453979fb8e1ce
                              • Instruction Fuzzy Hash: EB819F22B19BC182FB108F24E45536E73A6FB84784F549231E79D52B9ADF3DE085CB04
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn$ErrorLast$FileModuleName
                              • String ID:
                              • API String ID: 2854467964-0
                              • Opcode ID: 4f97db0db1b0619c6a204eeb5becf0b2b6bff7d6476d092401da40f5143d1e75
                              • Instruction ID: d8e37353c30ae623b03997bc4d5bf51fda23671280a16134bcda1f5657a23c1c
                              • Opcode Fuzzy Hash: 4f97db0db1b0619c6a204eeb5becf0b2b6bff7d6476d092401da40f5143d1e75
                              • Instruction Fuzzy Hash: D8517432B19B8582FB148F25E45436E73A2FB84794F145235EB9D12BAADF3DE051CB08
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: CloseHandleService$Free$LibraryString
                              • String ID:
                              • API String ID: 1330875019-0
                              • Opcode ID: 65cd4dff6c166a1f3024e9aacbc9a5227f8bbea4e0090bf656d96a21a8f7b88f
                              • Instruction ID: efab23db4197baf18d0c83527bdbe7e45f3c0a36e5b851b80f2bad35f47e33c6
                              • Opcode Fuzzy Hash: 65cd4dff6c166a1f3024e9aacbc9a5227f8bbea4e0090bf656d96a21a8f7b88f
                              • Instruction Fuzzy Hash: 8E413A36B07A4586FB599F26E5A02683362FF44F84F5CA431CE0E27765CF2AD850C308
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 2067211477-0
                              • Opcode ID: 891e02c0382e5e6effd01d0be349ad4e1d4afebf704675c463acd150b857da2c
                              • Instruction ID: 325ad6b880b7f100c7be4f7b73256281bad5d43350ecd5ef54d7fc25036f0667
                              • Opcode Fuzzy Hash: 891e02c0382e5e6effd01d0be349ad4e1d4afebf704675c463acd150b857da2c
                              • Instruction Fuzzy Hash: 66214226F0BB8282FE55DF65A460179A3B2AF84BC0F0C5935DE4D23797DE3DE4018648
                              APIs
                                • Part of subcall function 00007FFDA3632600: GetModuleFileNameW.KERNEL32 ref: 00007FFDA3632680
                                • Part of subcall function 00007FFDA3632600: GetLastError.KERNEL32 ref: 00007FFDA363268E
                              • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA367A800
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ErrorFileLastModuleName_invalid_parameter_noinfo_noreturn
                              • String ID: <norestart>$Load crash handler failed$dll::get_foldername failed
                              • API String ID: 4139909131-3014219687
                              • Opcode ID: a0b7f82c4a164237f2428ee918d0aabe899bebaeb1b607abe57a4d20433e95af
                              • Instruction ID: 101809856afe18daecbce7dcb12226acbf38079246851e101cfa1d5c32d2e9eb
                              • Opcode Fuzzy Hash: a0b7f82c4a164237f2428ee918d0aabe899bebaeb1b607abe57a4d20433e95af
                              • Instruction Fuzzy Hash: 57716F32B19B8186FB10CB24E4543AD73B5FB88758F546225EE8C22BAADF3DD181C704
                              APIs
                              Strings
                              Similarity
                              • API ID: _invalid_parameter_noinfo_noreturn
                              • String ID: failed convert error description utf8_to_utf16
                              • API String ID: 3668304517-3156949349
                              • Opcode ID: 32700df1b1596abc27372c634036d3d1634f5a7c34b58dc8381c2a5eb25a3740
                              • Instruction ID: c35b69ef08610d082226b72b0ee8807a2ffbaa0b6dd911b6fe8c49cf264617a3
                              • Opcode Fuzzy Hash: 32700df1b1596abc27372c634036d3d1634f5a7c34b58dc8381c2a5eb25a3740
                              • Instruction Fuzzy Hash: C1519B62F55B858AFB00CB68D5953AC3362EB44798F046631EB5D23BE6DF39E090C308
                              APIs
                              Strings
                              Similarity
                              • API ID: Delete
                              • String ID: err=$delete reg path $helpers::delete_reg_key
                              • API String ID: 1035893169-2878050877
                              • Opcode ID: 1a0eb00fd8e44a3c44cc96c148b71738fb926b3b25dba229261da544fb80cd3e
                              • Instruction ID: 2be9fd0d3e0dd58e403963c1acb6441e81dfe5580a203a0803ed471880840099
                              • Opcode Fuzzy Hash: 1a0eb00fd8e44a3c44cc96c148b71738fb926b3b25dba229261da544fb80cd3e
                              • Instruction Fuzzy Hash: A471D732B0AB818AF720CF24E4542A977B1FB84758F581136EA8D637AAEF3DD545C704
                              APIs
                              Strings
                              Similarity
                              • API ID: ThreadpoolWait$CreateErrorLast
                              • String ID: failed winapi::thread_pool::make_wait
                              • API String ID: 2142434369-1791275070
                              • Opcode ID: c572ed8a55a6076082118eb345c29ea0ba88f3a6b9c0f9491c548545fce0583e
                              • Instruction ID: 03a2088d8c882e8e23c36ed38ba615e1f269808660215c4d438f12dbf798ac66
                              • Opcode Fuzzy Hash: c572ed8a55a6076082118eb345c29ea0ba88f3a6b9c0f9491c548545fce0583e
                              • Instruction Fuzzy Hash: 09719F23F09B818AF7118B74E4103AD73B2B75974CF586225DE8C22B5ADF39E195C358
                              APIs
                              Strings
                              Similarity
                              • API ID: ErrorLastQueryServiceSleepStatus
                              • String ID: Could not query the service limited status. Error $helpers::services::query_limited_status
                              • API String ID: 260879946-4251040822
                              • Opcode ID: 4fe7f371e32ca84406b5e3c7d755805afabbe024c38479101cbecc9fd4647c29
                              • Instruction ID: 9b565946be4b522a36b7ee966bd6d19cd5ef792baa099aeace8f9554e0943748
                              • Opcode Fuzzy Hash: 4fe7f371e32ca84406b5e3c7d755805afabbe024c38479101cbecc9fd4647c29
                              • Instruction Fuzzy Hash: 35616F32B0AB818AF710CF24E4A02AA77B5FB84354F582135EA4D63B66DF3ED455CB44
                              APIs
                              Strings
                              Similarity
                              • API ID: Value
                              • String ID: ; err=$helpers::write_dword_to_reg$write to reg
                              • API String ID: 3702945584-2388879816
                              • Opcode ID: 0b178b62fb36bd1c27453f8b4bc4934da07c2d375f06cc788da38cbb1f8d05d9
                              • Instruction ID: 820f4a1c0eb50b1852e7ac99f9175823dd17ee4958ecf658688423fe79c4108e
                              • Opcode Fuzzy Hash: 0b178b62fb36bd1c27453f8b4bc4934da07c2d375f06cc788da38cbb1f8d05d9
                              • Instruction Fuzzy Hash: B061AF32B1AB428AF7508F60E4901AD77B1FB88754F182135EB4D62BAADF3DD444CB44
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA36675FE
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$wsc_collector::unregister_listeners
                              • API String ID: 3860382505-3974979308
                              • Opcode ID: e75fe0971672a2c1ceef321a30ae5e8c20fb9bbd83974766642a1d7324bdfb3c
                              • Instruction ID: 3a606a5e18a595d5cb2c0c33d0e5cb59a2566412cf5ac53c78687dc5f8ada3e3
                              • Opcode Fuzzy Hash: e75fe0971672a2c1ceef321a30ae5e8c20fb9bbd83974766642a1d7324bdfb3c
                              • Instruction Fuzzy Hash: A351A53270AB4186EB10CF25E4602E97376FB84BA4F585232DA5C57BAADF3ED444C744
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3671C56
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$wsc_communicator_launcher_plg::Init
                              • API String ID: 3860382505-1895702290
                              • Opcode ID: f60da19272df7cb6789cf66fe7d359a8a7ad35ef3795b43bc294b6d19ff9d8cd
                              • Instruction ID: ee977ecda8d81b850f817218b771c515f5679e18197edb8321f5e368ae5a4f85
                              • Opcode Fuzzy Hash: f60da19272df7cb6789cf66fe7d359a8a7ad35ef3795b43bc294b6d19ff9d8cd
                              • Instruction Fuzzy Hash: 43518332B0AB4186F710DF15E8602AA73A5FB84760F581236EA9C537E6DF3ED541CB84
                              APIs
                              Strings
                              Similarity
                              • API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
                              • String ID: bad locale name
                              • API String ID: 2775327233-1405518554
                              • Opcode ID: 1c1444e7e95c9f40254f9c0b35bd7b9ada31a9cc004fee8aff5b861b5087cdbf
                              • Instruction ID: 45b521ab7765f3f881d2f058e14be57c21a732716b36895cfc17f2424c8ac74e
                              • Opcode Fuzzy Hash: 1c1444e7e95c9f40254f9c0b35bd7b9ada31a9cc004fee8aff5b861b5087cdbf
                              • Instruction Fuzzy Hash: C0417C22F4BA8189FB50DFB0D4A02EC33B5EF54748F086434DA4E36B56CE3AD5269319
                              APIs
                              Strings
                              Similarity
                              • API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
                              • String ID: bad locale name
                              • API String ID: 2775327233-1405518554
                              • Opcode ID: 0885bdeb48bff71c486be85b94fc703e9b000333f9b9612ccd2745269d11fffa
                              • Instruction ID: 1b5d29fa88e4efb25a730f1b15102beef309d5de7c372112a5e01d6c8b9f6ae2
                              • Opcode Fuzzy Hash: 0885bdeb48bff71c486be85b94fc703e9b000333f9b9612ccd2745269d11fffa
                              • Instruction Fuzzy Hash: D4415822F4BA8189FB54DFB0D4A02EC33B5EF54748F086434DA4D26B5ACE3AD5269309
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3681357
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$wsc_reporter::InitiateAvOfflineCleaning
                              • API String ID: 3860382505-294364611
                              • Opcode ID: b06e2a2fc459ac6972fbed537ed8e941d57d2d899dabf103e1fd94a7367a8b17
                              • Instruction ID: fd48aa4100ec2dce13e008f68ed0f07be8a42e98c7892b2bd679bd633f28fbd0
                              • Opcode Fuzzy Hash: b06e2a2fc459ac6972fbed537ed8e941d57d2d899dabf103e1fd94a7367a8b17
                              • Instruction Fuzzy Hash: 48518332B09B8186F7109F54E4502EA73B1FB88354F581136EA9C63BAADF3ED545CB84
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3680B53
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$wsc_reporter::Start
                              • API String ID: 3860382505-1161620030
                              • Opcode ID: 3acc356391d927d1179c9e02d970692ea0622c86b7cd73b2bef44d62c4eaa9a7
                              • Instruction ID: f0a43f1a6ec21204ac68bd93757e3d853c9523593d52316846ac89f18f3be4d8
                              • Opcode Fuzzy Hash: 3acc356391d927d1179c9e02d970692ea0622c86b7cd73b2bef44d62c4eaa9a7
                              • Instruction Fuzzy Hash: 43416431B09B4196F610DB14E4602EA7375FB85360F541632EA9C53BD6CF3EE545C784
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA366AAAE
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$wsc_status_communication_peer::Stop
                              • API String ID: 3860382505-2147366973
                              • Opcode ID: 282044ed6ae36011ba4806d7332ab0728fc303be3313f00c342133789bd10df3
                              • Instruction ID: d692f0f49ad3e7abd7264f65a27dcb9f61fefabf4e646d6c7523ce64e944c387
                              • Opcode Fuzzy Hash: 282044ed6ae36011ba4806d7332ab0728fc303be3313f00c342133789bd10df3
                              • Instruction Fuzzy Hash: E7418232B0AB4186E710DB14E4602EA73B1FB85760F581236EA6C537EADF3ED405CB44
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA366D4A3
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$wsc_status_communication_provider::Stop
                              • API String ID: 3860382505-1854121952
                              • Opcode ID: 43493113ea8fe9cb976ec2b032def1b28a0d047d8b28ae7122127450c4c8862a
                              • Instruction ID: 1950ed35d3cc98c1969ab7a06601a81dd13279d4d4e6c6858252e7d1d813d52d
                              • Opcode Fuzzy Hash: 43493113ea8fe9cb976ec2b032def1b28a0d047d8b28ae7122127450c4c8862a
                              • Instruction Fuzzy Hash: 16419332B09B4186F310DB14E4602AA73B5FB84360F541636E6AC53BEADF3EE555CB84
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA36657EE
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$wsc_collector::UnInit
                              • API String ID: 3860382505-3047546046
                              • Opcode ID: 11757545deb8691adbf1fda2c3843870323c6410b7e53c5e325c39a850212bbd
                              • Instruction ID: 404fed245f4ea3417237d82d33ff8013270f566d3738495e7ca76c32b78241a0
                              • Opcode Fuzzy Hash: 11757545deb8691adbf1fda2c3843870323c6410b7e53c5e325c39a850212bbd
                              • Instruction Fuzzy Hash: 1E418632A09B4186E310DB10E4602EAB3B5FB85360F541636EAAC53BEADF3ED555C784
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA366B2E0
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$wsc_status_communication_peer::UpdateFwStatusAsync
                              • API String ID: 3860382505-1306562990
                              • Opcode ID: d50caac44f8663815dc8ff5c3d7d17248ba7559b51349e741498a5f2783f9472
                              • Instruction ID: 2a183ec7eca8af4076bd233e0e23cc370c2f3f60024e897e58d6233ee52cb270
                              • Opcode Fuzzy Hash: d50caac44f8663815dc8ff5c3d7d17248ba7559b51349e741498a5f2783f9472
                              • Instruction Fuzzy Hash: D5418232B09B8186E310DB54E8602EAB371FB84360F541232E6AC537EADF7ED545CB44
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3653B90
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$wsc_command_communication_peer::launch
                              • API String ID: 3860382505-2795836371
                              • Opcode ID: 54f77c286ece807232e2a0f748118afc85ee52b3259249e4c168ec25dd799878
                              • Instruction ID: 194e62885d915623cdd6a6326124b8fe1908c27afa32487f5aee69c11286995d
                              • Opcode Fuzzy Hash: 54f77c286ece807232e2a0f748118afc85ee52b3259249e4c168ec25dd799878
                              • Instruction Fuzzy Hash: BD414032B09B4186E710DB54E4603AAB371FB85360F541636EAAC53BDADF3ED505CB84
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3653A00
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$wsc_command_communication_peer::enable
                              • API String ID: 3860382505-749898772
                              • Opcode ID: 0d8323ac2161496d1ef82ae98db4e19bc8e56790dbbcc1151300fa043dc8403f
                              • Instruction ID: 4109f4f139c85e6e79f4ccc5ce30878345213725f30dc58ba6f96b6e8fc9cd01
                              • Opcode Fuzzy Hash: 0d8323ac2161496d1ef82ae98db4e19bc8e56790dbbcc1151300fa043dc8403f
                              • Instruction Fuzzy Hash: 08416032A09B4186E710DB54E4603AAB371FB85360F541636EAAC53BDADF3ED505CB44
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: BdCreateObject$ServMain
                              • API String ID: 2574300362-2505129937
                              • Opcode ID: 0d53f57a36ec408c6618b6e0052f3e0db73715af1cd191b1d4726aea3c0d1530
                              • Instruction ID: 9ab5f5a1a7437d702f50d6f1dfaf3ac8ba0a68676459ec580b0b4e1e8727a15d
                              • Opcode Fuzzy Hash: 0d53f57a36ec408c6618b6e0052f3e0db73715af1cd191b1d4726aea3c0d1530
                              • Instruction Fuzzy Hash: DF31072670AF8681EA10CF1AE86026973A1FB88FC5F585036DE9D53765EF3ED854C348
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA366B149
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$wsc_status_communication_peer::UnregisterFw
                              • API String ID: 3860382505-1429497769
                              • Opcode ID: 7310959c34b0d8e1473832c572706b319be633adb543b043c5005b3396b874d5
                              • Instruction ID: 10b0b2cb1796ec52ee9918bb80a241689f9ac465cb3f660573ea476aea74e5d2
                              • Opcode Fuzzy Hash: 7310959c34b0d8e1473832c572706b319be633adb543b043c5005b3396b874d5
                              • Instruction Fuzzy Hash: 2E418332B0AB4186E7109B14E8603EA7371FB85364F541231E6AD53BEADF3ED515CB84
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA366AC59
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$wsc_status_communication_peer::UnregisterAvAndAs
                              • API String ID: 3860382505-644546753
                              • Opcode ID: 97aa6b192edd871eb448e8ba63637c7fe96b40afafe614b78240633d440ae3ea
                              • Instruction ID: 62022b0d89f7972cba683537bc8b28dd867b0f9aa7fdb9fc3b8b3408f95338c7
                              • Opcode Fuzzy Hash: 97aa6b192edd871eb448e8ba63637c7fe96b40afafe614b78240633d440ae3ea
                              • Instruction Fuzzy Hash: 23416032B0AB4186E7109B14E8603EA73B1FB85364F541236E6AC537EADF3ED545CB84
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3665AF9
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$wsc_collector::Stop
                              • API String ID: 3860382505-298119417
                              • Opcode ID: cbbd38754e88cb77b372dcd633cdba76791d25d52e88c515f1bfa11461a68e7e
                              • Instruction ID: cfd92b0f36a7fb7cd9839a62b0f2e66b2b374c3bed43e434de3d5dc64f29056b
                              • Opcode Fuzzy Hash: cbbd38754e88cb77b372dcd633cdba76791d25d52e88c515f1bfa11461a68e7e
                              • Instruction Fuzzy Hash: 8D318131A0AB4186E7109B14E8603EAB371FB85364F541236E6AC537EADF3ED545CB44
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA3669B92
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$wsc_reporter_lite::Start
                              • API String ID: 3860382505-3234020082
                              • Opcode ID: de08fbc2d2f9d4ff79e8800db95c2492e5efe838ce2a50b39c5d3181578a8860
                              • Instruction ID: 330d720b2a2717b499452e572800949b3d6c26e38fd56a19fa34328e35d2d347
                              • Opcode Fuzzy Hash: de08fbc2d2f9d4ff79e8800db95c2492e5efe838ce2a50b39c5d3181578a8860
                              • Instruction Fuzzy Hash: D8318F31A0AB4186F7109B64E8603AA73B1FB85364F541232E6AC537EADF3EE505CB44
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA366A3D2
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$wsc_reporter_lite::UnregisterFw
                              • API String ID: 3860382505-3942199609
                              • Opcode ID: a603d933779cfd38f78eb872be14d02ddcad92cf41cee595dc261713b5eea8d2
                              • Instruction ID: ccac891578f7b0eb851906db57821197b7a91a0273bae8a1e6feb0e50fd1815e
                              • Opcode Fuzzy Hash: a603d933779cfd38f78eb872be14d02ddcad92cf41cee595dc261713b5eea8d2
                              • Instruction Fuzzy Hash: 94317031A0AB4186F710DB54E8603EA73B1FB85364F541236E6AC527EADF3EE505CB84
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA366A262
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$wsc_reporter_lite::InitiateAvOfflineCleaning
                              • API String ID: 3860382505-2276558501
                              • Opcode ID: 5e20fbbcd768ba83ad0f109441e0375e8420177c780e64c80e808a7f0167b0f4
                              • Instruction ID: ec3f7b2656dcadc0f2720792f4e5aed8f485e6f93f8f5ded3735b4c2b9a545fc
                              • Opcode Fuzzy Hash: 5e20fbbcd768ba83ad0f109441e0375e8420177c780e64c80e808a7f0167b0f4
                              • Instruction Fuzzy Hash: D5317031A0AB4186F7109B54E8603EAB371FB85364F541236E6AC527EADF3EE505CB84
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA366A0F2
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$wsc_reporter_lite::UpdateAvAndAsStatus
                              • API String ID: 3860382505-3236270295
                              • Opcode ID: 2b2b8622ecfe6badcaf2f416e00f0e40a30d3ed36bb66150bb4b26b2aae11bd2
                              • Instruction ID: 00ab9f227eac6d4ffc8dfdb66172365167f44c031485322b60acae85cc5385ea
                              • Opcode Fuzzy Hash: 2b2b8622ecfe6badcaf2f416e00f0e40a30d3ed36bb66150bb4b26b2aae11bd2
                              • Instruction Fuzzy Hash: AA319231A0AB4186F7109B54E4603EAB3B1FB85360F541236E6AC527EADF3ED505CB84
                              APIs
                              • timeGetTime.WINMM ref: 00007FFDA366A6F2
                                • Part of subcall function 00007FFDA36ADFA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36ADFD6
                                • Part of subcall function 00007FFDA36AE08C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDA36AE0B5
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$SleepTimetime
                              • String ID: $-> %s$wsc_reporter_lite::ReportProtectionServiceStopped
                              • API String ID: 3860382505-2535424707
                              • Opcode ID: 68edd2761f4418aa41dc1b8438907015b8c165b6ad98ebea22d7d881ae749efc
                              • Instruction ID: 07a0e5628ffcb8a677d7ca412fb9d75082684c87b0b8115db9135021dda2d70e
                              • Opcode Fuzzy Hash: 68edd2761f4418aa41dc1b8438907015b8c165b6ad98ebea22d7d881ae749efc
                              • Instruction Fuzzy Hash: 78319031A0AB4186F7109B54E8603EA7371FB85360F541236E6AC527EADF3EE505CB84
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: AddressCriticalEnterFreeLibraryProcSection
                              • String ID: BdDestroyObject$ServMain
                              • API String ID: 575065677-1001278063
                              • Opcode ID: 11c90e8f69dbb1dd852e00abf1c7e75081c8d70b9b4219355ab0900e8aefc3cf
                              • Instruction ID: 0a23436ed5a31fff46efa10b88f5ea9144ed88ed2ca0006424c604c7c6c9fe21
                              • Opcode Fuzzy Hash: 11c90e8f69dbb1dd852e00abf1c7e75081c8d70b9b4219355ab0900e8aefc3cf
                              • Instruction Fuzzy Hash: 7921B72670AF4682FB058F1AD5A43682361FB88F94F4C5435CA0E57765DF2DE8A58305
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Close$Open
                              • String ID: Software\Bitdefender\InternalCrashEnabled
                              • API String ID: 2976201327-2942834247
                              • Opcode ID: 838e30a3e1d4b23659ac1ec2554db2623311da25d8e5514d542da14d0f64e4ce
                              • Instruction ID: b54e2f42a1013d1dd99bbb9f15d08995e139925e6193a8c88dbd9c77c87ab5e1
                              • Opcode Fuzzy Hash: 838e30a3e1d4b23659ac1ec2554db2623311da25d8e5514d542da14d0f64e4ce
                              • Instruction Fuzzy Hash: B1F0F662B16B5242FF500F11F824271A3A6BF55744F8C2030DE5C57396EF2ED014C628
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: AddressFreeLibraryProc
                              • String ID: LogDeinit$logging::CLogDLL::~CLogDLL

                               Similarity
                               • API ID: String$AllocFree

                               APIs
                               • SetThreadpoolTimer.KERNEL32(?,?,?,?,?,?,?,00007FFDA3641EC4), ref: 00007FFDA36403D4
                               • WaitForThreadpoolTimerCallbacks.KERNEL32(?,?,?,?,?,?,?,00007FFDA3641EC4), ref: 00007FFDA36403E0
                               • CloseThreadpoolTimer.KERNEL32(?,?,?,?,?,?,?,00007FFDA3641EC4), ref: 00007FFDA36403EE
                               • CloseThreadpoolTimer.KERNEL32(?,?,?,?,?,?,?,00007FFDA3641EC4), ref: 00007FFDA364046F
                               Similarity
                               • API ID: ThreadpoolTimer$Close$CallbacksWait

                               Similarity
                               • API ID: ConditionMask$InfoVerifyVersion

                               APIs
                               • SetThreadpoolWait.KERNEL32(?,?,?,?,?,?,?,00007FFDA3641EC4), ref: 00007FFDA3640316
                               • WaitForThreadpoolWaitCallbacks.KERNEL32(?,?,?,?,?,?,?,00007FFDA3641EC4), ref: 00007FFDA3640324
                               • CloseThreadpoolWait.KERNEL32(?,?,?,?,?,?,?,00007FFDA3641EC4), ref: 00007FFDA3640332
                               • CloseThreadpoolWait.KERNEL32(?,?,?,?,?,?,?,00007FFDA3641EC4), ref: 00007FFDA364036B
                               Similarity
                               • API ID: Wait$Threadpool$Close$Callbacks

                               APIs
                                 • Part of subcall function 00007FFDA3629980: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDA3629AD9
                                 • Part of subcall function 00007FFDA3629980: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA3629ADF
                               • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA3650522
                               Similarity
                               • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
                               • String ID: bd.process.broker$bd.process.broker.channel.spawner

                               APIs
                                 • Part of subcall function 00007FFDA3632600: GetModuleFileNameW.KERNEL32 ref: 00007FFDA3632680
                                 • Part of subcall function 00007FFDA3632600: GetLastError.KERNEL32 ref: 00007FFDA363268E
                               • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA3631571
                                 • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                               Similarity
                               • API ID: ErrorFileLastModuleNameSleep_invalid_parameter_noinfo_noreturn
                               • String ID: dll::get_foldername failed; err=$process_with_framework::initialize_current_directory

                               APIs
                               • GetModuleFileNameW.KERNEL32 ref: 00007FFDA367D7E3
                               • GetLastError.KERNEL32 ref: 00007FFDA367D7F8
                                 • Part of subcall function 00007FFDA3632320: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA3632495
                                 • Part of subcall function 00007FFDA36A5DF0: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,Product,00007FFDA3643D13,?,?,?,00007FFDA362102E), ref: 00007FFDA36A5E34
                                 • Part of subcall function 00007FFDA36A5DF0: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,Product,00007FFDA3643D13,?,?,?,00007FFDA362102E), ref: 00007FFDA36A5E7A
                                 • Part of subcall function 00007FFDA3661DA0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDA3661DC7), ref: 00007FFDA3661DA9
                               Similarity
                               • API ID: ErrorFileLast$ExceptionHeaderModuleNameRaise_invalid_parameter_noinfo_noreturn
                               • String ID: GetModuleFileName returned an unexpected path

                               Similarity
                               • String ID: Failed to create epaas event.$windows_security_center_integration

                               Similarity
                               • API ID: _invalid_parameter_noinfo
                               • String ID: e+000$gfff

                               Similarity
                               • String ID: wsc_communicator_launcher_plg::launch_wsc_communicator$wsc_communicator_launcher_plg::restart_wsc_communicator

                               Similarity
                               • API ID: FreeLibrary
                               • String ID: Could not unregister from WSC changes. Error $wsc_reporter::unregister_from_security_service_changes

                               APIs
                               • CoInitializeEx.OLE32 ref: 00007FFDA36694E3
                                 • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                               Similarity
                               • API ID: InitializeSleep
                               • String ID: Could not initialize COM. Error $helpers::com::initialize

                               Similarity
                               • API ID: AddressCallerErrorFileLastLibraryLoadProcWrite
                               • String ID: U

                               Similarity
                               • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                               • String ID: gfffffff

                               APIs
                               • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA3659736
                                 • Part of subcall function 00007FFDA3645C90: __std_exception_copy.LIBVCRUNTIME ref: 00007FFDA3645DF7
                                 • Part of subcall function 00007FFDA36A5DF0: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,Product,00007FFDA3643D13,?,?,?,00007FFDA362102E), ref: 00007FFDA36A5E34
                                 • Part of subcall function 00007FFDA36A5DF0: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,Product,00007FFDA3643D13,?,?,?,00007FFDA362102E), ref: 00007FFDA36A5E7A
                               Similarity
                               • API ID: ExceptionFileHeaderRaise__std_exception_copy_invalid_parameter_noinfo_noreturn
                               • String ID: cannot use operator[] with a string argument with $pipe_name
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: InfoSecurity
                              • String ID: invalid handle parameter$is_owner_system
                              • API String ID: 3528565900-1961004910
                              • Opcode ID: 733135b3913b9a591668148b0c3b3ea683b1db05551a23bf1d9a81b6b7cdd7c4
                              • Instruction ID: 74c054857150877336b16b5df01d81c4c8f2200390eaee86f2b99ece6bb4a93f
                              • Opcode Fuzzy Hash: 733135b3913b9a591668148b0c3b3ea683b1db05551a23bf1d9a81b6b7cdd7c4
                              • Instruction Fuzzy Hash: 5C419332A19B8186F7108F25F4502AAB7B5FB88794F545225EBCC13BAADF3DD181C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: ErrorLastOpenService
                              • String ID: OpenService failed
                              • API String ID: 1364080077-96198573
                              • Opcode ID: 089c94e3e1e7b53954d9ff681502ba22d94fb8a11a1ae799c5da3babb1538e0e
                              • Instruction ID: 425336e6b8ca6fad88e20d988384693c2f403ac111e8fa16d327cf2d3e82a412
                              • Opcode Fuzzy Hash: 089c94e3e1e7b53954d9ff681502ba22d94fb8a11a1ae799c5da3babb1538e0e
                              • Instruction Fuzzy Hash: 41212172A09B8182F7218F15F4903A9B3B1FB88344F545135DB8D12B69EF7DD599CB04
                              APIs
                                • Part of subcall function 00007FFDA367A440: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,00007FFDA367A32D), ref: 00007FFDA367A46E
                                • Part of subcall function 00007FFDA367A440: RegCloseKey.ADVAPI32(?,?,?,?,?,00007FFDA367A32D), ref: 00007FFDA367A48B
                              • CreateThread.KERNEL32 ref: 00007FFDA367A420
                                • Part of subcall function 00007FFDA36A31E8: EnterCriticalSection.KERNEL32(?,?,?,00007FFDA3621C90), ref: 00007FFDA36A31F8
                                • Part of subcall function 00007FFDA36A3188: EnterCriticalSection.KERNEL32(?,?,?,00007FFDA3621CF4), ref: 00007FFDA36A3198
                                • Part of subcall function 00007FFDA36A3188: LeaveCriticalSection.KERNEL32(?,?,?,00007FFDA3621CF4), ref: 00007FFDA36A31D8
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: CriticalSection$Enter$CloseCreateLeaveOpenThread
                              • String ID: #abort#$#crash#
                              • API String ID: 461504956-3711271617
                              • Opcode ID: b88b25d60c340df8ce8f51c002d2b11e9df702405c13f2c9c858f26849e08909
                              • Instruction ID: 400094b67dc48ebbeccf499451bafc15ffe98bd858a50fa417b2a7254a0ccfc0
                              • Opcode Fuzzy Hash: b88b25d60c340df8ce8f51c002d2b11e9df702405c13f2c9c858f26849e08909
                              • Instruction Fuzzy Hash: 58318D22B0A64681FB108F10E8612B83762EB54B18FC85136DD4D623A2DF3FA586D718
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _handle_error
                              • String ID: "$pow
                              • API String ID: 1757819995-713443511
                              • Opcode ID: 3886a78c72beee55db735833138284eab1111463fa1d110e7556ec35f3b21d8f
                              • Instruction ID: 16bffb75057ead95bc82141227bb45e85fa5b2752e462f558e0f8dc375e0bf22
                              • Opcode Fuzzy Hash: 3886a78c72beee55db735833138284eab1111463fa1d110e7556ec35f3b21d8f
                              • Instruction Fuzzy Hash: 1531A272E1CA8486E370DF14E05076ABAB1FBDA344F282326F38916A55CB7ED0419F08
                              APIs
                              Strings
                              • i_entry >= 0 && i_entry < i_size, xrefs: 00007FFDA36B7654
                              • D:\bamboo\home\xml-data\build-dir\WSP-MASTER-SOURCES\3rdparty\tinyxml\tinyxpath\action_store.cpp, xrefs: 00007FFDA36B7655
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _set_error_mode
                              • String ID: D:\bamboo\home\xml-data\build-dir\WSP-MASTER-SOURCES\3rdparty\tinyxml\tinyxpath\action_store.cpp$i_entry >= 0 && i_entry < i_size
                              • API String ID: 1949149715-74859147
                              • Opcode ID: d77e4e5ed4441a137b3d662befe675070bfafa57c870d310fbb74cb395c2431b
                              • Instruction ID: 6af66d5bb842cf7d2fbe1e5c7d10f10aadaf0e315640bf749c49ec007ed715ce
                              • Opcode Fuzzy Hash: d77e4e5ed4441a137b3d662befe675070bfafa57c870d310fbb74cb395c2431b
                              • Instruction Fuzzy Hash: 28110661B1979181F724AB06A9600AAABA6EF94FC0F1C5435EF8C13B97CE3DD4528B44
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: _set_errno_from_matherr
                              • String ID: exp
                              • API String ID: 1187470696-113136155
                              • Opcode ID: 8e49b68a98430d6cdcc4c78fea497b5648e1964acd3ec3909c386ed780934400
                              • Instruction ID: ab970201cd233221dd9e537bb42596c90e49f84defefcf3038d529bd1fe9d4cc
                              • Opcode Fuzzy Hash: 8e49b68a98430d6cdcc4c78fea497b5648e1964acd3ec3909c386ed780934400
                              • Instruction Fuzzy Hash: 53213E36B1A641CBE760EF2CA46066AB3A1FB88340F546535E68D92B56EF3DD4008F08
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: CloseHandle_invalid_parameter_noinfo_noreturn
                              • String ID: CreateFile failed
                              • API String ID: 3151167499-3833977531
                              • Opcode ID: 31ff15eb84d94a601dfd2f3ac8fff50b1406269696aa664c1d5ee9075c447c42
                              • Instruction ID: 269169bd43629d729fc39e9e58fb7a835c55c3b2a57fbffcec1eab124f43cdc6
                              • Opcode Fuzzy Hash: 31ff15eb84d94a601dfd2f3ac8fff50b1406269696aa664c1d5ee9075c447c42
                              • Instruction Fuzzy Hash: D7119861B096C281FD14D724E4653AD6322EB857A4F842332D67C137DADF2DD546C704
                              APIs
                                • Part of subcall function 00007FFDA3629020: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDA36221D3), ref: 00007FFDA3629038
                              • timeGetTime.WINMM ref: 00007FFDA3628C76
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: SleepTimetime
                              • String ID: $<- %s [%d]
                              • API String ID: 346578373-1251298756
                              • Opcode ID: 1ab93a72d0f36b366e1713d1adc5c10bc2dc75e5e3b21eb95b831d0f8981d9d6
                              • Instruction ID: 5f717ea88d9146a195598a62f8b6c11017e37faed6925b70272cf97f5f842d51
                              • Opcode Fuzzy Hash: 1ab93a72d0f36b366e1713d1adc5c10bc2dc75e5e3b21eb95b831d0f8981d9d6
                              • Instruction Fuzzy Hash: 83216072B0A74186E6109F54F85026AB7B2F785390F281135EB9C5376ACF3ED450CB85
                              APIs
                              • try_get_function.LIBVCRUNTIME ref: 00007FFDA36C0C21
                              • TlsSetValue.KERNEL32(?,?,0000142099110276,00007FFDA36BCA7A,?,?,0000142099110276,00007FFDA36AE9AD,?,?,?,?,00007FFDA36BCC3A,?,?,00000000), ref: 00007FFDA36C0C38
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2178185251.00007FFDA3621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDA3620000, based on PE: true
                              • Associated: 00000004.00000002.2178165902.00007FFDA3620000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178255810.00007FFDA36D7000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178292230.00007FFDA3710000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178317704.00007FFDA3711000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000004.00000002.2178338142.00007FFDA3718000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffda3620000_rundll32.jbxd
                              Similarity
                              • API ID: Valuetry_get_function
                              • String ID: FlsSetValue
                              • API String ID: 738293619-3750699315
                              • Opcode ID: 1b9ce9ca0ec1cdea8a6c40949f64605397682e1ee412c4a94deff19498f34ee4
                              • Instruction ID: fd909f27d081641f4c7b65a2819858a72bac8503c257f733bc2e3dcbc0051810
                              • Opcode Fuzzy Hash: 1b9ce9ca0ec1cdea8a6c40949f64605397682e1ee412c4a94deff19498f34ee4
                              • Instruction Fuzzy Hash: A5E0E523B0AA8281FA189B14E4201F86263AF4C7C0F8C6032C50D1B396CE3EE854C708