Edit tour

Windows Analysis Report
wfdrproxy.dll

Overview

General Information

Sample name:	wfdrproxy.dll
Analysis ID:	1584174
MD5:	d0aec875dd42dceebc1a480b6aac1654
SHA1:	69670ae930e294c6587547e3c98a943e271dde20
SHA256:	e493d38dcca74cc9d8309c966728e71bb3a93b342ab77ab50b4fa3ef7890d0da
Tags:	dlluser-zhuzhu0009
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 3864 cmdline: loaddll32.exe "C:\Users\user\Desktop\wfdrproxy.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 2696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3752 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wfdrproxy.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 4520 cmdline: rundll32.exe "C:\Users\user\Desktop\wfdrproxy.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 2472 cmdline: rundll32.exe C:\Users\user\Desktop\wfdrproxy.dll,DestroyFolderWatcher MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4312 cmdline: rundll32.exe C:\Users\user\Desktop\wfdrproxy.dll,DestroyUpload MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6664 cmdline: rundll32.exe C:\Users\user\Desktop\wfdrproxy.dll,GetAllBypass MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Joe Sandbox Signatures

• AV Detection
• Compliance
• Spreading
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: wfdrproxy.dll	ReversingLabs: Detection: 58%
Source: wfdrproxy.dll	Virustotal: Detection: 56%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: wfdrproxy.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: wfdrproxy.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\DSAJKLDSJLAJKSAJFKSAJKFSAJKSAJFKSAJKFAFF\Debug\wfdrproxy.pdb source: loaddll32.exe, 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1710838785.000000006CBCC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1740661966.000000006CBCC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1770784581.000000006CBCC000.00000002.00000001.01000000.00000003.sdmp, wfdrproxy.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDB019A FindFirstFileExW,	0_2_6CDB019A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CE21660 FindFirstFileExW,FindNextFileW,	0_2_6CE21660
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CE21200 FindFirstFileExW,FindNextFileW,	0_2_6CE21200
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB2019A FindFirstFileExW,	3_2_6CB2019A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB91660 FindFirstFileExW,FindNextFileW,	3_2_6CB91660
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB91200 FindFirstFileExW,FindNextFileW,	3_2_6CB91200

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CE3BE80		0_2_6CE3BE80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBABE80		3_2_6CBABE80

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6CDB3197 appears 377 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6CDB11C1 appears 108 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6CE1F1D0 appears 34 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6CDB0BB8 appears 454 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CB23197 appears 422 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CB8F1D0 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CB20BB8 appears 507 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CB211C1 appears 108 times

Source: wfdrproxy.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal52.winDLL@12/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2696:120:WilError_03

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wfdrproxy.dll,DestroyFolderWatcher

Source: wfdrproxy.dll	ReversingLabs: Detection: 58%
Source: wfdrproxy.dll	Virustotal: Detection: 56%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\wfdrproxy.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wfdrproxy.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wfdrproxy.dll,DestroyFolderWatcher
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wfdrproxy.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wfdrproxy.dll,DestroyUpload
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wfdrproxy.dll,GetAllBypass
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wfdrproxy.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wfdrproxy.dll,DestroyFolderWatcher	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wfdrproxy.dll,DestroyUpload	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wfdrproxy.dll,GetAllBypass	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wfdrproxy.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: wfdrproxy.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: wfdrproxy.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: wfdrproxy.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: wfdrproxy.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: wfdrproxy.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: wfdrproxy.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: wfdrproxy.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: wfdrproxy.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: wfdrproxy.dll	Static PE information: section name: .textbss
Source: wfdrproxy.dll	Static PE information: section name: .msvcjmc
Source: wfdrproxy.dll	Static PE information: section name: .00cfg

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDB0B54 push ecx; ret		0_2_6CE55013
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB20B54 push ecx; ret		3_2_6CBC5013

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	API coverage: 4.1 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 4.2 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDB019A FindFirstFileExW,	0_2_6CDB019A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CE21660 FindFirstFileExW,FindNextFileW,	0_2_6CE21660
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CE21200 FindFirstFileExW,FindNextFileW,	0_2_6CE21200
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB2019A FindFirstFileExW,	3_2_6CB2019A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB91660 FindFirstFileExW,FindNextFileW,	3_2_6CB91660
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB91200 FindFirstFileExW,FindNextFileW,	3_2_6CB91200

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CE10E40 GetSystemInfo,

0_2_6CE10E40

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CDC0C20 MultiByteToWideChar,MultiByteToWideChar,DebuggerProbe,DebuggerRuntime,IsDebuggerPresent,WideCharToMultiByte,WideCharToMultiByte,

0_2_6CDC0C20

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CE1BD90 OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,GetFileType,WriteConsoleW,GetLastError,WriteFile,WriteFile,OutputDebugStringW,

0_2_6CE1BD90

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDD83B0 mov eax, dword ptr fs:[00000030h]	0_2_6CDD83B0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CE19D10 mov ecx, dword ptr fs:[00000030h]	0_2_6CE19D10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CE19C40 mov ecx, dword ptr fs:[00000030h]	0_2_6CE19C40
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CE19AA0 mov ecx, dword ptr fs:[00000030h]	0_2_6CE19AA0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CE19B70 mov ecx, dword ptr fs:[00000030h]	0_2_6CE19B70
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDBD3B0 mov eax, dword ptr fs:[00000030h]	0_2_6CDBD3B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB483B0 mov eax, dword ptr fs:[00000030h]	3_2_6CB483B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB89D10 mov ecx, dword ptr fs:[00000030h]	3_2_6CB89D10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB89C40 mov ecx, dword ptr fs:[00000030h]	3_2_6CB89C40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB89AA0 mov ecx, dword ptr fs:[00000030h]	3_2_6CB89AA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB89B70 mov ecx, dword ptr fs:[00000030h]	3_2_6CB89B70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB2D3B0 mov eax, dword ptr fs:[00000030h]	3_2_6CB2D3B0

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CDC24C0 VirtualQuery,GetProcAddress,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,

0_2_6CDC24C0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDBF5F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6CDBF5F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDD8810 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CDD8810
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDB013B SetUnhandledExceptionFilter,	0_2_6CDB013B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDC1690 SetUnhandledExceptionFilter,	0_2_6CDC1690
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDC13E0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CDC13E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB2F5F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6CB2F5F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB48810 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6CB48810
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB2013B SetUnhandledExceptionFilter,	3_2_6CB2013B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB31690 SetUnhandledExceptionFilter,	3_2_6CB31690
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB313E0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6CB313E0

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wfdrproxy.dll",#1

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetACP,GetLocaleInfoW,	0_2_6CE42E60
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6CE42FA0
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6CE1EA90
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6CE42B60
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6CE42450
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_6CE425A0
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6CE420D0
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6CE42260
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6CE42330
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6CE1FA50
Source: C:\Windows\System32\loaddll32.exe	Code function: IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_6CE430F0
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6CDB0ED8
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6CDB3679
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetACP,GetLocaleInfoW,	3_2_6CBB2E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	3_2_6CBB2FA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6CB8EA90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	3_2_6CBB2B60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6CBB2450
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_6CBB25A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	3_2_6CBB20D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6CBB2260
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6CBB2330
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	3_2_6CB8FA50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_6CBB30F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6CB23679
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	3_2_6CB20ED8

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CE1FAD0 GetSystemTimeAsFileTime,

0_2_6CE1FAD0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Rundll32	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	3 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
wfdrproxy.dll	58%	ReversingLabs	Win32.PUA.SoftCnapp
wfdrproxy.dll	56%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584174
Start date and time:	2025-01-04 14:55:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wfdrproxy.dll
Detection:	MAL
Classification:	mal52.winDLL@12/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 19 Number of non-executed functions: 118
Cookbook Comments:	Found application associated with file extension: .dll Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.521939918620145
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	wfdrproxy.dll
File size:	898'048 bytes
MD5:	d0aec875dd42dceebc1a480b6aac1654
SHA1:	69670ae930e294c6587547e3c98a943e271dde20
SHA256:	e493d38dcca74cc9d8309c966728e71bb3a93b342ab77ab50b4fa3ef7890d0da
SHA512:	9c4967e957e62e5fe17c36c261d74aabb7930acbf4c354c6da166e71b3e7957bf0e5c510b884c4851307bf4cf6272d9a86d790c9dbda6e50870f23638223b2f5
SSDEEP:	12288:asb15PYW9E5OSii3uuYqdB2kCiF3FGUpT7tMtIuQI/aTQXa:f5PYW9EHBFF3FGU57tuoT
TLSH:	B715E801BBA05118FDFB25FA45FE20A8993DB9E11724D0CB52C42AEDDA25AF0BD31717
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b!...O...O...O..hL...O..hJ.A.O..hK...O.m.K...O.m.L...O.m.J...O..hN...O...N...O..~J...O..~O...O..~....O..~M...O.Rich..O........

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100530e8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6498F797 [Mon Jun 26 02:27:35 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	817c7ef98bce85754d2d8fd28197419f

Entrypoint Preview

Instruction
jmp 00007FF0112665E8h
jmp 00007FF0112DF013h
jmp 00007FF01126A3FEh
jmp 00007FF011284359h
jmp 00007FF0112EAF14h
jmp 00007FF0112FA9C3h
jmp 00007FF011291CCAh
jmp 00007FF01127E6D5h
jmp 00007FF0112B0D60h
jmp 00007FF0112678FBh
jmp 00007FF0112FA7D6h
jmp 00007FF01128B931h
jmp 00007FF0112B266Ch
jmp 00007FF0112D1327h
jmp 00007FF0112BF352h
jmp 00007FF0112D087Dh
jmp 00007FF01127DC28h
jmp 00007FF011265273h
jmp 00007FF0112A594Eh
jmp 00007FF0112B0D59h
jmp 00007FF0112F8674h
jmp 00007FF01127CDFFh
jmp 00007FF01126D47Ah
jmp 00007FF011286325h
jmp 00007FF011297AB0h
jmp 00007FF0112A5A5Bh
jmp 00007FF011295DB6h
jmp 00007FF011262041h
jmp 00007FF011264F6Ch
jmp 00007FF0112F0DD7h
jmp 00007FF01129CE62h
jmp 00007FF0112A589Dh
jmp 00007FF011296348h
jmp 00007FF0112967D3h
jmp 00007FF01129693Eh
jmp 00007FF01127EF59h
jmp 00007FF01127EA44h
jmp 00007FF0112CC40Fh
jmp 00007FF0112E30CAh
jmp 00007FF0112D2565h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x122a70	0x5ee	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1271d0	0x28	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12a000	0x326	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12b000	0x4cec	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11fe10	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x11fd28	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x127000	0x1d0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.textbss	0x1000	0x4e611	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x50000	0xab3e2	0xab400	c537e886d5301fcaeb22fc8216ab7a48	False	0.2747405337591241	data	5.435745159215184	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xfc000	0x2705e	0x27200	726ddab222c7dd2d87d8b0b65d3c59a7	False	0.17937549920127796	data	3.5123293933529056	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x124000	0x2928	0x1200	969404309de01c1df85568310d693ca4	False	0.1384548611111111	data	2.1223147255687507	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x127000	0xbf2	0xc00	98f69aaeba8fca22da1ed122fd411ff7	False	0.3662109375	data	4.6611104062121385	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.msvcjmc	0x128000	0x8dc	0xa00	0c946249f1e8f9bf9fc4fcd52bcbc638	False	0.017578125	Targa image data - Map (257-257) 257 x 257 x 1 +257 +257 - 1-bit alpha "\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001"	0.9294509089963453	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.00cfg	0x129000	0x10e	0x200	c78b312853a2d9a75aaa372d1e38d894	False	0.037109375	data	0.14736507530476972	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x12a000	0x326	0x400	cc3043b41049f3a78d87cff769711f0c	False	0.171875	data	1.4441586203433472	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12b000	0x5b7f	0x5c00	d64f126ffff19a2179cf8d56bc088f01	False	0.6370584239130435	data	6.094474279045823	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x12a170	0x91	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.8689655172413793

Imports

DLL

Import

KERNEL32.dll

CloseHandle, GetFileAttributesW, GetModuleFileNameW, lstrlenW, GetLastError, CreateEventA, DecodePointer, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, GetCurrentThreadId, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, RaiseException, MultiByteToWideChar, WideCharToMultiByte, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeSListHead, GetStartupInfoW, GetModuleHandleW, HeapAlloc, HeapFree, GetProcessHeap, VirtualQuery, FreeLibrary, GetProcAddress, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, LoadLibraryExW, SetLastError, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleHandleExW, HeapValidate, GetSystemInfo, GetCurrentThread, GetStdHandle, GetFileType, WriteFile, OutputDebugStringW, WriteConsoleW, SetConsoleCtrlHandler, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, HeapReAlloc, HeapSize, HeapQueryInformation, GetStringTypeW, SetStdHandle, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, ReadConsoleW, CreateFileW

Exports

Name	Ordinal	Address
DestroyFolderWatcher	1	0x10051662
DestroyUpload	2	0x10053043
GetAllBypass	3	0x100531fb
GetAllWhiteList	4	0x10051513
GetDevicePathAndDeviceDescAndInstanceId	5	0x10050a2d
GetDownLoadSettingsLatestSucceedTime	6	0x1005020d
GetLangMain	7	0x10051c20
GetLatestLoginErrorCode	8	0x100508f7
GetLoginLatestSucceedTime	9	0x10050a19
GetLoginLatestTime	10	0x10052b57
GetSetupValue	11	0x1005229c
GetUseIEProxy	12	0x1005160d
HASUKY	13	0x100527bf
InitDLL	14	0x10052b7f
InitFolderWatcher	15	0x10051fd1
InitUpload	16	0x100505cd
InsertDemandWhiteUSB	17	0x1005236e
InsertUSBDeviceConnected	18	0x10051ec8
InsertUSBDeviceDisConnected	19	0x1005012c
InsertUploadWhiteUSB	20	0x1005055a
IsDemoVersion	21	0x10050f00
ModifyAdminPwd	22	0x10051a18
PassComputerUniqueID	23	0x10051fe0
RemoveWhiteList	24	0x10051842
STSPD	25	0x100523e1
SVUKY	26	0x10050e51
SetLangMain	27	0x100517d4
SetSetupValue	28	0x10050294
SetUseIEProxy	29	0x100501f4
StartSpecifiedFolderWatcher	30	0x10050037
StopAllFolderWatcher	31	0x10051b30
StopSpecifiedFolderWatcher	32	0x10050749
TryClientLogin	33	0x10051d47
VerifyNetworkConnectExpired	34	0x1005184c
VerifySoftwareExpired	35	0x10050096

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• loaddll32.exe
• conhost.exe
• cmd.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe

Click to jump to process

Memory Usage

• loaddll32.exe
• conhost.exe
• cmd.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe

Click to jump to process

Click to jump to process

Target ID:	0
Start time:	08:56:05
Start date:	04/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\wfdrproxy.dll"
Imagebase:	0x9b0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:56:05
Start date:	04/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:56:05
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wfdrproxy.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:56:05
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\wfdrproxy.dll,DestroyFolderWatcher
Imagebase:	0x560000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:56:05
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\wfdrproxy.dll",#1
Imagebase:	0x560000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:56:08
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\wfdrproxy.dll,DestroyUpload
Imagebase:	0x560000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:56:11
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\wfdrproxy.dll,GetAllBypass
Imagebase:	0x560000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.2%
Total number of Nodes:	96
Total number of Limit Nodes:	11

Executed Functions

Function 6CDD83B0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42fea7762a687a22cf2d6112516f2d1a25df828811d9156d6ed8d7143b856e2
Instruction ID: 6c9badefb8dab69c84f04b2384ea165f41c1ec573c8d96fdf751597bd518c60e
Opcode Fuzzy Hash: e42fea7762a687a22cf2d6112516f2d1a25df828811d9156d6ed8d7143b856e2
Instruction Fuzzy Hash: 3FE0A020C4C2C8A6CB038B6988427AE7B689B03308F0520C6C48887A62C5BBA509D3E1

Function 6CE19D10 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444943a13ae2ffb8ab67dbbfae9924854bd6ff28f0f721fd2be7c0ad30b87760
Instruction ID: b857c1cb5c82b109d78e0903f7b5bea40c73dcf5b7f5d19878051d20210956b2
Opcode Fuzzy Hash: 444943a13ae2ffb8ab67dbbfae9924854bd6ff28f0f721fd2be7c0ad30b87760
Instruction Fuzzy Hash: 4DE048F6D14248ABCB04CF55D441A9AB775E744215F344658EC094BB01D635EF25C691

Function 6CE1F350 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%ls, xrefs: 6CE1F3CE, 6CE1F420
cached_handle == INVALID_HANDLE_VALUE, xrefs: 6CE1F3C9
cached_handle == new_handle, xrefs: 6CE1F41B
minkernel\crts\ucrt\src\appcrt\internal\winapi_thunks.cpp, xrefs: 6CE1F3DA, 6CE1F42C

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID:
String ID: %ls$cached_handle == INVALID_HANDLE_VALUE$cached_handle == new_handle$minkernel\crts\ucrt\src\appcrt\internal\winapi_thunks.cpp
API String ID: 0-442401637
Opcode ID: ba454c427f98a18bb7750eba1390cd44b8270b12f7f02a0d2c257423a160c108
Instruction ID: 08e324cd971bfc5310e19a22b689977acc6cb3876d0c480f5dea23a8055a6263
Opcode Fuzzy Hash: ba454c427f98a18bb7750eba1390cd44b8270b12f7f02a0d2c257423a160c108
Instruction Fuzzy Hash: 0A2191B0E05249EBCF10DBA5CC45BAE7775AB0631CF304A54E41667EC0D738A665CB92

Function 6CE1F4F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(6CE1F399,00000000,00000800,?,?,6CE1F399,00000000), ref: 6CE1F501
GetLastError.KERNEL32(?,?,6CE1F399), ref: 6CE1F515
LoadLibraryExW.KERNEL32(6CE1F399,00000000,00000000,?,?,?,?,6CE1F399), ref: 6CE1F556

Strings

ext-ms-, xrefs: 6CE1F539
api-ms-, xrefs: 6CE1F522

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-$ext-ms-
API String ID: 3177248105-537541572
Opcode ID: b39b7bf745be99a5aefe467c2b10361e0defaedae95c23a4ab765765bfec6e2e
Instruction ID: befce1eebd1ef3e81ff3d36c7faf9ec642fd7d48705dfacd9dc5c321a04fda6e
Opcode Fuzzy Hash: b39b7bf745be99a5aefe467c2b10361e0defaedae95c23a4ab765765bfec6e2e
Instruction Fuzzy Hash: F4016DB1A49209BBDB00CEA4CD09B9A3775AB11719F304410FA289BA80DA79EE1187A0

Function 6CE10A00 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 255
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(01310000,00000000,?), ref: 6CE10B8F

Strings

Client hook allocation failure., xrefs: 6CE10AD8
Error: memory allocation: bad memory block type., xrefs: 6CE10B5A
Client hook allocation failure at file %hs line %d., xrefs: 6CE10ABB

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: AllocateHeap
String ID: Client hook allocation failure at file %hs line %d.$Client hook allocation failure.$Error: memory allocation: bad memory block type.
API String ID: 1279760036-2973468218
Opcode ID: 9f437b71bec49b7738add46ca10e9a0ed20b2aa22e9a1ffe4e680a402645e7b2
Instruction ID: 1b1165b157fd8873a383ee96e22e7df3ea172af89cf1ffcad3383b5ab2baddab
Opcode Fuzzy Hash: 9f437b71bec49b7738add46ca10e9a0ed20b2aa22e9a1ffe4e680a402645e7b2
Instruction Fuzzy Hash: BAB181B0A05249DFDB04CF54C890FDEB7B5FB4A318F208219E915ABB80D775A961CFA1

Function 6CDBD800 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32(00000000,00000001,00000001,VerifyNetworkConnectExpired), ref: 6CDBD846
GetLastError.KERNEL32 ref: 6CDBD865
CloseHandle.KERNEL32(00000000), ref: 6CDBD87F

Strings

VerifyNetworkConnectExpired, xrefs: 6CDBD83B

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: CloseCreateErrorEventHandleLast
String ID: VerifyNetworkConnectExpired
API String ID: 937152468-916440064
Opcode ID: ddf8d3e1d03bda505f5c7068510252c0286d26705835650a9d6febb1b1b17c4e
Instruction ID: 25843f3f8eef4847d40ef4ea5b7ed2122f51b536374cc5246dd5b4d3672e8b1f
Opcode Fuzzy Hash: ddf8d3e1d03bda505f5c7068510252c0286d26705835650a9d6febb1b1b17c4e
Instruction Fuzzy Hash: 7E11C8B6E05614ABDA207BA88845BCCB7329B01329F400552FA1E77790C7754984C6F2

Function 6CDD8260 Relevance: 4.5, APIs: 3, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(6CDD8230,?,6CDD8230,?), ref: 6CDD8275
TerminateProcess.KERNEL32(00000000,?,6CDD8230,?), ref: 6CDD827C
ExitProcess.KERNEL32 ref: 6CDD8292

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ea8859b2524b1873918b623d4366b63b87711270ace13e9b21af271ee347dcbd
Instruction ID: 496e49c328b4b010aaf408fdba25c828509096c8b7c96342bb19ea7c23c30e4e
Opcode Fuzzy Hash: ea8859b2524b1873918b623d4366b63b87711270ace13e9b21af271ee347dcbd
Instruction Fuzzy Hash: 70E012B5B01204ABCF01ABB1CC4889F3B7DAB452457114415BD0ACB251DE34F544C7F1

Function 6CE26150 Relevance: 3.1, APIs: 2, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(00000000), ref: 6CE261C8
GetFileType.KERNELBASE(000000FF), ref: 6CE261F9

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 92190de92d31e91a7f28175807b4544ec25b6636ccff23f64b5cfafadf5bf345
Instruction ID: 1f628629f44a99f60c1d15375cbea7e138a50cf687534fd27a60a4cc51f6c9a9
Opcode Fuzzy Hash: 92190de92d31e91a7f28175807b4544ec25b6636ccff23f64b5cfafadf5bf345
Instruction Fuzzy Hash: 0D419075D05289DFDB04CF94C4817ADBB75BF46328F344388C4A5AB782C338AA82CB90

Function 6CE1F4A0 Relevance: 1.5, APIs: 1, Instructions: 23
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 6CE1F4CB

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 6a7fbf0f4bd604c84febcbe2c99641186191209ab94edb24a1af5ed876e7a29e
Instruction ID: a7f905b5901a28d49e8010d97865ca41a1a06ded6f800a26ffac7bbe2ea4f2e9
Opcode Fuzzy Hash: 6a7fbf0f4bd604c84febcbe2c99641186191209ab94edb24a1af5ed876e7a29e
Instruction Fuzzy Hash: 7BE04F76A0820CFBCB00CFA5DC04D9E77B8EB8A314F204658FD0CD3600E635DA1087A0

Non-executed Functions

Function 6CE1BD90 Relevance: 54.8, APIs: 11, Strings: 20, Instructions: 600COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32(Second Chance Assertion Failed: File ), ref: 6CE1BEB4
OutputDebugStringW.KERNEL32(6CE7062C), ref: 6CE1BEDC
OutputDebugStringW.KERNEL32(, Line ), ref: 6CE1BEE7
OutputDebugStringW.KERNEL32(?), ref: 6CE1BEF4
OutputDebugStringW.KERNEL32(6CE70664), ref: 6CE1BEFF

Strings

, Line , xrefs: 6CE1BEE2
wcscat_s(szLineMessage, 4096, L"\n"), xrefs: 6CE1C0F7
wcscpy_s(szOutMessage, 4096, szLineMessage), xrefs: 6CE1C211
_CrtDbgReport: String too long or Invalid characters in String, xrefs: 6CE1C2A1
%ls(%d) : %ls, xrefs: 6CE1C159
wcstombs_s(nullptr, szOutMessage2, 4096, szOutMessage, ((size_t)-1)), xrefs: 6CE1C24B
wcscat_s(szLineMessage, 4096, szUserMessage), xrefs: 6CE1C070
wcscpy_s(szLineMessage, 4096, szFormat ? L"Assertion failed: " : L"Assertion failed!"), xrefs: 6CE1C036
_itow_s(nLine, szLineMessage, 4096, 10), xrefs: 6CE1BE87, 6CE1C68B
wcstombs_s(&ret, szaOutMessage, 4096, szOutMessage, ((size_t)-1)), xrefs: 6CE1C53D
P, xrefs: 6CE1C582
wcscpy_s(szOutMessage, 4096, L"_CrtDbgReport: String too long or IO Error"), xrefs: 6CE1C1D7
_CrtDbgReport: String too long or IO Error, xrefs: 6CE1BFE1, 6CE1C1DC
wcscat_s(szLineMessage, 4096, L"\r"), xrefs: 6CE1C0BF
_VCrtDbgReportW, xrefs: 6CE1BE82, 6CE1BF97, 6CE1BFD7, 6CE1C031, 6CE1C06B, 6CE1C0BA, 6CE1C0F2, 6CE1C192, 6CE1C1D2, 6CE1C20C, 6CE1C246, 6CE1C297, 6CE1C538, 6CE1C686
wcscpy_s(szUserMessage, 4096, L"_CrtDbgReport: String too long or IO Error"), xrefs: 6CE1BFDC
minkernel\crts\ucrt\src\appcrt\misc\dbgrptt.cpp, xrefs: 6CE1BE7D, 6CE1BF92, 6CE1BFD2, 6CE1C02C, 6CE1C066, 6CE1C0B5, 6CE1C0ED, 6CE1C18D, 6CE1C1CD, 6CE1C207, 6CE1C241, 6CE1C292, 6CE1C533, 6CE1C681
strcpy_s(szOutMessage2, 4096, "_CrtDbgReport: String too long or Invalid characters in String"), xrefs: 6CE1C29C
(*_errno()), xrefs: 6CE1BF9C, 6CE1C197
Second Chance Assertion Failed: File , xrefs: 6CE1BEAF

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: DebugOutputString
String ID: %ls(%d) : %ls$(*_errno())$, Line $P$Second Chance Assertion Failed: File $_CrtDbgReport: String too long or IO Error$_CrtDbgReport: String too long or Invalid characters in String$_VCrtDbgReportW$_itow_s(nLine, szLineMessage, 4096, 10)$minkernel\crts\ucrt\src\appcrt\misc\dbgrptt.cpp$strcpy_s(szOutMessage2, 4096, "_CrtDbgReport: String too long or Invalid characters in String")$wcscat_s(szLineMessage, 4096, L"\n")$wcscat_s(szLineMessage, 4096, L"\r")$wcscat_s(szLineMessage, 4096, szUserMessage)$wcscpy_s(szLineMessage, 4096, szFormat ? L"Assertion failed: " : L"Assertion failed!")$wcscpy_s(szOutMessage, 4096, L"_CrtDbgReport: String too long or IO Error")$wcscpy_s(szOutMessage, 4096, szLineMessage)$wcscpy_s(szUserMessage, 4096, L"_CrtDbgReport: String too long or IO Error")$wcstombs_s(&ret, szaOutMessage, 4096, szOutMessage, ((size_t)-1))$wcstombs_s(nullptr, szOutMessage2, 4096, szOutMessage, ((size_t)-1))
API String ID: 1166629820-796398028
Opcode ID: bf9a7dca1757525694f2f1339ba2a6894e781001603ca4778b86aeddcdb6dcbf
Instruction ID: d4d1ae05a2ca84dcef81d5de76f179b040eb0c5e30ee43600459b12d1e41ba08
Opcode Fuzzy Hash: bf9a7dca1757525694f2f1339ba2a6894e781001603ca4778b86aeddcdb6dcbf
Instruction Fuzzy Hash: E332F6B1E40248EBEB60DF50CC45FDE7774BB09348F208594F549B6A80DB74AA98CF65

Function 6CDC24C0 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 310memorylibraryloaderCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 6CDC24E5
GetProcAddress.KERNEL32(00000000,PDBOpenValidate5), ref: 6CDC25AF
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6CDC270C
HeapFree.KERNEL32(00000000), ref: 6CDC2713
GetProcessHeap.KERNEL32 ref: 6CDC2784
HeapAlloc.KERNEL32(00000000,00000000,?), ref: 6CDC278E

Strings

PDBOpenValidate5, xrefs: 6CDC25A9

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: Heap$Process$AddressAllocFreeProcQueryVirtual
String ID: PDBOpenValidate5
API String ID: 1898765391-413491164
Opcode ID: 53d6bb7413b079e0df2cfcea7ba84f3027b25eb7ec6f37091ba839fbce1691df
Instruction ID: a5e7a049dd3c934ebef131282456f3efe72b9aee617d42d925dc520d5f5ab800
Opcode Fuzzy Hash: 53d6bb7413b079e0df2cfcea7ba84f3027b25eb7ec6f37091ba839fbce1691df
Instruction Fuzzy Hash: 30B16D75B01219DFDF01DFA4C898BAE7B7ABF49718F240055E912A7390DB31E912CB92

Function 6CE42E60 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 6CE42E9D
GetACP.KERNEL32 ref: 6CE42EB1
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 6CE42EE2

Strings

ACP, xrefs: 6CE42E76
OCP, xrefs: 6CE42EBB

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 99f6a16f5550c023c6dc95a4afe17eed9bd6a0ddaa8cc52961c77766d6cc9841
Instruction ID: ed4358b018813aa46c8ae7fc312f07fe0eb9e5cd590edd0a29aff9cb4899708f
Opcode Fuzzy Hash: 99f6a16f5550c023c6dc95a4afe17eed9bd6a0ddaa8cc52961c77766d6cc9841
Instruction Fuzzy Hash: 47118E75600105EBDB00CF62D849F9A3778AB5634CF20C518FD06DBA00E731DA41CB61

Function 6CE430F0 Relevance: 6.2, APIs: 4, Instructions: 228COMMON

Download Yara Rule

APIs

IsValidCodePage.KERNEL32(00000000), ref: 6CE432AE

Part of subcall function 6CE422E0: GetUserDefaultLCID.KERNEL32 ref: 6CE422F6

IsValidLocale.KERNEL32(00000000,00000001), ref: 6CE432C8
GetLocaleInfoW.KERNEL32(00000000,00001001,00000000,00000040,00000000,-00000120,00000055,00000000,00000000,?,00000055,00000000), ref: 6CE43331

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: LocaleValid$CodeDefaultInfoPageUser
String ID:
API String ID: 334263767-0
Opcode ID: 15b2e34d2cf20099d7b6fd185cdd7ac8c89b6e1a46e115e437c3a2f2cea83732
Instruction ID: c916a88bb48341102f3a5972c183d2d7c5f7ea7c3fb9f4b0f8a9c21ba94d63f9
Opcode Fuzzy Hash: 15b2e34d2cf20099d7b6fd185cdd7ac8c89b6e1a46e115e437c3a2f2cea83732
Instruction Fuzzy Hash: A5914CB1A01205DBEB04CFA4D885BAFB7B6EF49309F24C118E505AB780D735E946CBA5

Function 6CDC13E0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 6CDC13EB
IsDebuggerPresent.KERNEL32 ref: 6CDC14BB
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CDC14E7
UnhandledExceptionFilter.KERNEL32(?), ref: 6CDC14F1

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: e63b9b375ee64aedd9b45a0ae40be761bf6043f0738f79a9a9c12482f7c7caa0
Instruction ID: bfc363df6d1991ac57ae989f7b59eef81b6264f888e7e99f993b9fda9718904a
Opcode Fuzzy Hash: e63b9b375ee64aedd9b45a0ae40be761bf6043f0738f79a9a9c12482f7c7caa0
Instruction Fuzzy Hash: B13107B4E152289BDB11DF64C8497DDBBB4AF09304F1481D9E80D6B290E7759A88CF51

Function 6CE425A0 Relevance: 4.8, APIs: 3, Instructions: 292COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,00001002,?,00000078), ref: 6CE4261F
GetLocaleInfoW.KERNEL32(?,00001001,?,00000078), ref: 6CE42699

Part of subcall function 6CE42FA0: GetLocaleInfoW.KERNEL32(00000000,20000001,?,00000002,?,?,00000000,?), ref: 6CE42FDB

GetLocaleInfoW.KERNEL32(?,00001001,?,00000078), ref: 6CE42835

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b33919f70b1f2a8ffda6b0978d29f41a9fa06872ccfd89050b20e5d7792e2d03
Instruction ID: cb17801d8ef4da88db98c13211a27c6be8c5fc850b1411d67d1789b34ac57509
Opcode Fuzzy Hash: b33919f70b1f2a8ffda6b0978d29f41a9fa06872ccfd89050b20e5d7792e2d03
Instruction Fuzzy Hash: B2D11D74A4021ACBDB64CF14D884BE9B3B5BB59308F21C1E8D559ABB40EB70AEC5DF50

Function 6CDD8810 Relevance: 4.6, APIs: 3, Instructions: 81COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6CDD8910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CDD891E
UnhandledExceptionFilter.KERNEL32(?), ref: 6CDD892B

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: ecc86e32a6408c1748ea6d3c8a59eb6ac88683b58985ae8a54acda5eea46fecf
Instruction ID: d80df96b8be99c565e74104fe82776ec55a39f4f2e78447f2a20b6f018f5224b
Opcode Fuzzy Hash: ecc86e32a6408c1748ea6d3c8a59eb6ac88683b58985ae8a54acda5eea46fecf
Instruction Fuzzy Hash: BB41E5B5D11228DBCB25DF24D8887D9B7B4BF08314F5042DAE80DA6290E7309B89CF95

Function 6CE3BE80 Relevance: 4.4, Strings: 3, Instructions: 603COMMON

Download Yara Rule

Strings

%ls, xrefs: 6CE3BEB9
minkernel\crts\ucrt\inc\corecrt_internal_big_integer.h, xrefs: 6CE3BEC5
("Division by zero", false), xrefs: 6CE3BEB4

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID:
String ID: %ls$("Division by zero", false)$minkernel\crts\ucrt\inc\corecrt_internal_big_integer.h
API String ID: 0-226933
Opcode ID: eff7d11370f3bb5fba32e8f625b4e99b251a2bbb4aa94e4ec84311719ae9bff8
Instruction ID: aaa99f0de189d23d42fb1f03147a596c1418d612756f97a7f9a3e7c0749d7b30
Opcode Fuzzy Hash: eff7d11370f3bb5fba32e8f625b4e99b251a2bbb4aa94e4ec84311719ae9bff8
Instruction Fuzzy Hash: C962A974E049288FDB64DF18CD94B9AB7B2BB89356F1092D9D80DA7744DB34AE81CF40

Function 6CE19C40 Relevance: 3.8, Strings: 3, Instructions: 52COMMON

Download Yara Rule

Strings

%ls, xrefs: 6CE19CB8
minkernel\crts\ucrt\src\appcrt\internal\win_policies.cpp, xrefs: 6CE19CC1
cached_state == static_cast<long>(policyValue), xrefs: 6CE19CB3

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID:
String ID: %ls$cached_state == static_cast<long>(policyValue)$minkernel\crts\ucrt\src\appcrt\internal\win_policies.cpp
API String ID: 0-2042085565
Opcode ID: afcb949b6828f3167c9a752999c300ea0033045a4c7361934ab1cf1d9b9c050a
Instruction ID: e56a37c50bc25c39931a978bc734f7d2a17ed6416fdc6ed698702eb5cf861931
Opcode Fuzzy Hash: afcb949b6828f3167c9a752999c300ea0033045a4c7361934ab1cf1d9b9c050a
Instruction Fuzzy Hash: FD1182B5D45208EBDB00DB95C941B9DB7F4BB44308F304698D41A6BF80E775AA65CBC1

Function 6CE19AA0 Relevance: 3.8, Strings: 3, Instructions: 52COMMON

Download Yara Rule

Strings

%ls, xrefs: 6CE19B18
minkernel\crts\ucrt\src\appcrt\internal\win_policies.cpp, xrefs: 6CE19B21
cached_state == static_cast<long>(policyValue), xrefs: 6CE19B13

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID:
String ID: %ls$cached_state == static_cast<long>(policyValue)$minkernel\crts\ucrt\src\appcrt\internal\win_policies.cpp
API String ID: 0-2042085565
Opcode ID: 641785cbccf0d7eb8ad7378f327a6833013778336f96585d77668f4642fb5504
Instruction ID: 9c199a21d8a02cb6fb032b8b73606905587d10052848645318993c02ed2360a8
Opcode Fuzzy Hash: 641785cbccf0d7eb8ad7378f327a6833013778336f96585d77668f4642fb5504
Instruction Fuzzy Hash: D411C2B4D15208EBDB00DBA5C842F9EB3B0AB04308F304698D4196BF80E734EB64CB81

Function 6CE19B70 Relevance: 3.8, Strings: 3, Instructions: 52COMMON

Download Yara Rule

Strings

%ls, xrefs: 6CE19BE8
minkernel\crts\ucrt\src\appcrt\internal\win_policies.cpp, xrefs: 6CE19BF1
cached_state == static_cast<long>(policyValue), xrefs: 6CE19BE3

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID:
String ID: %ls$cached_state == static_cast<long>(policyValue)$minkernel\crts\ucrt\src\appcrt\internal\win_policies.cpp
API String ID: 0-2042085565
Opcode ID: ff10486fbf3b7490106e06cc252495d52b37084abdeadff758a237c20d07ce06
Instruction ID: 3126536a8822e72a387a97a9fc128e3521baf72621485b747bc4f5c1878de022
Opcode Fuzzy Hash: ff10486fbf3b7490106e06cc252495d52b37084abdeadff758a237c20d07ce06
Instruction Fuzzy Hash: F41182B5D45208ABDB00DF95C941B9DB7B0AB44308F344AA8D81A6BF80E775AB64CB81

Function 6CE21660 Relevance: 3.2, APIs: 2, Instructions: 224fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(00000000,00000000,?), ref: 6CE21773
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 6CE21915

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 4d60a4d972bcdb814794c8d9f3f9aefbd12c0d9148c63ef18a101a44cf0d5003
Instruction ID: e0b7f837be8a676f7a10d260a5953eee8763809b98edd152ac9b34f617eeeba1
Opcode Fuzzy Hash: 4d60a4d972bcdb814794c8d9f3f9aefbd12c0d9148c63ef18a101a44cf0d5003
Instruction Fuzzy Hash: 36A14E71A042289BCB24DF64CC98BED73B5AF85308F2041D9E44A6B690DF35AF89CF50

Function 6CE21200 Relevance: 3.2, APIs: 2, Instructions: 223fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(00000000,00000000,?), ref: 6CE21311
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 6CE214B3

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 613d461007fb9c44fccc015debf851af98bb51209d16dd4223fd9de401c1d153
Instruction ID: 209d1e31b7854025e5b393e38ec938aa071c83568070496e98d3491c74a3c855
Opcode Fuzzy Hash: 613d461007fb9c44fccc015debf851af98bb51209d16dd4223fd9de401c1d153
Instruction Fuzzy Hash: 1DA17E719042689BDB24DF64CC98BEE7775AF45308F2041D9E40A6BA90DF35AF88CF50

Function 6CE42B60 Relevance: 1.6, APIs: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,00001001,?,00000078), ref: 6CE42BDF

Part of subcall function 6CE42FA0: GetLocaleInfoW.KERNEL32(00000000,20000001,?,00000002,?,?,00000000,?), ref: 6CE42FDB

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 3f622d1905ad23e4af0ec0221f7f3ef83c768e9d7bda4dadf08c3ff015e5f25c
Instruction ID: 8b300d050d299c18631630f2d7e84c9f059d714238f715d5fa1c347fc2eb4e1e
Opcode Fuzzy Hash: 3f622d1905ad23e4af0ec0221f7f3ef83c768e9d7bda4dadf08c3ff015e5f25c
Instruction Fuzzy Hash: 58511FB5E4021A8BDB64CF14D884BE9B3B5AB58308F11C1E8D80DA7B40E771AEC5DF50

Function 6CE10E40 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,91CE9983), ref: 6CE10E96

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 6fec0062dea64b36bb47005d2d5a20e841f9e195babb46e18a0fa8014dbcb9c8
Instruction ID: a253d81e280a9f1b58e615dab88d05702743971e2fb4d7e0e50387b6f8a420ca
Opcode Fuzzy Hash: 6fec0062dea64b36bb47005d2d5a20e841f9e195babb46e18a0fa8014dbcb9c8
Instruction Fuzzy Hash: FC31DD75D09258DFCF10CFA8C981ADEBBB1BB4A320F20826AE419B3A40D3356951CB64

Function 6CE420D0 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,00001002,?,00000078), ref: 6CE4214F

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 47dc104ddc41fba0b69fb92663c1a9188cff5026ad6cbe8589324307fa4409cc
Instruction ID: fb24a08f570213eae72ce0e9139329bf04d76d7ef739dc91207cb921589c612e
Opcode Fuzzy Hash: 47dc104ddc41fba0b69fb92663c1a9188cff5026ad6cbe8589324307fa4409cc
Instruction Fuzzy Hash: 373159B1E0021ACBDB24CF14DC84BEAB7B4AB18304F1181E9D909A7740EB70AEC4DF50

Function 6CE42330 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(6CE425A0,00000001), ref: 6CE423D9

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: ecc079373d14fe796ad84fc27fa02a513fdbcfe110aac374d8243fb90f59cc9d
Instruction ID: e7875b5ad6a2d535d1b5318a002a550c4c2c80281e8bbb4bcf82bf257fe666d9
Opcode Fuzzy Hash: ecc079373d14fe796ad84fc27fa02a513fdbcfe110aac374d8243fb90f59cc9d
Instruction Fuzzy Hash: 38212AB5A00209EFDB04CF94D488B9EBBB2FB59308F208598D8159B791D775EE85CB81

Function 6CE42FA0 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,20000001,?,00000002,?,?,00000000,?), ref: 6CE42FDB

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e02b421bac2f9fa11dc73ba3eec4fcb69d6e8c469f5f6da22fead2ba9471b1c0
Instruction ID: dffd6f4117b36845daa13239d2b4990dadddc31779d9c138e29598f8e68374e9
Opcode Fuzzy Hash: e02b421bac2f9fa11dc73ba3eec4fcb69d6e8c469f5f6da22fead2ba9471b1c0
Instruction Fuzzy Hash: 1701B5B2D00114ABDB10DBA5E885BBE77B9AB44309F20C665E815DB780E635EE409BA1

Function 6CE42450 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(6CE42B60,00000001), ref: 6CE424C2

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 8f96f54b95935e429005b98c38ca58438640180460d0b9ad02d61672c3e769dd
Instruction ID: f17f1059e87b7657933cd2170b40ee9947364b7b419ee86380a10073260b4af1
Opcode Fuzzy Hash: 8f96f54b95935e429005b98c38ca58438640180460d0b9ad02d61672c3e769dd
Instruction Fuzzy Hash: 031169B4E00208EFDB00CF94D488B9DBBB2FB99308F208598D815AB740D775AE85CF81

Function 6CE1FA50 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,?,?), ref: 6CE1FAA2

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 8af8e50885f0fc0164b2b9a7981d5920a5f16f48bafd3e28e32ef4e6929feb96
Instruction ID: 1433f1d988c09430dcd0c62f0e6fd5b3766f717af75c36de4b53b9b75ce6a83d
Opcode Fuzzy Hash: 8af8e50885f0fc0164b2b9a7981d5920a5f16f48bafd3e28e32ef4e6929feb96
Instruction Fuzzy Hash: 8B01EC75A04108FFCB04DF98D858EAF77B9EF89301F208558F91997650D734AE51CBA1

Function 6CE42260 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(Function_000E20D0,00000001), ref: 6CE422A7

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: f44681dde674df501fee042bb0477f23805f48ebff572e917d17eb9dd7955b8a
Instruction ID: 37b8f7ef89624785ddd40f4722b5ac739585f362584fe4025ca5a074881c94e8
Opcode Fuzzy Hash: f44681dde674df501fee042bb0477f23805f48ebff572e917d17eb9dd7955b8a
Instruction Fuzzy Hash: B8F054B5E00208EFDB00DF94D888B8E7BB1EB45318F248594E8099B740D771EE84CBD1

Function 6CE1EA90 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(00000000,00000001), ref: 6CE1EAB9

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 13cf7eeb61f0655139d0dc89fcab583503d57a455fa759b04ef70e5b04cba093
Instruction ID: e168a9ae6c5c97030deb492e77a150d2cdc6acd0743fdaedf22c301771005ad0
Opcode Fuzzy Hash: 13cf7eeb61f0655139d0dc89fcab583503d57a455fa759b04ef70e5b04cba093
Instruction Fuzzy Hash: C7F012B1D093486BDF00DFA4D84AADE7F749B15244F0440A9E80AA7780EA71AA1CCB62

Function 6CE1FAD0 Relevance: 1.5, APIs: 1, Instructions: 22timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 6CE1FB02

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 439751679031f8997756e972d6c91ed9f92d59cb7cd611009c4e3dd038f0ed22
Instruction ID: 203f2fb26a409c5b79009336a81f056a4933b40853be60808641c62d04be5cd5
Opcode Fuzzy Hash: 439751679031f8997756e972d6c91ed9f92d59cb7cd611009c4e3dd038f0ed22
Instruction Fuzzy Hash: 2AE01275905108EBCB00DFA8C4489DDBF75EB85301F208169F90597B40DB345F55DB91

Function 6CDC1690 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(6CDB2EA4), ref: 6CDC1698

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e1436ea85442fc5830459ce4ef2753163e364948392d06a61b49ec2310b0a991
Instruction ID: e34eecfeee6d7da34a5816e362718ceed7b725ee8676a089b4aec941ff84a6a1
Opcode Fuzzy Hash: e1436ea85442fc5830459ce4ef2753163e364948392d06a61b49ec2310b0a991
Instruction Fuzzy Hash: 35A022B220220CAB0A0033C3A80C8203B3CCA030A83000080FA0E088200B22A80000F3

Function 6CDBD3B0 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

0, xrefs: 6CDBD42F

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 298c53da0bea7c7aea81ee972b8ad5dccbfc9b8249e86a434f1a5563ba5210f3
Instruction ID: 9eae4c703e9004db62b9e915cb1cd7b3244719370ffde9d1da53793f31230dd3
Opcode Fuzzy Hash: 298c53da0bea7c7aea81ee972b8ad5dccbfc9b8249e86a434f1a5563ba5210f3
Instruction Fuzzy Hash: 6A21D2B5E01208DFCB04CF98D594AEDFBB5FB49314F10406AE80ABBB64D734A945CBA1

Function 6CDB0ED8 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51bde81ecb97f5faec1888add91adb6984f6402456a2f311ca70219574dafe0a
Instruction ID: d5fa17da0a90752c8a50682aac3312c6ada422a56d37f5b3b010c91c1eb183cf
Opcode Fuzzy Hash: 51bde81ecb97f5faec1888add91adb6984f6402456a2f311ca70219574dafe0a
Instruction Fuzzy Hash:

Function 6CDB019A Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2680a777aee5739fa26acd961692cb3e0ea7db0d2bb2725d31725b4632fc1eb6
Instruction ID: 7613f45f7c81b4d6f0b429c86eecba375c121f2f7f981deefb9d399fca50e3bc
Opcode Fuzzy Hash: 2680a777aee5739fa26acd961692cb3e0ea7db0d2bb2725d31725b4632fc1eb6
Instruction Fuzzy Hash:

Function 6CDB013B Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96ec4d85f0ae5d25d511165f6e49977c588385641b28382695bcff3dc60fdac
Instruction ID: 8df3cd9a4c0b9ab967d7e5b5e4614ffa0ace237ae96bc1caeb1c6b3f611089a9
Opcode Fuzzy Hash: f96ec4d85f0ae5d25d511165f6e49977c588385641b28382695bcff3dc60fdac
Instruction Fuzzy Hash:

Function 6CDB3679 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f705626199d356711a944149a4bfafe2969aa4768b69521a559410c4e830581a
Instruction ID: c4632f29725b87659d9d76dc622997f8ecaa74a56e919c2d64210e365425eed9
Opcode Fuzzy Hash: f705626199d356711a944149a4bfafe2969aa4768b69521a559410c4e830581a
Instruction Fuzzy Hash:

Function 6CDDA800 Relevance: 23.0, APIs: 3, Strings: 10, Instructions: 299COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,00000000), ref: 6CDDA840

Strings

@, xrefs: 6CDDA90C
traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character())), xrefs: 6CDDA8C0
_CrtDbgReport: String too long or IO Error, xrefs: 6CDDAC50
minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp, xrefs: 6CDDA8B6, 6CDDAC01, 6CDDAC41
wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error"), xrefs: 6CDDAC4B
common_message_window, xrefs: 6CDDA8BB, 6CDDAC06, 6CDDAC46
@, xrefs: 6CDDA9AF
..., xrefs: 6CDDAB1E
(*_errno()), xrefs: 6CDDAC0B
Microsoft Visual C++ Runtime Library, xrefs: 6CDDAC77

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: HandleModule
String ID: (*_errno())$...$@$@$Microsoft Visual C++ Runtime Library$_CrtDbgReport: String too long or IO Error$common_message_window$minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp$traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character()))$wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error")
API String ID: 4139908857-1633980848
Opcode ID: 312f9412fa9ca37f7ceb4d5f40ab176da204299f7164342b48a64edf3ed015fb
Instruction ID: 29874a0997c18cc8cc8cf607f4994ba7f95d14d8496639410a16bc35ce8e3343
Opcode Fuzzy Hash: 312f9412fa9ca37f7ceb4d5f40ab176da204299f7164342b48a64edf3ed015fb
Instruction Fuzzy Hash: 20D190B1E41229EBDB24DF94CC89BDAB374AB44304F1181D9E40D67AA0D774ABC5CF91

Function 6CDDA1E0 Relevance: 23.0, APIs: 3, Strings: 10, Instructions: 296COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,00000000), ref: 6CDDA220

Strings

@, xrefs: 6CDDA2EC
traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character())), xrefs: 6CDDA2A0
_CrtDbgReport: String too long or IO Error, xrefs: 6CDDA621
minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp, xrefs: 6CDDA296, 6CDDA5D2, 6CDDA612
wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error"), xrefs: 6CDDA61C
common_message_window, xrefs: 6CDDA29B, 6CDDA5D7, 6CDDA617
..., xrefs: 6CDDA4EF
(*_errno()), xrefs: 6CDDA5DC
@, xrefs: 6CDDA380
Microsoft Visual C++ Runtime Library, xrefs: 6CDDA648

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: HandleModule
String ID: (*_errno())$...$@$@$Microsoft Visual C++ Runtime Library$_CrtDbgReport: String too long or IO Error$common_message_window$minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp$traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character()))$wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error")
API String ID: 4139908857-1633980848
Opcode ID: 74b0917a639993a8cc48015ae6fcd3818dd3af91321d2bd9b78a40729698ac31
Instruction ID: f8251b74e0c6161985480b60b24db1a6ecbd7faf586db7a644cbddb97fdede13
Opcode Fuzzy Hash: 74b0917a639993a8cc48015ae6fcd3818dd3af91321d2bd9b78a40729698ac31
Instruction Fuzzy Hash: A6D1CCB0D00268CBDB24CF50CC4EBDAB775AB69304F2181D9E60D67AA0D770AAD5CF91

Function 6CE304E0 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 142COMMON

Download Yara Rule

Strings

wcscpy_s(progname, progname_size, L"<program name unknown>"), xrefs: 6CE305B8
wcsncpy_s(pch, progname_size - (pch - progname), L"...", 3), xrefs: 6CE30616
minkernel\crts\ucrt\src\appcrt\internal\report_runtime_error.cpp, xrefs: 6CE3054F, 6CE305AE, 6CE3060C, 6CE3064C, 6CE30682
wcscpy_s(outmsg, (sizeof(*__countof_helper(outmsg)) + 0), L"Runtime Error!\n\nProgram: "), xrefs: 6CE30559
wcscat_s(outmsg, (sizeof(*__countof_helper(outmsg)) + 0), message), xrefs: 6CE3068C
wcscat_s(outmsg, (sizeof(*__countof_helper(outmsg)) + 0), L"\n\n"), xrefs: 6CE30656
..., xrefs: 6CE3061D
Runtime Error!Program: , xrefs: 6CE3055E
<program name unknown>, xrefs: 6CE305BD
Microsoft Visual C++ Runtime Library, xrefs: 6CE306B5
__acrt_report_runtime_error, xrefs: 6CE30554, 6CE305B3, 6CE30611, 6CE30651, 6CE30687

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID:
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $__acrt_report_runtime_error$minkernel\crts\ucrt\src\appcrt\internal\report_runtime_error.cpp$wcscat_s(outmsg, (sizeof(*__countof_helper(outmsg)) + 0), L"\n\n")$wcscat_s(outmsg, (sizeof(*__countof_helper(outmsg)) + 0), message)$wcscpy_s(outmsg, (sizeof(*__countof_helper(outmsg)) + 0), L"Runtime Error!\n\nProgram: ")$wcscpy_s(progname, progname_size, L"<program name unknown>")$wcsncpy_s(pch, progname_size - (pch - progname), L"...", 3)
API String ID: 0-4242594854
Opcode ID: ee8fcacb7606052a0ac22a032da5ef91cea0be0aaaa6447251241fe9fbdfc9c0
Instruction ID: e09a329587055b7cfc9c63ad1ab6c7b8ae6484a62f37a9fcfeab942adb27c497
Opcode Fuzzy Hash: ee8fcacb7606052a0ac22a032da5ef91cea0be0aaaa6447251241fe9fbdfc9c0
Instruction Fuzzy Hash: 3A4105F2E41204B7EB14E7A48D42FAE37795B40308F704959F50DBAB92EA30AA04C6B5

Function 6CDC0900 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 79COMMON

Download Yara Rule

APIs

failwithmessage.LIBCMTD ref: 6CDC093D

Part of subcall function 6CDC0C20: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,6CDC09D2,000000FF,00000000,00000000,?), ref: 6CDC0C81
Part of subcall function 6CDC0C20: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,6CDC09D2,000000FF,?,00000000), ref: 6CDC0CA0
Part of subcall function 6CDC0C20: DebuggerProbe.LIBCMTD ref: 6CDC0CBA
Part of subcall function 6CDC0C20: DebuggerRuntime.LIBCMTD ref: 6CDC0CD6
Part of subcall function 6CDC0C20: IsDebuggerPresent.KERNEL32 ref: 6CDC0CFF

_getMemBlockDataString.LIBCMTD ref: 6CDC0969
failwithmessage.LIBCMTD ref: 6CDC09CD

Strings

Data: <, xrefs: 6CDC0983
Stack area around _alloca memory reserved by this function is corrupted, xrefs: 6CDC0934
Address: 0x, xrefs: 6CDC099A
Stack area around _alloca memory reserved by this function is corrupted, xrefs: 6CDC099F
Allocation number within this function: , xrefs: 6CDC098E
Size: , xrefs: 6CDC0994
%s%s%p%s%zd%s%d%s%s%s%s%s, xrefs: 6CDC09A4

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: Debugger$ByteCharMultiWidefailwithmessage$BlockDataPresentProbeRuntimeString_get
String ID: Address: 0x$Allocation number within this function: $Data: <$Size: $%s%s%p%s%zd%s%d%s%s%s%s%s$Stack area around _alloca memory reserved by this function is corrupted$Stack area around _alloca memory reserved by this function is corrupted
API String ID: 4067135985-3301296223
Opcode ID: 08d61120fa61d77e165a73f71ecbb302cef11656e6aa5fc856d8d83f26009731
Instruction ID: cb606990fefefffb735e5043b7a56e25558f83f85b215b661efac60113ae243b
Opcode Fuzzy Hash: 08d61120fa61d77e165a73f71ecbb302cef11656e6aa5fc856d8d83f26009731
Instruction Fuzzy Hash: 1321D7B6A00108BBCB10CFA5CD84EEEB7BCEB08314F540656FA0DA7550D631A6598761

Function 6CE279B0 Relevance: 16.8, APIs: 1, Strings: 10, Instructions: 265COMMON

Download Yara Rule

Strings

destination_count <= INT_MAX, xrefs: 6CE27A0E, 6CE27A50
_wctomb_s_l, xrefs: 6CE27A4B, 6CE27BC0, 6CE27CFC
*, xrefs: 6CE27B40
%ls, xrefs: 6CE27A13, 6CE27B88, 6CE27CBE
", xrefs: 6CE27BD2
", xrefs: 6CE27D0E
("Buffer too small", 0), xrefs: 6CE27CB9, 6CE27D01
*, xrefs: 6CE27D2D
minkernel\crts\ucrt\src\appcrt\convert\wctomb.cpp, xrefs: 6CE27A1C, 6CE27A46, 6CE27B91, 6CE27BBB, 6CE27CCA, 6CE27CF7
destination_count > 0, xrefs: 6CE27B83, 6CE27BC5

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID:
String ID: "$"$%ls$("Buffer too small", 0)$*$*$_wctomb_s_l$destination_count <= INT_MAX$destination_count > 0$minkernel\crts\ucrt\src\appcrt\convert\wctomb.cpp
API String ID: 0-2198373435
Opcode ID: 7663175df4526f3f4807833324a9ca71849413998423e554804e33582ab6336e
Instruction ID: b72fc7a64a314f6b1c46a43ad8582b7e210be29cc6f83d02489e2df4bb5eb164
Opcode Fuzzy Hash: 7663175df4526f3f4807833324a9ca71849413998423e554804e33582ab6336e
Instruction Fuzzy Hash: BFB14CB1D00208EFDB14DF90D895BEE77B0BB0531CF308519E4116BB90D779AA89CBA1

Function 6CE55E5E Relevance: 15.1, APIs: 10, Instructions: 135COMMON

Download Yara Rule

APIs

_cmpDWORD.LIBCMTD ref: 6CE55E6C

Part of subcall function 6CE55560: _cmpBYTE.LIBCMTD ref: 6CE55596

_cmpDWORD.LIBCMTD ref: 6CE55E93

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: _cmp
String ID:
API String ID: 2028851527-0
Opcode ID: dcf5647540f9869c7e8f67cfd3f3416951bda7d1ccddd060f364bd93f6ce725b
Instruction ID: 52d790fdcd16ef6bafc9d4821a1d15189565c19ce76c9aaef2177742562cfe79
Opcode Fuzzy Hash: dcf5647540f9869c7e8f67cfd3f3416951bda7d1ccddd060f364bd93f6ce725b
Instruction Fuzzy Hash: 51510AB1902108EFCB04CFBCDA45A9D7BB5AB41308FB08558F419AB749EB32AB54DB50

Function 6CE207E0 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 221COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMTD ref: 6CE20875

Strings

%ls, xrefs: 6CE2080F
common_expand_argv_wildcards, xrefs: 6CE2084D, 6CE20A3D
*, xrefs: 6CE20897
traits::tcsncpy_s( character_it, character_count - (character_it - character_first), *it, count), xrefs: 6CE20A42
result != nullptr, xrefs: 6CE2080A, 6CE20852
?, xrefs: 6CE2089B
minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp, xrefs: 6CE2081B, 6CE20848, 6CE20A38

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: std::exception::exception
String ID: %ls$*$?$common_expand_argv_wildcards$minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp$result != nullptr$traits::tcsncpy_s( character_it, character_count - (character_it - character_first), *it, count)
API String ID: 2807920213-976376051
Opcode ID: 3bb576866edb291e51630d0cd27c148eed3a5c977c8aa58a8f82a63cc56eef2b
Instruction ID: cde1880a821df2b5d416bab2843a95830d7cac828b3ee7e548352cbe0f459319
Opcode Fuzzy Hash: 3bb576866edb291e51630d0cd27c148eed3a5c977c8aa58a8f82a63cc56eef2b
Instruction Fuzzy Hash: 48913DB1D00249EFDB04DFD4C9A4BEEB7B4AF54308F204519E4167B790EB78AA49CB61

Function 6CE41CE0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 251COMMON

Download Yara Rule

APIs

GetACP.KERNEL32 ref: 6CE41E44
IsValidCodePage.KERNEL32(0000FDE8), ref: 6CE41E61

Strings

wcsncpy_s(lpOutStr->szCodePage, (sizeof(*__countof_helper(lpOutStr->szCodePage)) + 0), L"utf8", 5), xrefs: 6CE41FAE
minkernel\crts\ucrt\src\appcrt\locale\get_qualified_locale.cpp, xrefs: 6CE41EA6, 6CE41FA4
utf8, xrefs: 6CE41FB5
wcsncpy_s(lpOutStr->szLocaleName, (sizeof(*__countof_helper(lpOutStr->szLocaleName)) + 0), _psetloc_data->_cacheLocaleName, wcslen, xrefs: 6CE41EB0
__acrt_get_qualified_locale, xrefs: 6CE41EAB, 6CE41FA9

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: CodePageValid
String ID: __acrt_get_qualified_locale$minkernel\crts\ucrt\src\appcrt\locale\get_qualified_locale.cpp$utf8$wcsncpy_s(lpOutStr->szCodePage, (sizeof(*__countof_helper(lpOutStr->szCodePage)) + 0), L"utf8", 5)$wcsncpy_s(lpOutStr->szLocaleName, (sizeof(*__countof_helper(lpOutStr->szLocaleName)) + 0), _psetloc_data->_cacheLocaleName, wcslen
API String ID: 1911128615-3002009667
Opcode ID: 10a13d569ba75e86416b896657a302caeaac2471c916811468087000d103a937
Instruction ID: c3c7b6ed6eb2e6ceb01e56dcb7dc74ed4fa9220329fddc070c8b250475b1b72a
Opcode Fuzzy Hash: 10a13d569ba75e86416b896657a302caeaac2471c916811468087000d103a937
Instruction Fuzzy Hash: 7591D3B5A00204ABEF04CFA4DC46FAA73B5AF4530DF34C568E805AB781E775EA61C764

Function 6CE2F460 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

HeapSize.KERNEL32(01310000,00000000,00000000), ref: 6CE2F505
HeapReAlloc.KERNEL32(01310000,00000010,00000000,?), ref: 6CE2F53A

Strings

%ls, xrefs: 6CE2F490
_expand_base, xrefs: 6CE2F4C8
block != nullptr, xrefs: 6CE2F48B, 6CE2F4CD
minkernel\crts\ucrt\src\appcrt\heap\expand.cpp, xrefs: 6CE2F499, 6CE2F4C3

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: Heap$AllocSize
String ID: %ls$_expand_base$block != nullptr$minkernel\crts\ucrt\src\appcrt\heap\expand.cpp
API String ID: 3906553864-3244948836
Opcode ID: 6e2928dbe3c18d0bf650401c01841e5677b1bb0225c6ce1aeb8282541b8b43f6
Instruction ID: 52b52451cadeb1fbe819d8f9f106db797566433309ad8efe5cbcec418adbaf2e
Opcode Fuzzy Hash: 6e2928dbe3c18d0bf650401c01841e5677b1bb0225c6ce1aeb8282541b8b43f6
Instruction Fuzzy Hash: 0331C4B0D40269AFEB00DFA4C844B9E77B5EB45309F308514E511ABB80D7BCD980CBA0

Function 6CE55C06 Relevance: 12.1, APIs: 8, Instructions: 103COMMON

Download Yara Rule

APIs

_cmpDWORD.LIBCMTD ref: 6CE55C14

Part of subcall function 6CE55560: _cmpBYTE.LIBCMTD ref: 6CE55596

_cmpDWORD.LIBCMTD ref: 6CE55C3B

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: _cmp
String ID:
API String ID: 2028851527-0
Opcode ID: 2640301d4570daf9c888c71c09274a33e47595d280c6422622a01629a6ba161a
Instruction ID: b3e339ec4586169710e05554125cb10175105bf4237eff4ec218f34844962cd7
Opcode Fuzzy Hash: 2640301d4570daf9c888c71c09274a33e47595d280c6422622a01629a6ba161a
Instruction Fuzzy Hash: 47313C71902108EFCB04DFBCDA88A9D7B75AB41308FF08559E419AB709E732AB54DB90

Function 6CE55D32 Relevance: 12.1, APIs: 8, Instructions: 103COMMON

Download Yara Rule

APIs

_cmpDWORD.LIBCMTD ref: 6CE55D40

Part of subcall function 6CE55560: _cmpBYTE.LIBCMTD ref: 6CE55596

_cmpDWORD.LIBCMTD ref: 6CE55D67

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: _cmp
String ID:
API String ID: 2028851527-0
Opcode ID: cab4e5dea73df74ae65bb80adee57d74dc798646feee793aae844ddc1c4fb3b9
Instruction ID: 66169842f85f7ec63e9489f61684d7c9d52d70958b4531ca4eaf36ffa6c271d9
Opcode Fuzzy Hash: cab4e5dea73df74ae65bb80adee57d74dc798646feee793aae844ddc1c4fb3b9
Instruction Fuzzy Hash: 3F31F871902108EFCB04DFBCDA48A9E7B75AB41349FB08158E409AB749DB32AB54DB90

Function 6CDC5F80 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 422COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIMED ref: 6CDC60D5
CatchIt.LIBCMTD ref: 6CDC62CB

Strings

csm, xrefs: 6CDC5FD0
csm, xrefs: 6CDC6051
csm, xrefs: 6CDC6126

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: CatchIs_bad_exception_allowed
String ID: csm$csm$csm
API String ID: 974221251-393685449
Opcode ID: afd3f527901a7c6c43230666276314416fd2046b272f582ab56d50fe39fbb032
Instruction ID: 82616ec16b01019f4e7daf7ccca0d4bde1be22fa860be4267bc25c56b3211bf8
Opcode Fuzzy Hash: afd3f527901a7c6c43230666276314416fd2046b272f582ab56d50fe39fbb032
Instruction Fuzzy Hash: CBF185F5A04209DFCB04CFA5C8809EF7779BF44308F148159E915ABB61DB35EA46CBA2

Function 6CDD6150 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 236COMMON

Download Yara Rule

APIs

und_strncmp.LIBCMTD ref: 6CDD6235

Strings

template-parameter-, xrefs: 6CDD622A
`generic-type-, xrefs: 6CDD6291
generic-type-, xrefs: 6CDD6274
`template-parameter-, xrefs: 6CDD6247

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: und_strncmp
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 2034953485-3207858774
Opcode ID: d1394afa589d48134038a8d4567e515297b9213216a8400754ba7f5a172e385d
Instruction ID: f26bbf1907eeaabe3b919bf98c04ee8a6e70d4c3fcc7bebc8000b824d6738f99
Opcode Fuzzy Hash: d1394afa589d48134038a8d4567e515297b9213216a8400754ba7f5a172e385d
Instruction Fuzzy Hash: 639141B1E05248DBDF04DFE4CC90AEEB7B5AF49304F144529E416B7764EB34AA09CBA1

Function 6CE20B70 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 232COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMTD ref: 6CE20C0F

Strings

%ls, xrefs: 6CE20BA9
common_expand_argv_wildcards, xrefs: 6CE20BE7, 6CE20DE5
traits::tcsncpy_s( character_it, character_count - (character_it - character_first), *it, count), xrefs: 6CE20DEA
result != nullptr, xrefs: 6CE20BA4, 6CE20BEC
minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp, xrefs: 6CE20BB5, 6CE20BE2, 6CE20DE0

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: std::exception::exception
String ID: %ls$common_expand_argv_wildcards$minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp$result != nullptr$traits::tcsncpy_s( character_it, character_count - (character_it - character_first), *it, count)
API String ID: 2807920213-1103401458
Opcode ID: dd82dba07e64b017c5419fa42045b1a4bd7044304f16ce16290692b6b92e9424
Instruction ID: 997c3f37aa7efd72c23510d6b6b735c5bef10dbb09a5b9b5e16c6b592c901a7c
Opcode Fuzzy Hash: dd82dba07e64b017c5419fa42045b1a4bd7044304f16ce16290692b6b92e9424
Instruction Fuzzy Hash: 9DA108B1D002499FDB04DFD4C9A5BEEB7B5BF55308F204529E0067B790EB39AA49CB60

Function 6CDDCC30 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 198COMMON

Download Yara Rule

Strings

%ls, xrefs: 6CDDCC73
minkernel\crts\ucrt\src\appcrt\startup\argv_parsing.cpp, xrefs: 6CDDCC7F, 6CDDCCAC
mode == _crt_argv_expanded_arguments || mode == _crt_argv_unexpanded_arguments, xrefs: 6CDDCC6E, 6CDDCCB6
HZl, xrefs: 6CDDCD4C
common_configure_argv, xrefs: 6CDDCCB1

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID:
String ID: %ls$HZl$common_configure_argv$minkernel\crts\ucrt\src\appcrt\startup\argv_parsing.cpp$mode == _crt_argv_expanded_arguments || mode == _crt_argv_unexpanded_arguments
API String ID: 0-335035211
Opcode ID: cd8f7e5dcdeff599c50d6a896d177332fec36949b224d59d6dee47d11326aff8
Instruction ID: 74f3ca6f1dc11997cf7f3bf87341544128ae32158a2010b3e568146b1e5d23b3
Opcode Fuzzy Hash: cd8f7e5dcdeff599c50d6a896d177332fec36949b224d59d6dee47d11326aff8
Instruction Fuzzy Hash: 48716FF1D40209EBDF04EF94D995BEEB7B4AF44308F114169D1067BAA0EB746A48CBB1

Function 6CDDC8E0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 198COMMON

Download Yara Rule

Strings

%ls, xrefs: 6CDDC923
minkernel\crts\ucrt\src\appcrt\startup\argv_parsing.cpp, xrefs: 6CDDC92F, 6CDDC95C
C:\Windows\system32\loaddll32.exe, xrefs: 6CDDC999, 6CDDC9B2, 6CDDC9F5
mode == _crt_argv_expanded_arguments || mode == _crt_argv_unexpanded_arguments, xrefs: 6CDDC91E, 6CDDC966
common_configure_argv, xrefs: 6CDDC961

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID:
String ID: %ls$C:\Windows\system32\loaddll32.exe$common_configure_argv$minkernel\crts\ucrt\src\appcrt\startup\argv_parsing.cpp$mode == _crt_argv_expanded_arguments || mode == _crt_argv_unexpanded_arguments
API String ID: 0-1914081238
Opcode ID: 5d15556f485508b9df8d4e88b326b60a7e7c67aafdbca211e9d9a2edc93c7c33
Instruction ID: 076a14a4d9d971fb4dc81b41bd53ecfdab9f9925e0f0b7d29056c3fed95e762c
Opcode Fuzzy Hash: 5d15556f485508b9df8d4e88b326b60a7e7c67aafdbca211e9d9a2edc93c7c33
Instruction Fuzzy Hash: 7A7151F1D40208EFDF04DF94D895BEEB7B4AF45308F114569D5067BAA0EB706A48CBA1

Function 6CE4FDD0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 104COMMON

Download Yara Rule

Strings

%ls, xrefs: 6CE4FE2E, 6CE4FECC
(_osfile(fh) & FOPEN), xrefs: 6CE4FEC7, 6CE4FF14
minkernel\crts\ucrt\src\appcrt\lowio\close.cpp, xrefs: 6CE4FE37, 6CE4FE6C, 6CE4FED5, 6CE4FF0A
(fh >= 0 && (unsigned)fh < (unsigned)_nhandle), xrefs: 6CE4FE29, 6CE4FE76
_close, xrefs: 6CE4FE71, 6CE4FF0F

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID:
String ID: %ls$(_osfile(fh) & FOPEN)$(fh >= 0 && (unsigned)fh < (unsigned)_nhandle)$_close$minkernel\crts\ucrt\src\appcrt\lowio\close.cpp
API String ID: 0-1433886027
Opcode ID: 8a1e74a3612b8400fadff3772f52b9815958faf98f5b22dd741256d9b79c9161
Instruction ID: a2a2850402a61857fe42104a4d7582e781f250549303616e25d76bc78ae4111b
Opcode Fuzzy Hash: 8a1e74a3612b8400fadff3772f52b9815958faf98f5b22dd741256d9b79c9161
Instruction Fuzzy Hash: B131C5B0844204AFEB24DF95DD55F8D3A70AB0276DF308A48E0152BED1D778A645C7B5

Function 6CE45AD0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 98COMMON

Download Yara Rule

Strings

%ls, xrefs: 6CE45B23, 6CE45BB6
(_osfile(fh) & FOPEN), xrefs: 6CE45BB1, 6CE45BF3
(fh >= 0 && (unsigned)fh < (unsigned)_nhandle), xrefs: 6CE45B1E, 6CE45B60
_commit, xrefs: 6CE45B5B, 6CE45BEE
minkernel\crts\ucrt\src\appcrt\lowio\commit.cpp, xrefs: 6CE45B2C, 6CE45B56, 6CE45BBF, 6CE45BE9

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID:
String ID: %ls$(_osfile(fh) & FOPEN)$(fh >= 0 && (unsigned)fh < (unsigned)_nhandle)$_commit$minkernel\crts\ucrt\src\appcrt\lowio\commit.cpp
API String ID: 0-1026578051
Opcode ID: 8bb48c7409db8bf85d3afd0fc53ff145287496345ffc204340adfa43bba23cc1
Instruction ID: e73b2e486dd410609035d40ec00849748d8b5135f230a1ae83ba751464157127
Opcode Fuzzy Hash: 8bb48c7409db8bf85d3afd0fc53ff145287496345ffc204340adfa43bba23cc1
Instruction Fuzzy Hash: 7D31B2B1941208AFEB20CF54DC85BDD7B74BB0231CF308A49E1153BAD1D7B4A685CBA1

Function 6CE55AEE Relevance: 10.6, APIs: 7, Instructions: 96COMMON

Download Yara Rule

APIs

_cmpDWORD.LIBCMTD ref: 6CE55AFC

Part of subcall function 6CE55560: _cmpBYTE.LIBCMTD ref: 6CE55596

_cmpDWORD.LIBCMTD ref: 6CE55B23

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: _cmp
String ID:
API String ID: 2028851527-0
Opcode ID: 886a3d6f066865c6bb5d327980fe2796885dd27cc38c0e45858bb95054f92fe6
Instruction ID: f2ec4c6ddad7bb5552f32ef4d7586a6c778ebf9396a816257a8f72df9c30c18e
Opcode Fuzzy Hash: 886a3d6f066865c6bb5d327980fe2796885dd27cc38c0e45858bb95054f92fe6
Instruction Fuzzy Hash: 9C313D71D02108EFCB00DFBCCA48A9D7BB5AB51309FB08158E409BB749D732AB54DBA0

Function 6CDDAE40 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

std::_Fac_node::_Fac_node.LIBCPMTD ref: 6CDDAF48

Strings

%ls, xrefs: 6CDDAE75, 6CDDAEEE
common_set_report_hook, xrefs: 6CDDAEAD, 6CDDAF26
mode == _CRT_RPTHOOK_INSTALL || mode == _CRT_RPTHOOK_REMOVE, xrefs: 6CDDAE70, 6CDDAEB2
minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp, xrefs: 6CDDAE7E, 6CDDAEA8, 6CDDAEF7, 6CDDAF21
new_hook != nullptr, xrefs: 6CDDAEE9, 6CDDAF2B

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: Fac_nodeFac_node::_std::_
String ID: %ls$common_set_report_hook$minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp$mode == _CRT_RPTHOOK_INSTALL || mode == _CRT_RPTHOOK_REMOVE$new_hook != nullptr
API String ID: 1114552684-2008714909
Opcode ID: 2b291e328d981b55c60bee776be60bd044826b4e8843233734659a5536f64395
Instruction ID: cad854b1ae87eae67b2581318cda5fb14034296458fdb3fb87566d9367ab32e4
Opcode Fuzzy Hash: 2b291e328d981b55c60bee776be60bd044826b4e8843233734659a5536f64395
Instruction Fuzzy Hash: E921E6B1D44209FBDB109B90CC06B9E3670AB01319F618A44F5183AEE1D7BAA198C7B6

Function 6CDDAFB0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

std::_Fac_node::_Fac_node.LIBCPMTD ref: 6CDDB0B8

Strings

%ls, xrefs: 6CDDAFE5, 6CDDB05E
common_set_report_hook, xrefs: 6CDDB01D, 6CDDB096
mode == _CRT_RPTHOOK_INSTALL || mode == _CRT_RPTHOOK_REMOVE, xrefs: 6CDDAFE0, 6CDDB022
minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp, xrefs: 6CDDAFEE, 6CDDB018, 6CDDB067, 6CDDB091
new_hook != nullptr, xrefs: 6CDDB059, 6CDDB09B

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: Fac_nodeFac_node::_std::_
String ID: %ls$common_set_report_hook$minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp$mode == _CRT_RPTHOOK_INSTALL || mode == _CRT_RPTHOOK_REMOVE$new_hook != nullptr
API String ID: 1114552684-2008714909
Opcode ID: e28bfe7db14b8ab340a7fee93538ec1779330ddd9f0dd398aa2695df60bbed90
Instruction ID: e33fd5ffc622a6811b176c791cf2519aa2d88f36620dcd813c11646d22451152
Opcode Fuzzy Hash: e28bfe7db14b8ab340a7fee93538ec1779330ddd9f0dd398aa2695df60bbed90
Instruction Fuzzy Hash: A021B6B0D40208FBEB209B91CC05BAE7774AB0631DF614644F5243AEE1D7BA6198C7A6

Function 6CE45210 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372COMMON

Download Yara Rule

Strings

%ls, xrefs: 6CE452FB
cchCount1==0 && cchCount2==1 || cchCount1==1 && cchCount2==0, xrefs: 6CE452F6
minkernel\crts\ucrt\src\appcrt\locale\comparestringa.cpp, xrefs: 6CE45304
minkernel\crts\ucrt\src\appcrt\locale\comparestringa.cpp, xrefs: 6CE45491, 6CE45592

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID:
String ID: %ls$cchCount1==0 && cchCount2==1 || cchCount1==1 && cchCount2==0$minkernel\crts\ucrt\src\appcrt\locale\comparestringa.cpp$minkernel\crts\ucrt\src\appcrt\locale\comparestringa.cpp
API String ID: 0-1085474390
Opcode ID: 1cd455faba828fbbb1e0a0f03271c9109ac3e23491bbdece17a568fa6f9c4e4f
Instruction ID: 384a0ee3a3d450a61dc05ec9ae17d58c369fd54d5f9d2fd1b7603c2686a7ffae
Opcode Fuzzy Hash: 1cd455faba828fbbb1e0a0f03271c9109ac3e23491bbdece17a568fa6f9c4e4f
Instruction Fuzzy Hash: ADE1D0B1E01109DBDB04CF94D890BEE77B1AF4A308F208169F412BBB90D779E945CBA1

Function 6CE1B000 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5), ref: 6CE1B0B3
GetStdHandle.KERNEL32(000000F4), ref: 6CE1B0CD

Strings

%ls, xrefs: 6CE1B035
nRptType >= 0 && nRptType < _CRT_ERRCNT, xrefs: 6CE1B030, 6CE1B078
_CrtSetReportFile, xrefs: 6CE1B073
minkernel\crts\ucrt\src\appcrt\misc\dbgrptt.cpp, xrefs: 6CE1B041, 6CE1B06E

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: Handle
String ID: %ls$_CrtSetReportFile$minkernel\crts\ucrt\src\appcrt\misc\dbgrptt.cpp$nRptType >= 0 && nRptType < _CRT_ERRCNT
API String ID: 2519475695-1451859211
Opcode ID: 85b83b137c267ca8c8dbc20c2de5f0a21866c8b5d56bce49668581ae8b005235
Instruction ID: 04872c0707d99bf8addb529a3d1ba1d1e43bfe60b8f1d7013e41f1207534a1ee
Opcode Fuzzy Hash: 85b83b137c267ca8c8dbc20c2de5f0a21866c8b5d56bce49668581ae8b005235
Instruction Fuzzy Hash: DA216BB4A48208FFCB10DF69C854B897BB4EB47368F30824AFA645BFC0D3359695CA45

Function 6CE3F7B0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 296COMMON

Download Yara Rule

APIs

_fix_grouping.LIBCMTD ref: 6CE3FA49

Strings

%ls, xrefs: 6CE3FAF2
ploci->lconv_num_refcount > 0, xrefs: 6CE3FAED
minkernel\crts\ucrt\src\appcrt\locale\initnum.cpp, xrefs: 6CE3FAFE
minkernel\crts\ucrt\src\appcrt\locale\initnum.cpp, xrefs: 6CE3F805, 6CE3F840, 6CE3F8CC

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: _fix_grouping
String ID: %ls$minkernel\crts\ucrt\src\appcrt\locale\initnum.cpp$minkernel\crts\ucrt\src\appcrt\locale\initnum.cpp$ploci->lconv_num_refcount > 0
API String ID: 3906328105-162942574
Opcode ID: 7a2401f54834143b9ed4eb09ce2ad3670d1ec233ad29f7acafb54f3513d94358
Instruction ID: 9d9ae38a046772b7d882530834a6fc15dd1b5862d79f55d1e529eae06c625aa0
Opcode Fuzzy Hash: 7a2401f54834143b9ed4eb09ce2ad3670d1ec233ad29f7acafb54f3513d94358
Instruction Fuzzy Hash: 54C181B1E00218ABDB00CF94C855BEEB7B1FF44308F148598E9597B791D7B9AA45CBA0

Function 6CDC1F20 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

GetPdbDllFromInstallPath.LIBCMTD ref: 6CDC1F47

Part of subcall function 6CDC20C0: GetLastError.KERNEL32 ref: 6CDC2109
Part of subcall function 6CDC20C0: GetProcAddress.KERNEL32(00000000,RegOpenKeyExW), ref: 6CDC212F
Part of subcall function 6CDC20C0: GetProcAddress.KERNEL32(00000000,RegQueryValueExW), ref: 6CDC2141
Part of subcall function 6CDC20C0: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 6CDC2153
Part of subcall function 6CDC20C0: FreeLibrary.KERNEL32(00000000), ref: 6CDC2187

GetLastError.KERNEL32 ref: 6CDC1FBB
GetLastError.KERNEL32 ref: 6CDC1FF5

Strings

MSPDB140, xrefs: 6CDC1FE4
VCRUNTIME140D.dll, xrefs: 6CDC1F54

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: AddressErrorLastProc$FreeFromInstallLibraryPath
String ID: MSPDB140$VCRUNTIME140D.dll
API String ID: 3575457754-1916464790
Opcode ID: 2950ddfd47c3c843f2d2916091ff8c7742c59bb2ac4539ddc20cc9d76b6dc5f3
Instruction ID: 1806583ba0c468783ba9c37d3f93d0b0ece5f24ca43f42bd5604bc26774b9e11
Opcode Fuzzy Hash: 2950ddfd47c3c843f2d2916091ff8c7742c59bb2ac4539ddc20cc9d76b6dc5f3
Instruction Fuzzy Hash: 3231A4F1B01208A6EB1097628C4ABDA33BC9B00308F5005B6EE1AE79D1FB70D64DD677

Function 6CDD7370 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 83COMMON

Download Yara Rule

Strings

%ls, xrefs: 6CDD73F9, 6CDD744B
cached_fp == new_fp, xrefs: 6CDD7446
D:\a\_work\1\s\src\vctools\crt\vcruntime\src\internal\winapi_downlevel.cpp, xrefs: 6CDD7405, 6CDD7457
cached_fp == invalid_function_sentinel(), xrefs: 6CDD73F4

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID:
String ID: %ls$D:\a\_work\1\s\src\vctools\crt\vcruntime\src\internal\winapi_downlevel.cpp$cached_fp == invalid_function_sentinel()$cached_fp == new_fp
API String ID: 0-3288861829
Opcode ID: 2c5831611b80519d6dd8aecdce611f7994e45814d4067536be1700a08c638625
Instruction ID: 5490c42515aeb6b66a31c870af793a3604978c3ec3c9913b56f487052b5d2a60
Opcode Fuzzy Hash: 2c5831611b80519d6dd8aecdce611f7994e45814d4067536be1700a08c638625
Instruction Fuzzy Hash: 2221D7B0D01208FBDF00EFA4CD41BDE7B74BB05309F6248A9E51566A64E735F658CB61

Function 6CE2D2A0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74timeCOMMON

Download Yara Rule

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 6CE2D35E

Strings

%ls, xrefs: 6CE2D2E3
LC_MIN <= _category && _category <= LC_MAX, xrefs: 6CE2D2DE, 6CE2D326
_wsetlocale, xrefs: 6CE2D321
minkernel\crts\ucrt\src\appcrt\locale\wsetlocale.cpp, xrefs: 6CE2D2EF, 6CE2D31C

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: TimevecTimevec::_std::_
String ID: %ls$LC_MIN <= _category && _category <= LC_MAX$_wsetlocale$minkernel\crts\ucrt\src\appcrt\locale\wsetlocale.cpp
API String ID: 4219598475-2399076032
Opcode ID: 1385d9740f602155e85ff1813873edbe3e6ae646eacb7c77678ec2b21d957e73
Instruction ID: 46a021a0a0a3941a6ad5719fd3bd1565e50eb7d8ceff82be78f1a94dab859839
Opcode Fuzzy Hash: 1385d9740f602155e85ff1813873edbe3e6ae646eacb7c77678ec2b21d957e73
Instruction Fuzzy Hash: 9A211DB6C0020CABDB10DBD0CD45BDE7774AF05309F308959E60676A80E779A749CBA5

Function 6CE459E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(00000000), ref: 6CE45A23
GetLastError.KERNEL32 ref: 6CE45A31

Strings

%ls, xrefs: 6CE45A54
("Invalid file descriptor. File possibly closed by a different thread",0), xrefs: 6CE45A4F
minkernel\crts\ucrt\src\appcrt\lowio\commit.cpp, xrefs: 6CE45A5D

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: BuffersErrorFileFlushLast
String ID: %ls$("Invalid file descriptor. File possibly closed by a different thread",0)$minkernel\crts\ucrt\src\appcrt\lowio\commit.cpp
API String ID: 1917127615-1268643607
Opcode ID: a95cc88591f8e038f65e52f0f859dea8f69bda524d547d2ba28d062143b48deb
Instruction ID: eabc9f2124cf4ecaee383d6ef80bd7256b4d102427e1c98b795ecb0f2b9502eb
Opcode Fuzzy Hash: a95cc88591f8e038f65e52f0f859dea8f69bda524d547d2ba28d062143b48deb
Instruction Fuzzy Hash: AA1182B16012009FCB04DB64DD85E5A3375EB0A318F344589F516ABB90E735ED019760

Function 6CE48500 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 236COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6CE4860D

Strings

strncpy_s(*char_result, local_length, local_buffer, local_length - 1), xrefs: 6CE485CF
minkernel\crts\ucrt\src\appcrt\locale\getlocaleinfoa.cpp, xrefs: 6CE48570, 6CE48651, 6CE48772
__acrt_GetLocaleInfoA, xrefs: 6CE485CA
minkernel\crts\ucrt\src\appcrt\locale\getlocaleinfoa.cpp, xrefs: 6CE485C5

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: ErrorLast
String ID: __acrt_GetLocaleInfoA$minkernel\crts\ucrt\src\appcrt\locale\getlocaleinfoa.cpp$minkernel\crts\ucrt\src\appcrt\locale\getlocaleinfoa.cpp$strncpy_s(*char_result, local_length, local_buffer, local_length - 1)
API String ID: 1452528299-34002772
Opcode ID: 9176e781b0b7123a038231b2da84286723620d9c86bd2da9b18acbc6a152871a
Instruction ID: 11e9bd78506bb9912e4041cc21c466c586bbe5aad7fa52ef541689a63b333397
Opcode Fuzzy Hash: 9176e781b0b7123a038231b2da84286723620d9c86bd2da9b18acbc6a152871a
Instruction Fuzzy Hash: C2A13AB1900218DBDB64DF24DC44FDA7374BF45318F6086D9E51AA7AD0DB30AA89CFA1

Function 6CE4B1F0 Relevance: 7.6, APIs: 5, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,?,?,00000001), ref: 6CE4B216
GetLastError.KERNEL32 ref: 6CE4B220
SetFilePointerEx.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 6CE4B26D
GetLastError.KERNEL32 ref: 6CE4B277

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: de6665021ae205d10a60588a4881549410ec3cf40ab37db1748cb98c089291fd
Instruction ID: 2b89bb4afca1482a201a5c8c4e45c6d069287dcebb23e837d752c5866312d042
Opcode Fuzzy Hash: de6665021ae205d10a60588a4881549410ec3cf40ab37db1748cb98c089291fd
Instruction Fuzzy Hash: 212153B1E00509ABDB00CFE9DD45BEFBBB8BF49314F208659F529E3690DB7095448B61

Function 6CDC44C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMTD ref: 6CDC450D
_ValidateLocalCookies.LIBCMTD ref: 6CDC4640
_ValidateLocalCookies.LIBCMTD ref: 6CDC4693

Strings

csm, xrefs: 6CDC45BF

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: CookiesLocalValidate
String ID: csm
API String ID: 2268201637-1018135373
Opcode ID: f5993c078db7fe7f2bbca69ebd59bfecbd1062c0dd52246c8b1300f39dcfd708
Instruction ID: 042b862719e43c0522d058f7a5f5a8205c265401f866bf8fdf6e11f9b3ba4da6
Opcode Fuzzy Hash: f5993c078db7fe7f2bbca69ebd59bfecbd1062c0dd52246c8b1300f39dcfd708
Instruction Fuzzy Hash: 1351FDB4E00209DFCB04CF94D890AEEBBB5BF49318F208259D4156B754D735EA85CBA6

Function 6CDD7640 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(6CDD7507,00000000,00000800,?,?,6CDD7507,00000000), ref: 6CDD764F
GetLastError.KERNEL32(?,?,6CDD7507), ref: 6CDD7663
LoadLibraryExW.KERNEL32(6CDD7507,00000000,00000000,?,6CDD7507), ref: 6CDD768D

Strings

api-ms-, xrefs: 6CDD7670

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 4e9f313700c83f28e459612b910e75d877cf6788f2cb6f2e1f6ff353053ddc25
Instruction ID: 7380475bd16a10b3c746d3841225a0ab61dd86a8c1ba96598d1594a9d82a6de9
Opcode Fuzzy Hash: 4e9f313700c83f28e459612b910e75d877cf6788f2cb6f2e1f6ff353053ddc25
Instruction Fuzzy Hash: E2F05E74B45304FBDB408FA8CC4AB9E3B74AB02705F224594F9199B6D4F775EA008B90

Function 6CE505B6 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 6CE505D0
GetLastError.KERNEL32 ref: 6CE505DC
___initconout.LIBCMT ref: 6CE505EC

Part of subcall function 6CE5066A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CE505F1), ref: 6CE5067D

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 6CE50600

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: ConsoleWrite$CreateErrorFileLast___initconout
String ID:
API String ID: 3431868840-0
Opcode ID: 9dfa13790a3e6ea3aa657ec7bbe31b3a0e91efb0fb4b8164589ae38e3ac151a0
Instruction ID: b83c5ecb5ff4b6be52db5d75a54ca557849b40ef098820134fb5952dd4367115
Opcode Fuzzy Hash: 9dfa13790a3e6ea3aa657ec7bbe31b3a0e91efb0fb4b8164589ae38e3ac151a0
Instruction Fuzzy Hash: DDF0823A201500ABCF621BDADC04D467FB6FFCB3157240519FA9A92A60DB3294209F20

Function 6CE506D2 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 6CE506E9
GetLastError.KERNEL32 ref: 6CE506F5
___initconout.LIBCMT ref: 6CE50705

Part of subcall function 6CE5066A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CE505F1), ref: 6CE5067D

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 6CE5071A

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: ConsoleWrite$CreateErrorFileLast___initconout
String ID:
API String ID: 3431868840-0
Opcode ID: 3eb4a60d418007813009c199594e71937236557082e8c5aee7abdec8d1a3d4ce
Instruction ID: 93bacf9c95b9e32e6682c39989a05ca7bc45c594f4326f198f92aa046250374d
Opcode Fuzzy Hash: 3eb4a60d418007813009c199594e71937236557082e8c5aee7abdec8d1a3d4ce
Instruction Fuzzy Hash: 3FF01C36601255BBCF521FD5DC04DCA3F7AFB0A3A9B544254FE1999620D7328830AFA0

Function 6CE4E450 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 314COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?), ref: 6CE4E467

Strings

$l, xrefs: 6CE4E807
;, xrefs: 6CE4E4A4

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: DecodePointer
String ID: $l$;
API String ID: 3527080286-2507470238
Opcode ID: dd0ee162e0c4b0fc267b99164069e7a41149ca2b5002e6f7f04518b0b6a5eab1
Instruction ID: fa1eb9756942bf17926ccbc77ac02970e8e95e58785857ea2104b6a512f986bd
Opcode Fuzzy Hash: dd0ee162e0c4b0fc267b99164069e7a41149ca2b5002e6f7f04518b0b6a5eab1
Instruction Fuzzy Hash: 23E1EA70A00A4DDBDF00DF94E8896DDBF71FF46304F618094D8956F2A8CB31996ACB95

Function 6CE23420 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(0000FDE9,?), ref: 6CE23453

Strings

, xrefs: 6CE23524
z, xrefs: 6CE23727

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: Info
String ID: $z
API String ID: 1807457897-2251613814
Opcode ID: 15cca76bec27eaaf596bcb94a8e6ca41fe88b3467215b42d265936530e55d462
Instruction ID: 56cfd7c3661a8a22fb60911fdcb22c790a3bda0fea1b8b2737e2665ffdc26f69
Opcode Fuzzy Hash: 15cca76bec27eaaf596bcb94a8e6ca41fe88b3467215b42d265936530e55d462
Instruction Fuzzy Hash: C4A17F70A4825C9FDB26CF48C891BE9BB75EF45308F1481D9D94D5B782C278AB92CF90

Function 6CE1E400 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNEL32(Function_000BDA80,00000001), ref: 6CE1E4B7

Strings

minkernel\crts\ucrt\src\appcrt\misc\signal.cpp, xrefs: 6CE1E5A6

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: ConsoleCtrlHandler
String ID: minkernel\crts\ucrt\src\appcrt\misc\signal.cpp
API String ID: 1513847179-3244217075
Opcode ID: b378fe27f3607bccf2bf530ee1892e49768ff655bb4cc0fb9b512f69f7e9ca9c
Instruction ID: dffc17a1d4941db317836adaf19a582163287a4910135f0bd65eaa3c43b5f5e4
Opcode Fuzzy Hash: b378fe27f3607bccf2bf530ee1892e49768ff655bb4cc0fb9b512f69f7e9ca9c
Instruction Fuzzy Hash: E47182B5A08248DFDB01CF95D884ADE77B5AF4A30CF248628F8156BF50D731DA54CBA1

Function 6CDC65F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

MOC, xrefs: 6CDC662B
RCC, xrefs: 6CDC6636

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID:
String ID: MOC$RCC
API String ID: 0-2084237596
Opcode ID: b2dc3ac64752cbd06419b0413ee9f0bf834f750fe9aca944e03664c59c7f7e1e
Instruction ID: 1766bc80b341580da8f60e722c27f0f2aacc7fb23aa6a1a9f288d419f6047c13
Opcode Fuzzy Hash: b2dc3ac64752cbd06419b0413ee9f0bf834f750fe9aca944e03664c59c7f7e1e
Instruction Fuzzy Hash: E15155B1A40109EBCB04DF94C990EFE77BDAF48308F148259E916E76A0DB34ED56CB61

Function 6CE24F97 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,6CDDDFE4,?,?,6CDDDF74,6CDDE98A), ref: 6CE24FA0
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CE2501C

Strings

minkernel\crts\ucrt\src\desktopcrt\env\get_environment_from_os.cpp, xrefs: 6CE24FD3

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID: minkernel\crts\ucrt\src\desktopcrt\env\get_environment_from_os.cpp
API String ID: 3328510275-170101930
Opcode ID: 67caebd923c99f66db54f0b49ae45afcd1674f6ffbbcb0ced858ca9e20ce8b30
Instruction ID: 457c462aea006e74f1afe2dfdc2896ee77fd1f285328205006d2c12731be186c
Opcode Fuzzy Hash: 67caebd923c99f66db54f0b49ae45afcd1674f6ffbbcb0ced858ca9e20ce8b30
Instruction Fuzzy Hash: 2C012BA3A033103BF32105660D8DE7B787DCBC6E5CB200018F91197744FE69CC0181B0

Function 6CE2CE40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63timeCOMMON

Download Yara Rule

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 6CE2CEC6
std::_Timevec::_Timevec.LIBCPMTD ref: 6CE2CEDD

Strings

minkernel\crts\ucrt\src\appcrt\locale\wsetlocale.cpp, xrefs: 6CE2CE55

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: TimevecTimevec::_std::_
String ID: minkernel\crts\ucrt\src\appcrt\locale\wsetlocale.cpp
API String ID: 4219598475-2192260110
Opcode ID: a8ed5f18df816b572a81e00c2acab2618dff1e01475df5e9edd1d0754ebe8958
Instruction ID: 05186821ec9472e0cb181c863d85d1816076709d6e659685a29ebae7ed0d1751
Opcode Fuzzy Hash: a8ed5f18df816b572a81e00c2acab2618dff1e01475df5e9edd1d0754ebe8958
Instruction Fuzzy Hash: A321F1B5D40108ABD704EF94C996AEEB774AF10208F604199950777BA1EF706F09DB61

Function 6CDBF630 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 6CDBF63B

Strings

|f1n, xrefs: 6CDBF71C
Ql8Rl, xrefs: 6CDBF726

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID: |f1n$Ql8Rl
API String ID: 2325560087-736391129
Opcode ID: 898d5284facad0635bdeed272579f123f4ee51dfd330aa67a07ede8073bef51a
Instruction ID: 52638b611c27b3c2cc36e96bedc2bf6227fa2fba4ae04952548d229be25a5abf
Opcode Fuzzy Hash: 898d5284facad0635bdeed272579f123f4ee51dfd330aa67a07ede8073bef51a
Instruction Fuzzy Hash: 8821C0B97036058BFB05CF19D1847487BF4FB0B318F60416AE91A9B3A1EFB559818F85

Function 6CDD8410 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,00000000,?,6CDD8230,?), ref: 6CDD8436

Strings

mscoree.dll, xrefs: 6CDD842F
CorExitProcess, xrefs: 6CDD844A

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: HandleModule
String ID: CorExitProcess$mscoree.dll
API String ID: 4139908857-1276376045
Opcode ID: 1809f524262c775f51f8c563d69ce4fcadff78deedc7e7e19d712ab7d3475093
Instruction ID: 838be7a99e030bb94a919c068f266bc51215f23a978c38c32c474c1a34c52dd1
Opcode Fuzzy Hash: 1809f524262c775f51f8c563d69ce4fcadff78deedc7e7e19d712ab7d3475093
Instruction Fuzzy Hash: 86014FB1D04108FBCB04EBA5CD59ADD7B79AF11309F5040A9E40772A70EF346B08CBA1

Function 6CE2504D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,6CDDE04E,?,?,6CDDDFAB,6CDDE9A3), ref: 6CE25051
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CE2509E

Strings

minkernel\crts\ucrt\src\desktopcrt\env\get_environment_from_os.cpp, xrefs: 6CE2506C

Memory Dump Source

Source File: 00000000.00000002.1800636456.000000006CDB9000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD60000, based on PE: true

Associated: 00000000.00000002.1800618530.000000006CD60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CDB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800636456.000000006CE59000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800706037.000000006CE5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800724654.000000006CE84000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800735219.000000006CE87000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800744992.000000006CE8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd60000_loaddll32.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID: minkernel\crts\ucrt\src\desktopcrt\env\get_environment_from_os.cpp
API String ID: 3328510275-170101930
Opcode ID: 0c1a6b8c3c502001947bfea56148f595c2bf8eda30eb0caa4db47bd7d3962225
Instruction ID: b46251dbb3c919e95715d8a75b2cebbf4c8a7d1c91c29ffe0e57478ca53d0b75
Opcode Fuzzy Hash: 0c1a6b8c3c502001947bfea56148f595c2bf8eda30eb0caa4db47bd7d3962225
Instruction Fuzzy Hash: D0F02E5374561136E32112351C8DFAB35799BC6E7CF250211F61566BC5AF688C0200F0

Analysis Process: rundll32.exePID: 2472, Parent PID: 3864COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	114
Total number of Limit Nodes:	16

Executed Functions

Function 6CB8F350 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

cached_handle == INVALID_HANDLE_VALUE, xrefs: 6CB8F3C9
%ls, xrefs: 6CB8F3CE, 6CB8F420
cached_handle == new_handle, xrefs: 6CB8F41B
minkernel\crts\ucrt\src\appcrt\internal\winapi_thunks.cpp, xrefs: 6CB8F3DA, 6CB8F42C

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID:
String ID: %ls$cached_handle == INVALID_HANDLE_VALUE$cached_handle == new_handle$minkernel\crts\ucrt\src\appcrt\internal\winapi_thunks.cpp
API String ID: 0-442401637
Opcode ID: b0c243636c1cf9466b2f24552680a586e931768eed65f6689f4823a79a055f8c
Instruction ID: c57494d6bae173f22591742e88e20fc4c7a983ca98677478dacfe1c8080a0b09
Opcode Fuzzy Hash: b0c243636c1cf9466b2f24552680a586e931768eed65f6689f4823a79a055f8c
Instruction Fuzzy Hash: BC21E470E02289EBCF10DBB4DC45FAE7774EB05329F244A55E525A7A80D734A644CB92

Function 6CB8F4F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(6CB8F399,00000000,00000800,?,?,6CB8F399,00000000), ref: 6CB8F501
GetLastError.KERNEL32(?,?,6CB8F399), ref: 6CB8F515
LoadLibraryExW.KERNEL32(6CB8F399,00000000,00000000,?,?,?,?,6CB8F399), ref: 6CB8F556

Strings

ext-ms-, xrefs: 6CB8F539
api-ms-, xrefs: 6CB8F522

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-$ext-ms-
API String ID: 3177248105-537541572
Opcode ID: dd3f0a3495b0d03c39cdfd3d971c031e70834f4565921616dc60ff0f685fc211
Instruction ID: e07e1b1abd637c2e36d971415a5482a3ceaa191605fbe5a6a27d5a3471e32dba
Opcode Fuzzy Hash: dd3f0a3495b0d03c39cdfd3d971c031e70834f4565921616dc60ff0f685fc211
Instruction Fuzzy Hash: F2018174A52249FBDB00CFA4DD0AFDE3778AB05714F104450FA18ABAC0D7B5EE008791

Function 6CB80A00 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 255
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(02DF0000,00000000,?), ref: 6CB80B8F

Strings

Client hook allocation failure at file %hs line %d., xrefs: 6CB80ABB
Error: memory allocation: bad memory block type., xrefs: 6CB80B5A
Client hook allocation failure., xrefs: 6CB80AD8

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID: Client hook allocation failure at file %hs line %d.$Client hook allocation failure.$Error: memory allocation: bad memory block type.
API String ID: 1279760036-2973468218
Opcode ID: 6a86d0632f8ae3ada7d47dbf138b43d0ab2a3be09446d2f6f304a560e4f560ee
Instruction ID: 1716c554afbdb60ae051e996dd8322be1f56479e1efb9178c4b495f7e7e4a40d
Opcode Fuzzy Hash: 6a86d0632f8ae3ada7d47dbf138b43d0ab2a3be09446d2f6f304a560e4f560ee
Instruction Fuzzy Hash: 12B19174A02289EFDF00CF94EC90B9EB7B5FB49318F148219E9256B780D735A944CFA5

Function 6CB2D800 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32(00000000,00000001,00000001,VerifyNetworkConnectExpired), ref: 6CB2D846
GetLastError.KERNEL32 ref: 6CB2D865
CloseHandle.KERNEL32(00000000), ref: 6CB2D87F

Strings

VerifyNetworkConnectExpired, xrefs: 6CB2D83B

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: CloseCreateErrorEventHandleLast
String ID: VerifyNetworkConnectExpired
API String ID: 937152468-916440064
Opcode ID: c31e0188ac006d822259373a0eef1ba2d8b07fd95e30fb97d65b67522a3774f8
Instruction ID: 83be3a0d1d119eb9a34a1055b35df1333224da9febf680fc4e11c177caf1e515
Opcode Fuzzy Hash: c31e0188ac006d822259373a0eef1ba2d8b07fd95e30fb97d65b67522a3774f8
Instruction Fuzzy Hash: C211A531E54154ABDB2067B8E84ABEC7625DF01326F400551EA1CBBB80C7BD4845C6E3

Function 6CB93420 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(0000FDE9,?), ref: 6CB93453

Strings

z, xrefs: 6CB93727
, xrefs: 6CB93524

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: Info
String ID: $z
API String ID: 1807457897-2251613814
Opcode ID: 59349737c538c9b6442bad421697826955b0a502dc3c85cb2807939b79494536
Instruction ID: 55b46bde282ba1ded2a67186f4bacec3efeed1f1bc41f5a8528dd2eb48c3392c
Opcode Fuzzy Hash: 59349737c538c9b6442bad421697826955b0a502dc3c85cb2807939b79494536
Instruction Fuzzy Hash: FEA15D74A4829C9FDB16CF48C891BE9BB71EF45308F0481E9D94D5B382C278AA91CF91

Function 6CB48260 Relevance: 4.5, APIs: 3, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(6CB48230,?,6CB48230,?), ref: 6CB48275
TerminateProcess.KERNEL32(00000000,?,6CB48230,?), ref: 6CB4827C
ExitProcess.KERNEL32 ref: 6CB48292

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 23ef8954ced2e4195da524762edad83012a2f1d1c1314ab9b5aff1bb87c31837
Instruction ID: 3bb18ffc8e248824742ccce813baa7284c278a46837ebf17b751b8b82ffba6d3
Opcode Fuzzy Hash: 23ef8954ced2e4195da524762edad83012a2f1d1c1314ab9b5aff1bb87c31837
Instruction Fuzzy Hash: 1CE012B5604244BBCF40ABB1E84CCAF3B7DAF442457008451B919CB345DE75D554D7F5

Function 6CBA57C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 6CBA594E

Strings

minkernel\crts\ucrt\src\appcrt\locale\getstringtypea.cpp, xrefs: 6CBA5863

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: StringType
String ID: minkernel\crts\ucrt\src\appcrt\locale\getstringtypea.cpp
API String ID: 4177115715-24854585
Opcode ID: 38ea8ff777cb29a3a5478b8eadb8e7241ad380d1e5bc863eb10ac3f937f3e0ec
Instruction ID: c2e4d7681dbc4c5d7ad5723493814a06ec40f1b32b113fe1347edb7e14de8b12
Opcode Fuzzy Hash: 38ea8ff777cb29a3a5478b8eadb8e7241ad380d1e5bc863eb10ac3f937f3e0ec
Instruction Fuzzy Hash: E0514971D10188EBDB04DF94C895BEEB774EF54308F104158E519BB680DB79AE49CB91

Function 6CB93870 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

minkernel\crts\ucrt\src\appcrt\mbstring\mbctype.cpp, xrefs: 6CB938B3

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID:
String ID: minkernel\crts\ucrt\src\appcrt\mbstring\mbctype.cpp
API String ID: 0-426720447
Opcode ID: 0890551dfc0aaad8b2daf597ab07b040a77b91268ca631460cf4d265bc310860
Instruction ID: 99b68b9f4d542e86f664aff3ed93972e9f5dfb835fac145e5acfdc0fc8a26c1d
Opcode Fuzzy Hash: 0890551dfc0aaad8b2daf597ab07b040a77b91268ca631460cf4d265bc310860
Instruction Fuzzy Hash: 3851B4B1900289DBCB04DFA4CC91AEEB774FF45318F144568E429AB790EB35DE09CB51

Function 6CB93E60 Relevance: 3.3, APIs: 2, Instructions: 297
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 795b7896290ec0dfee3160cddf8126b6d13b2bb7b0034195d9095aeef24bdcea
Instruction ID: c8eeb5d12bf3cb7173a9fef058c4cfc9b2a623012e05a97741f9b01cfc9a9b3c
Opcode Fuzzy Hash: 795b7896290ec0dfee3160cddf8126b6d13b2bb7b0034195d9095aeef24bdcea
Instruction Fuzzy Hash: 5ED13774A04189DBDB04CFA8C494BAEBBB1FF4A308F14C16AD8296B741D339DA45CF91

Function 6CB8F4A0 Relevance: 1.5, APIs: 1, Instructions: 23
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 6CB8F4CB

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: ebf96b598931c03067c1bde03a2a7698e24e29057f6263e31277a45696fa190a
Instruction ID: cf5c58f0449c39d09c7db34d621b33ea3665c023fb1bf25ea67902dfe81a6240
Opcode Fuzzy Hash: ebf96b598931c03067c1bde03a2a7698e24e29057f6263e31277a45696fa190a
Instruction Fuzzy Hash: AAE046B6A0524CFBCB00DFA9D804E9E77BCEB89314F148599FE0DD3200E631DA008BA4

Non-executed Functions

Function 6CBB2E60 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 6CBB2E9D
GetACP.KERNEL32 ref: 6CBB2EB1
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 6CBB2EE2

Strings

ACP, xrefs: 6CBB2E76
OCP, xrefs: 6CBB2EBB

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 298e6de0f2b6521416e1250be522086baddde57ca9edb8f334d86459bb80567d
Instruction ID: b7ad790da0ba50b6a61cae7f19b7dcc112ef40acf6bdc6ea2982a26a9deee0a3
Opcode Fuzzy Hash: 298e6de0f2b6521416e1250be522086baddde57ca9edb8f334d86459bb80567d
Instruction Fuzzy Hash: 36118E75600184EBEB04CF66C888AAB3378EB45358F108558FD09EAA00EB71EA41CB53

Function 6CBB30F0 Relevance: 6.2, APIs: 4, Instructions: 228COMMON

Download Yara Rule

APIs

IsValidCodePage.KERNEL32(00000000), ref: 6CBB32AE

Part of subcall function 6CBB22E0: GetUserDefaultLCID.KERNEL32 ref: 6CBB22F6

IsValidLocale.KERNEL32(00000000,00000001), ref: 6CBB32C8
GetLocaleInfoW.KERNEL32(00000000,00001001,00000000,00000040,00000000,-00000120,00000055,00000000,00000000,?,00000055,00000000), ref: 6CBB3331

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: LocaleValid$CodeDefaultInfoPageUser
String ID:
API String ID: 334263767-0
Opcode ID: f54d12b940791622d8736aec977cdf8602f857fb206ec73202fdbbfdc0f27bcc
Instruction ID: 14fea0dbc9c266fdc8f6b312cf4eb226340da8d085d1220780bff4d3d97ce81f
Opcode Fuzzy Hash: f54d12b940791622d8736aec977cdf8602f857fb206ec73202fdbbfdc0f27bcc
Instruction Fuzzy Hash: 87914CB4A002459BEB04CFA4C995BBFB7B5EF49309F248118E505BB780DF35E945CBA2

Function 6CB313E0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 6CB313EB
IsDebuggerPresent.KERNEL32 ref: 6CB314BB
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CB314E7
UnhandledExceptionFilter.KERNEL32(?), ref: 6CB314F1

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 7f2d5453c56474d4d62ea90a60c495a7ce3cd4a512271e61895833fc964d9bcd
Instruction ID: 0cdcae5795cbf8f5a98af41a3764aaae988b03f2e06fa50947ebd28812438b03
Opcode Fuzzy Hash: 7f2d5453c56474d4d62ea90a60c495a7ce3cd4a512271e61895833fc964d9bcd
Instruction Fuzzy Hash: C2311778D052689BDF11DF60C8497DDBBB8AF18304F1491D9E40D6B380E7B59A88CF42

Function 6CB4A800 Relevance: 23.0, APIs: 3, Strings: 10, Instructions: 299COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,00000000), ref: 6CB4A840

Strings

traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character())), xrefs: 6CB4A8C0
Microsoft Visual C++ Runtime Library, xrefs: 6CB4AC77
_CrtDbgReport: String too long or IO Error, xrefs: 6CB4AC50
..., xrefs: 6CB4AB1E
minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp, xrefs: 6CB4A8B6, 6CB4AC01, 6CB4AC41
(*_errno()), xrefs: 6CB4AC0B
@, xrefs: 6CB4A90C
common_message_window, xrefs: 6CB4A8BB, 6CB4AC06, 6CB4AC46
wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error"), xrefs: 6CB4AC4B
@, xrefs: 6CB4A9AF

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: HandleModule
String ID: (*_errno())$...$@$@$Microsoft Visual C++ Runtime Library$_CrtDbgReport: String too long or IO Error$common_message_window$minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp$traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character()))$wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error")
API String ID: 4139908857-1633980848
Opcode ID: 1709790748645fc3ae85b690183302418328917b41dddaf26293596fbd3c6c4c
Instruction ID: f7b9f42c2aa41fef8a3049265a0c07de65a3261496941925032af3442712c7a7
Opcode Fuzzy Hash: 1709790748645fc3ae85b690183302418328917b41dddaf26293596fbd3c6c4c
Instruction Fuzzy Hash: EED1BFB19482A9FBDB24DF90CC89BEEB374EB54304F1081E9E40867694D3349AC5DF92

Function 6CB4A1E0 Relevance: 23.0, APIs: 3, Strings: 10, Instructions: 296COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,00000000), ref: 6CB4A220

Strings

traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character())), xrefs: 6CB4A2A0
Microsoft Visual C++ Runtime Library, xrefs: 6CB4A648
_CrtDbgReport: String too long or IO Error, xrefs: 6CB4A621
..., xrefs: 6CB4A4EF
minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp, xrefs: 6CB4A296, 6CB4A5D2, 6CB4A612
(*_errno()), xrefs: 6CB4A5DC
@, xrefs: 6CB4A2EC
common_message_window, xrefs: 6CB4A29B, 6CB4A5D7, 6CB4A617
wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error"), xrefs: 6CB4A61C
@, xrefs: 6CB4A380

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: HandleModule
String ID: (*_errno())$...$@$@$Microsoft Visual C++ Runtime Library$_CrtDbgReport: String too long or IO Error$common_message_window$minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp$traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character()))$wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error")
API String ID: 4139908857-1633980848
Opcode ID: 87590b99eaab195444c369246a90897cb474fa9dbe8e040c356bc9c340a77ea8
Instruction ID: fb410bd827f61f60bc2b896142f44fc12c6737f88fb8fd348c74192626686d78
Opcode Fuzzy Hash: 87590b99eaab195444c369246a90897cb474fa9dbe8e040c356bc9c340a77ea8
Instruction Fuzzy Hash: 25D1AFB09042A8DBDB24CF14CC49BDEB775EB69304F1081E9E60867784D374AAC5DF92

Function 6CBA04E0 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 142COMMON

Download Yara Rule

Strings

wcscpy_s(progname, progname_size, L"<program name unknown>"), xrefs: 6CBA05B8
wcsncpy_s(pch, progname_size - (pch - progname), L"...", 3), xrefs: 6CBA0616
wcscat_s(outmsg, (sizeof(*__countof_helper(outmsg)) + 0), message), xrefs: 6CBA068C
Microsoft Visual C++ Runtime Library, xrefs: 6CBA06B5
wcscpy_s(outmsg, (sizeof(*__countof_helper(outmsg)) + 0), L"Runtime Error!\n\nProgram: "), xrefs: 6CBA0559
..., xrefs: 6CBA061D
__acrt_report_runtime_error, xrefs: 6CBA0554, 6CBA05B3, 6CBA0611, 6CBA0651, 6CBA0687
Runtime Error!Program: , xrefs: 6CBA055E
wcscat_s(outmsg, (sizeof(*__countof_helper(outmsg)) + 0), L"\n\n"), xrefs: 6CBA0656
<program name unknown>, xrefs: 6CBA05BD
minkernel\crts\ucrt\src\appcrt\internal\report_runtime_error.cpp, xrefs: 6CBA054F, 6CBA05AE, 6CBA060C, 6CBA064C, 6CBA0682

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID:
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $__acrt_report_runtime_error$minkernel\crts\ucrt\src\appcrt\internal\report_runtime_error.cpp$wcscat_s(outmsg, (sizeof(*__countof_helper(outmsg)) + 0), L"\n\n")$wcscat_s(outmsg, (sizeof(*__countof_helper(outmsg)) + 0), message)$wcscpy_s(outmsg, (sizeof(*__countof_helper(outmsg)) + 0), L"Runtime Error!\n\nProgram: ")$wcscpy_s(progname, progname_size, L"<program name unknown>")$wcsncpy_s(pch, progname_size - (pch - progname), L"...", 3)
API String ID: 0-4242594854
Opcode ID: b446e36b5198863465bb2e24079c9d29922d996f6455f3c536bd219d8f648ec7
Instruction ID: 53ac76f3f2bca2f6d4a5ba3773edd2ff17b148e3357873c6170135cb046b50ab
Opcode Fuzzy Hash: b446e36b5198863465bb2e24079c9d29922d996f6455f3c536bd219d8f648ec7
Instruction Fuzzy Hash: 6E418EB9E402C477E700EAF49C52FEE37689B48718F444914F909BBB82E731DB19479A

Function 6CB30900 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 79COMMON

Download Yara Rule

APIs

failwithmessage.LIBCMTD ref: 6CB3093D

Part of subcall function 6CB30C20: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,6CB309D2,000000FF,00000000,00000000,?), ref: 6CB30C81
Part of subcall function 6CB30C20: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,6CB309D2,000000FF,?,00000000), ref: 6CB30CA0
Part of subcall function 6CB30C20: DebuggerProbe.LIBCMTD ref: 6CB30CBA
Part of subcall function 6CB30C20: DebuggerRuntime.LIBCMTD ref: 6CB30CD6
Part of subcall function 6CB30C20: IsDebuggerPresent.KERNEL32 ref: 6CB30CFF

_getMemBlockDataString.LIBCMTD ref: 6CB30969
failwithmessage.LIBCMTD ref: 6CB309CD

Strings

Size: , xrefs: 6CB30994
Address: 0x, xrefs: 6CB3099A
Stack area around _alloca memory reserved by this function is corrupted, xrefs: 6CB30934
Data: <, xrefs: 6CB30983
Allocation number within this function: , xrefs: 6CB3098E
%s%s%p%s%zd%s%d%s%s%s%s%s, xrefs: 6CB309A4
Stack area around _alloca memory reserved by this function is corrupted, xrefs: 6CB3099F

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: Debugger$ByteCharMultiWidefailwithmessage$BlockDataPresentProbeRuntimeString_get
String ID: Address: 0x$Allocation number within this function: $Data: <$Size: $%s%s%p%s%zd%s%d%s%s%s%s%s$Stack area around _alloca memory reserved by this function is corrupted$Stack area around _alloca memory reserved by this function is corrupted
API String ID: 4067135985-3301296223
Opcode ID: 235ef4bf56ab7eb695cfc38e170d218c04444f0f440615db8c57eb27b5b7175c
Instruction ID: ec1bfc87cb7867f855019256ac0f9251e3eac269480dca10b5703435aa1b28a5
Opcode Fuzzy Hash: 235ef4bf56ab7eb695cfc38e170d218c04444f0f440615db8c57eb27b5b7175c
Instruction Fuzzy Hash: E421C97AE401987BCB10CEB9EC84DEEB7BCEF48325F400556FA1DE7A40D63099498B51

Function 6CB979B0 Relevance: 16.8, APIs: 1, Strings: 10, Instructions: 265COMMON

Download Yara Rule

Strings

destination_count <= INT_MAX, xrefs: 6CB97A0E, 6CB97A50
_wctomb_s_l, xrefs: 6CB97A4B, 6CB97BC0, 6CB97CFC
minkernel\crts\ucrt\src\appcrt\convert\wctomb.cpp, xrefs: 6CB97A1C, 6CB97A46, 6CB97B91, 6CB97BBB, 6CB97CCA, 6CB97CF7
destination_count > 0, xrefs: 6CB97B83, 6CB97BC5
*, xrefs: 6CB97D2D
", xrefs: 6CB97D0E
%ls, xrefs: 6CB97A13, 6CB97B88, 6CB97CBE
", xrefs: 6CB97BD2
("Buffer too small", 0), xrefs: 6CB97CB9, 6CB97D01
*, xrefs: 6CB97B40

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID:
String ID: "$"$%ls$("Buffer too small", 0)$*$*$_wctomb_s_l$destination_count <= INT_MAX$destination_count > 0$minkernel\crts\ucrt\src\appcrt\convert\wctomb.cpp
API String ID: 0-2198373435
Opcode ID: 0905134bdc92367caadbd917a662f812c100274efecb5bf119dc9036810d39ce
Instruction ID: e66ece5e7d1d8c7ac8757e5c8fd68ee84564af384960b91df5d2def5efeab9a5
Opcode Fuzzy Hash: 0905134bdc92367caadbd917a662f812c100274efecb5bf119dc9036810d39ce
Instruction Fuzzy Hash: 8AB15EB4D40288EFDB14CF90C855BED77F4EF06318F208528E4157BAA0D7B99A49CB92

Function 6CBC5E5E Relevance: 15.1, APIs: 10, Instructions: 135COMMON

Download Yara Rule

APIs

_cmpDWORD.LIBCMTD ref: 6CBC5E6C

Part of subcall function 6CBC5560: _cmpBYTE.LIBCMTD ref: 6CBC5596

_cmpDWORD.LIBCMTD ref: 6CBC5E93

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: _cmp
String ID:
API String ID: 2028851527-0
Opcode ID: dcf5647540f9869c7e8f67cfd3f3416951bda7d1ccddd060f364bd93f6ce725b
Instruction ID: b9a01a90b31d1b0273e768c60f1e67d9e88d60c5bb228d03f9aa64974505c655
Opcode Fuzzy Hash: dcf5647540f9869c7e8f67cfd3f3416951bda7d1ccddd060f364bd93f6ce725b
Instruction Fuzzy Hash: CF510AB1A11188EFCB04CFBCDA44A9D7BB5EB40309F508558F419AB645EB309F48EB56

Function 6CB907E0 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 221COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMTD ref: 6CB90875

Strings

*, xrefs: 6CB90897
%ls, xrefs: 6CB9080F
common_expand_argv_wildcards, xrefs: 6CB9084D, 6CB90A3D
minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp, xrefs: 6CB9081B, 6CB90848, 6CB90A38
traits::tcsncpy_s( character_it, character_count - (character_it - character_first), *it, count), xrefs: 6CB90A42
result != nullptr, xrefs: 6CB9080A, 6CB90852
?, xrefs: 6CB9089B

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: std::exception::exception
String ID: %ls$*$?$common_expand_argv_wildcards$minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp$result != nullptr$traits::tcsncpy_s( character_it, character_count - (character_it - character_first), *it, count)
API String ID: 2807920213-976376051
Opcode ID: f8aad47e90e6dae42c2f2bfb25a6b01e674d1c6cc4a1990f4de64c04da7bbdbf
Instruction ID: 17d2e2d280c46b894058448d2bb9ecf1c99029de456267e44b5f8510344d9621
Opcode Fuzzy Hash: f8aad47e90e6dae42c2f2bfb25a6b01e674d1c6cc4a1990f4de64c04da7bbdbf
Instruction Fuzzy Hash: 0C913CB0D00289EFDB04DFD4D894BEEB7B5AF59304F244529D415BB780EB34AA48CB91

Function 6CB324C0 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 310memorylibraryloaderCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 6CB324E5
GetProcAddress.KERNEL32(00000000,PDBOpenValidate5), ref: 6CB325AF
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6CB3270C
HeapFree.KERNEL32(00000000), ref: 6CB32713
GetProcessHeap.KERNEL32 ref: 6CB32784
HeapAlloc.KERNEL32(00000000,00000000,?), ref: 6CB3278E

Strings

PDBOpenValidate5, xrefs: 6CB325A9

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: Heap$Process$AddressAllocFreeProcQueryVirtual
String ID: PDBOpenValidate5
API String ID: 1898765391-413491164
Opcode ID: 16deb34161f56d96e3fdb6620c00f9935343efa4d9dd65e0da67ddf8450fe6f6
Instruction ID: f06ffd6a9a283fcf379d77066b20ac6697fa041c2f9c0ce467e319f103f2d2b9
Opcode Fuzzy Hash: 16deb34161f56d96e3fdb6620c00f9935343efa4d9dd65e0da67ddf8450fe6f6
Instruction Fuzzy Hash: 1AB15835B002299BDF049FA4C858BAE7BBAFF48714F254055E925A7781DB31AD02CBD2

Function 6CBB1CE0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 251COMMON

Download Yara Rule

APIs

GetACP.KERNEL32 ref: 6CBB1E44
IsValidCodePage.KERNEL32(0000FDE8), ref: 6CBB1E61

Strings

minkernel\crts\ucrt\src\appcrt\locale\get_qualified_locale.cpp, xrefs: 6CBB1EA6, 6CBB1FA4
utf8, xrefs: 6CBB1FB5
__acrt_get_qualified_locale, xrefs: 6CBB1EAB, 6CBB1FA9
wcsncpy_s(lpOutStr->szLocaleName, (sizeof(*__countof_helper(lpOutStr->szLocaleName)) + 0), _psetloc_data->_cacheLocaleName, wcslen, xrefs: 6CBB1EB0
wcsncpy_s(lpOutStr->szCodePage, (sizeof(*__countof_helper(lpOutStr->szCodePage)) + 0), L"utf8", 5), xrefs: 6CBB1FAE

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: CodePageValid
String ID: __acrt_get_qualified_locale$minkernel\crts\ucrt\src\appcrt\locale\get_qualified_locale.cpp$utf8$wcsncpy_s(lpOutStr->szCodePage, (sizeof(*__countof_helper(lpOutStr->szCodePage)) + 0), L"utf8", 5)$wcsncpy_s(lpOutStr->szLocaleName, (sizeof(*__countof_helper(lpOutStr->szLocaleName)) + 0), _psetloc_data->_cacheLocaleName, wcslen
API String ID: 1911128615-3002009667
Opcode ID: bbd1ef434f747672fd0685210414be4a8118fc8d542a3460aa25d8697e0c5011
Instruction ID: 0fa2fc90abf3f71327b7fa4aeadb6bde491570beea1c58e8a4a4d05aa9cc3c00
Opcode Fuzzy Hash: bbd1ef434f747672fd0685210414be4a8118fc8d542a3460aa25d8697e0c5011
Instruction Fuzzy Hash: 90918DB4A00284ABEB04DF64CD45BBE73B5EF44708F188568F804BB781EB79EA54C795

Function 6CB9F460 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

HeapSize.KERNEL32(02DF0000,00000000,00000000), ref: 6CB9F505
HeapReAlloc.KERNEL32(02DF0000,00000010,00000000,?), ref: 6CB9F53A

Strings

block != nullptr, xrefs: 6CB9F48B, 6CB9F4CD
%ls, xrefs: 6CB9F490
minkernel\crts\ucrt\src\appcrt\heap\expand.cpp, xrefs: 6CB9F499, 6CB9F4C3
_expand_base, xrefs: 6CB9F4C8

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: Heap$AllocSize
String ID: %ls$_expand_base$block != nullptr$minkernel\crts\ucrt\src\appcrt\heap\expand.cpp
API String ID: 3906553864-3244948836
Opcode ID: 22d2aea797a3f5e78b094d9becef73c4465b289d331e4dc549dad19d31c88cef
Instruction ID: 4f1f8636a74dd7f8131eb9595f0bc3af585926fe6a6c147002414d3a32f8db57
Opcode Fuzzy Hash: 22d2aea797a3f5e78b094d9becef73c4465b289d331e4dc549dad19d31c88cef
Instruction Fuzzy Hash: 823182B0E44288EFDB00DFA4C845BDE77B5EB4A325F108564F514ABB80D7B5DA44CB92

Function 6CBC5C06 Relevance: 12.1, APIs: 8, Instructions: 103COMMON

Download Yara Rule

APIs

_cmpDWORD.LIBCMTD ref: 6CBC5C14

Part of subcall function 6CBC5560: _cmpBYTE.LIBCMTD ref: 6CBC5596

_cmpDWORD.LIBCMTD ref: 6CBC5C3B

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: _cmp
String ID:
API String ID: 2028851527-0
Opcode ID: 2640301d4570daf9c888c71c09274a33e47595d280c6422622a01629a6ba161a
Instruction ID: 20fd35f97242420a9b546ae67eb5f7f7b25045a5367b958e0374165f3e798750
Opcode Fuzzy Hash: 2640301d4570daf9c888c71c09274a33e47595d280c6422622a01629a6ba161a
Instruction Fuzzy Hash: 983154B1A11188EFCB04DFBCDA44A9D7B75AB50308F908158F419AB605EB309F48EB96

Function 6CBC5D32 Relevance: 12.1, APIs: 8, Instructions: 103COMMON

Download Yara Rule

APIs

_cmpDWORD.LIBCMTD ref: 6CBC5D40

Part of subcall function 6CBC5560: _cmpBYTE.LIBCMTD ref: 6CBC5596

_cmpDWORD.LIBCMTD ref: 6CBC5D67

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: _cmp
String ID:
API String ID: 2028851527-0
Opcode ID: cab4e5dea73df74ae65bb80adee57d74dc798646feee793aae844ddc1c4fb3b9
Instruction ID: 72147c9449740e0ca49625c6e235c475adbbd3b1abd043e0d8d6e9d271af3000
Opcode Fuzzy Hash: cab4e5dea73df74ae65bb80adee57d74dc798646feee793aae844ddc1c4fb3b9
Instruction Fuzzy Hash: 323125B1E11188EFCB04DFBCDA48A9D7B75AB50349F50C158F409A7605DB309F48EB5A

Function 6CBA3690 Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 439COMMONLIBRARYCODE

Download Yara Rule

Strings

minkernel\crts\ucrt\src\appcrt\convert\wcstombs.cpp, xrefs: 6CBA370E, 6CBA3738
%ls, xrefs: 6CBA3705
_wcstombs_l_helper, xrefs: 6CBA373D
pwcs != nullptr, xrefs: 6CBA3700, 6CBA3742

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID:
String ID: %ls$_wcstombs_l_helper$minkernel\crts\ucrt\src\appcrt\convert\wcstombs.cpp$pwcs != nullptr
API String ID: 0-287901994
Opcode ID: e3fc6e407935ed411af4c94cd89a61af97ff78ec7409fced7d7330f9b8022234
Instruction ID: 5edc8bbf4fe66414ba134afe728a07ed0057061b7fcf5527d5f1085fc88a4b2f
Opcode Fuzzy Hash: e3fc6e407935ed411af4c94cd89a61af97ff78ec7409fced7d7330f9b8022234
Instruction Fuzzy Hash: B3121970914298EFDB14CF98D894BEDB771FF05328F208259E8696B6D0D734AA46CF41

Function 6CB35F80 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 422COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIMED ref: 6CB360D5
CatchIt.LIBCMTD ref: 6CB362CB

Strings

csm, xrefs: 6CB35FD0
csm, xrefs: 6CB36126
csm, xrefs: 6CB36051

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: CatchIs_bad_exception_allowed
String ID: csm$csm$csm
API String ID: 974221251-393685449
Opcode ID: afe80ce9b5eb19ff7632915b33f20f477810cc94887881300b222c55b3b8b19f
Instruction ID: 21f55d6af79a256d89f22f6b30c7977abcd3aa2fec94e6589bc5d0dde418001d
Opcode Fuzzy Hash: afe80ce9b5eb19ff7632915b33f20f477810cc94887881300b222c55b3b8b19f
Instruction Fuzzy Hash: 7AF193B59002999FCB04CFA4C890AEF7779FF54308F149158E81D9BB41DB35EA49CBA2

Function 6CB46150 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 236COMMON

Download Yara Rule

APIs

und_strncmp.LIBCMTD ref: 6CB46235

Strings

generic-type-, xrefs: 6CB46274
`template-parameter-, xrefs: 6CB46247
`generic-type-, xrefs: 6CB46291
template-parameter-, xrefs: 6CB4622A

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: und_strncmp
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 2034953485-3207858774
Opcode ID: 6572f9c6a42491adeff06c86282cfbcfa5e256a61b13cb6c2ee581ffab6c3cef
Instruction ID: d9a9b99a2e57a4f848c2f050f9e9c5dc0041596d56bc49ace22406ce24f30849
Opcode Fuzzy Hash: 6572f9c6a42491adeff06c86282cfbcfa5e256a61b13cb6c2ee581ffab6c3cef
Instruction Fuzzy Hash: 669164B1E042C8ABDF04DFA4D890AEEB7B5AF49304F148129E419A7754EB359A48CB61

Function 6CB90B70 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 232COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMTD ref: 6CB90C0F

Strings

%ls, xrefs: 6CB90BA9
common_expand_argv_wildcards, xrefs: 6CB90BE7, 6CB90DE5
minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp, xrefs: 6CB90BB5, 6CB90BE2, 6CB90DE0
traits::tcsncpy_s( character_it, character_count - (character_it - character_first), *it, count), xrefs: 6CB90DEA
result != nullptr, xrefs: 6CB90BA4, 6CB90BEC

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: std::exception::exception
String ID: %ls$common_expand_argv_wildcards$minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp$result != nullptr$traits::tcsncpy_s( character_it, character_count - (character_it - character_first), *it, count)
API String ID: 2807920213-1103401458
Opcode ID: 2b040785e985b3d0081b58998ef1eedc8b1ee14d72b4aabbbc8e314d8063d7ca
Instruction ID: 35adba5d8f019103268ba049aabbcfc60b05fd58ab5c6388145d02f06acef6da
Opcode Fuzzy Hash: 2b040785e985b3d0081b58998ef1eedc8b1ee14d72b4aabbbc8e314d8063d7ca
Instruction Fuzzy Hash: F1A148B0D002899FDB04DFE4D895BEEB7B5EF49308F244529E415BB780EB34AA49CB51

Function 6CB4C8E0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 198COMMON

Download Yara Rule

Strings

mode == _crt_argv_expanded_arguments || mode == _crt_argv_unexpanded_arguments, xrefs: 6CB4C91E, 6CB4C966
C:\Windows\SysWOW64\rundll32.exe, xrefs: 6CB4C999, 6CB4C9B2, 6CB4C9F5
%ls, xrefs: 6CB4C923
common_configure_argv, xrefs: 6CB4C961
minkernel\crts\ucrt\src\appcrt\startup\argv_parsing.cpp, xrefs: 6CB4C92F, 6CB4C95C

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID:
String ID: %ls$C:\Windows\SysWOW64\rundll32.exe$common_configure_argv$minkernel\crts\ucrt\src\appcrt\startup\argv_parsing.cpp$mode == _crt_argv_expanded_arguments || mode == _crt_argv_unexpanded_arguments
API String ID: 0-445158968
Opcode ID: ce5a8349694b080315aa9ec555b5d05907777d3e663ec7d78fe00880346caa29
Instruction ID: 5e0e3e5d0ed6ae3735fbf7947deba03c50fee92895014410f9b2b2e75e80a6f3
Opcode Fuzzy Hash: ce5a8349694b080315aa9ec555b5d05907777d3e663ec7d78fe00880346caa29
Instruction Fuzzy Hash: B27181B1D04288EBDB04EFE4D855BEEB774AF04708F108558D505BB784DB745A4CDBA2

Function 6CBBFDD0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 104COMMON

Download Yara Rule

Strings

minkernel\crts\ucrt\src\appcrt\lowio\close.cpp, xrefs: 6CBBFE37, 6CBBFE6C, 6CBBFED5, 6CBBFF0A
(fh >= 0 && (unsigned)fh < (unsigned)_nhandle), xrefs: 6CBBFE29, 6CBBFE76
(_osfile(fh) & FOPEN), xrefs: 6CBBFEC7, 6CBBFF14
%ls, xrefs: 6CBBFE2E, 6CBBFECC
_close, xrefs: 6CBBFE71, 6CBBFF0F

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID:
String ID: %ls$(_osfile(fh) & FOPEN)$(fh >= 0 && (unsigned)fh < (unsigned)_nhandle)$_close$minkernel\crts\ucrt\src\appcrt\lowio\close.cpp
API String ID: 0-1433886027
Opcode ID: ed9ea40668168f19f02f422b9248b4dea873edf5247132c51d2834726bffd238
Instruction ID: afe49db0ceccad7081fa03e6fa8cd5de9b231faa5b59546703209f284207837b
Opcode Fuzzy Hash: ed9ea40668168f19f02f422b9248b4dea873edf5247132c51d2834726bffd238
Instruction Fuzzy Hash: 503122BC8402C4ABEB109F94CC51BBD3B74AF06369F140A44F0283AEC1DBB49644CB96

Function 6CBB5AD0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 98COMMON

Download Yara Rule

Strings

(fh >= 0 && (unsigned)fh < (unsigned)_nhandle), xrefs: 6CBB5B1E, 6CBB5B60
(_osfile(fh) & FOPEN), xrefs: 6CBB5BB1, 6CBB5BF3
minkernel\crts\ucrt\src\appcrt\lowio\commit.cpp, xrefs: 6CBB5B2C, 6CBB5B56, 6CBB5BBF, 6CBB5BE9
_commit, xrefs: 6CBB5B5B, 6CBB5BEE
%ls, xrefs: 6CBB5B23, 6CBB5BB6

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID:
String ID: %ls$(_osfile(fh) & FOPEN)$(fh >= 0 && (unsigned)fh < (unsigned)_nhandle)$_commit$minkernel\crts\ucrt\src\appcrt\lowio\commit.cpp
API String ID: 0-1026578051
Opcode ID: 57ec90ad992d9fa95316e4fc42f3ead125a2f46a12b8da4d17b8fd20c9ce61a8
Instruction ID: 4ab74c34c30ce08a667d3ff4951bb667b95ee697e8e6ddd6ed545c515b5dc6b1
Opcode Fuzzy Hash: 57ec90ad992d9fa95316e4fc42f3ead125a2f46a12b8da4d17b8fd20c9ce61a8
Instruction Fuzzy Hash: CA31E6B49402C8ABDB308F94CC42BAC7B74EB05769F144A45E5247AAC1DBB4964CCB9B

Function 6CBC5AEE Relevance: 10.6, APIs: 7, Instructions: 96COMMON

Download Yara Rule

APIs

_cmpDWORD.LIBCMTD ref: 6CBC5AFC

Part of subcall function 6CBC5560: _cmpBYTE.LIBCMTD ref: 6CBC5596

_cmpDWORD.LIBCMTD ref: 6CBC5B23

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: _cmp
String ID:
API String ID: 2028851527-0
Opcode ID: 886a3d6f066865c6bb5d327980fe2796885dd27cc38c0e45858bb95054f92fe6
Instruction ID: 38d3a956c1ba275b7be4048d3ac295b03b035353a55ebafec42b62c184d3f532
Opcode Fuzzy Hash: 886a3d6f066865c6bb5d327980fe2796885dd27cc38c0e45858bb95054f92fe6
Instruction Fuzzy Hash: 813110B1A11188EFCB04DFBCCA44B9D7B759B50309F508158E409B7649DB349F48EB56

Function 6CB4AE40 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

std::_Fac_node::_Fac_node.LIBCPMTD ref: 6CB4AF48

Strings

common_set_report_hook, xrefs: 6CB4AEAD, 6CB4AF26
mode == _CRT_RPTHOOK_INSTALL || mode == _CRT_RPTHOOK_REMOVE, xrefs: 6CB4AE70, 6CB4AEB2
minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp, xrefs: 6CB4AE7E, 6CB4AEA8, 6CB4AEF7, 6CB4AF21
%ls, xrefs: 6CB4AE75, 6CB4AEEE
new_hook != nullptr, xrefs: 6CB4AEE9, 6CB4AF2B

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: Fac_nodeFac_node::_std::_
String ID: %ls$common_set_report_hook$minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp$mode == _CRT_RPTHOOK_INSTALL || mode == _CRT_RPTHOOK_REMOVE$new_hook != nullptr
API String ID: 1114552684-2008714909
Opcode ID: e5ad3daa68931cf481920fe6d17de3724324af798ab4401ed3e19e017f6b3f7c
Instruction ID: 9fedbdea32c77487096fa9b1e75dd32513e0bbf432f3c15f273b46907a9256f5
Opcode Fuzzy Hash: e5ad3daa68931cf481920fe6d17de3724324af798ab4401ed3e19e017f6b3f7c
Instruction Fuzzy Hash: 3F21D8B4E882C9FADF109A90CC05FDE7770EB01729F20C9A5E52829DC5D3B55188DE93

Function 6CB4AFB0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

std::_Fac_node::_Fac_node.LIBCPMTD ref: 6CB4B0B8

Strings

common_set_report_hook, xrefs: 6CB4B01D, 6CB4B096
mode == _CRT_RPTHOOK_INSTALL || mode == _CRT_RPTHOOK_REMOVE, xrefs: 6CB4AFE0, 6CB4B022
minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp, xrefs: 6CB4AFEE, 6CB4B018, 6CB4B067, 6CB4B091
%ls, xrefs: 6CB4AFE5, 6CB4B05E
new_hook != nullptr, xrefs: 6CB4B059, 6CB4B09B

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: Fac_nodeFac_node::_std::_
String ID: %ls$common_set_report_hook$minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp$mode == _CRT_RPTHOOK_INSTALL || mode == _CRT_RPTHOOK_REMOVE$new_hook != nullptr
API String ID: 1114552684-2008714909
Opcode ID: 7a2bfec4f77251af77b784958f660962e5615e3d5812cf9c8f30d7f540cd5f09
Instruction ID: 3638af62f0c97369924fd547a674620392513e4b3c45a6b2437bcd1eca5b8521
Opcode Fuzzy Hash: 7a2bfec4f77251af77b784958f660962e5615e3d5812cf9c8f30d7f540cd5f09
Instruction Fuzzy Hash: D321D674E482C8FAEF209A90CC05BDE7774EF0132BF10C695E62429EC5D3B55288DA97

Function 6CBB5210 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372COMMON

Download Yara Rule

Strings

minkernel\crts\ucrt\src\appcrt\locale\comparestringa.cpp, xrefs: 6CBB5304
minkernel\crts\ucrt\src\appcrt\locale\comparestringa.cpp, xrefs: 6CBB5491, 6CBB5592
cchCount1==0 && cchCount2==1 || cchCount1==1 && cchCount2==0, xrefs: 6CBB52F6
%ls, xrefs: 6CBB52FB

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID:
String ID: %ls$cchCount1==0 && cchCount2==1 || cchCount1==1 && cchCount2==0$minkernel\crts\ucrt\src\appcrt\locale\comparestringa.cpp$minkernel\crts\ucrt\src\appcrt\locale\comparestringa.cpp
API String ID: 0-1085474390
Opcode ID: f47e2852cefec3960616543e78e13867e714676c576e250e71e306ff1667b40f
Instruction ID: 000a535d60871961e5f29d242b2df49fd208dde2661a87ddf2a3bff95fe85154
Opcode Fuzzy Hash: f47e2852cefec3960616543e78e13867e714676c576e250e71e306ff1667b40f
Instruction Fuzzy Hash: 81E1B271E001899BDB04CF94C8A0BFE7775EF49308F144129E916BBB80DB79D949CBA6

Function 6CB8B000 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5), ref: 6CB8B0B3
GetStdHandle.KERNEL32(000000F4), ref: 6CB8B0CD

Strings

minkernel\crts\ucrt\src\appcrt\misc\dbgrptt.cpp, xrefs: 6CB8B041, 6CB8B06E
%ls, xrefs: 6CB8B035
_CrtSetReportFile, xrefs: 6CB8B073
nRptType >= 0 && nRptType < _CRT_ERRCNT, xrefs: 6CB8B030, 6CB8B078

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: Handle
String ID: %ls$_CrtSetReportFile$minkernel\crts\ucrt\src\appcrt\misc\dbgrptt.cpp$nRptType >= 0 && nRptType < _CRT_ERRCNT
API String ID: 2519475695-1451859211
Opcode ID: 4b081e2761c12b5f45532bc8843668a76beebc130b1043a0c6d54b11702d46dd
Instruction ID: 7c7c9c0fec2bd52d18ad974b012a1cd7bb63e02fa24a94264ac18ce0953acf32
Opcode Fuzzy Hash: 4b081e2761c12b5f45532bc8843668a76beebc130b1043a0c6d54b11702d46dd
Instruction Fuzzy Hash: 67216D78905289FBCB208E78DC44B4C7BB8EB06368F148245EA745BBC0D371A684CF46

Function 6CBAF7B0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 296COMMON

Download Yara Rule

APIs

_fix_grouping.LIBCMTD ref: 6CBAFA49

Strings

minkernel\crts\ucrt\src\appcrt\locale\initnum.cpp, xrefs: 6CBAF805, 6CBAF840, 6CBAF8CC
minkernel\crts\ucrt\src\appcrt\locale\initnum.cpp, xrefs: 6CBAFAFE
%ls, xrefs: 6CBAFAF2
ploci->lconv_num_refcount > 0, xrefs: 6CBAFAED

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: _fix_grouping
String ID: %ls$minkernel\crts\ucrt\src\appcrt\locale\initnum.cpp$minkernel\crts\ucrt\src\appcrt\locale\initnum.cpp$ploci->lconv_num_refcount > 0
API String ID: 3906328105-162942574
Opcode ID: 99f02b8ab04408d55638a2380cd3a795f2fc21aa2b669a8d4a34166730247fed
Instruction ID: e7c1d4f6d91c3a3cee92110395603d06134d71922a24a34a49e8cd6685a95a07
Opcode Fuzzy Hash: 99f02b8ab04408d55638a2380cd3a795f2fc21aa2b669a8d4a34166730247fed
Instruction Fuzzy Hash: 7FC1C3B4E04248AFDB00CF94C855FEEBBB1FF44314F048558E958AB781D7B6AA85CB91

Function 6CB4CC30 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 198COMMON

Download Yara Rule

Strings

mode == _crt_argv_expanded_arguments || mode == _crt_argv_unexpanded_arguments, xrefs: 6CB4CC6E, 6CB4CCB6
%ls, xrefs: 6CB4CC73
common_configure_argv, xrefs: 6CB4CCB1
minkernel\crts\ucrt\src\appcrt\startup\argv_parsing.cpp, xrefs: 6CB4CC7F, 6CB4CCAC

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID:
String ID: %ls$common_configure_argv$minkernel\crts\ucrt\src\appcrt\startup\argv_parsing.cpp$mode == _crt_argv_expanded_arguments || mode == _crt_argv_unexpanded_arguments
API String ID: 0-3792389471
Opcode ID: 5d756aef5c398e6d8ba8696e9a24d4d3f55e8d42c6657a36c2d8f2bd4439b972
Instruction ID: d1c0aab03232145f1a1a3b4bbd20888940cfac46e2487cfd5d826493c9f9eab9
Opcode Fuzzy Hash: 5d756aef5c398e6d8ba8696e9a24d4d3f55e8d42c6657a36c2d8f2bd4439b972
Instruction Fuzzy Hash: A4718FB1D04188EBDB04EFA4D895BEEB774EF04708F108158E5056B785EB746A0CDBA2

Function 6CB31F20 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

GetPdbDllFromInstallPath.LIBCMTD ref: 6CB31F47

Part of subcall function 6CB320C0: GetLastError.KERNEL32 ref: 6CB32109
Part of subcall function 6CB320C0: GetProcAddress.KERNEL32(00000000,RegOpenKeyExW), ref: 6CB3212F
Part of subcall function 6CB320C0: GetProcAddress.KERNEL32(00000000,RegQueryValueExW), ref: 6CB32141
Part of subcall function 6CB320C0: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 6CB32153
Part of subcall function 6CB320C0: FreeLibrary.KERNEL32(00000000), ref: 6CB32187

GetLastError.KERNEL32 ref: 6CB31FBB
GetLastError.KERNEL32 ref: 6CB31FF5

Strings

MSPDB140, xrefs: 6CB31FE4
VCRUNTIME140D.dll, xrefs: 6CB31F54

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: AddressErrorLastProc$FreeFromInstallLibraryPath
String ID: MSPDB140$VCRUNTIME140D.dll
API String ID: 3575457754-1916464790
Opcode ID: b96afffd17ec557b0728e1330a02ad694b952f3dd40b52c2de5d59520d99e79c
Instruction ID: c23ec89388dbd23a624588db4dc675df11294f90e0a7aa53893f152f370b191f
Opcode Fuzzy Hash: b96afffd17ec557b0728e1330a02ad694b952f3dd40b52c2de5d59520d99e79c
Instruction Fuzzy Hash: CE31D6B1A0429866EB1096719C4AFDE33AC9F04308F5405A1EE1DE6AC2FB75D64CC693

Function 6CB47370 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 83COMMON

Download Yara Rule

Strings

%ls, xrefs: 6CB473F9, 6CB4744B
D:\a\_work\1\s\src\vctools\crt\vcruntime\src\internal\winapi_downlevel.cpp, xrefs: 6CB47405, 6CB47457
cached_fp == invalid_function_sentinel(), xrefs: 6CB473F4
cached_fp == new_fp, xrefs: 6CB47446

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID:
String ID: %ls$D:\a\_work\1\s\src\vctools\crt\vcruntime\src\internal\winapi_downlevel.cpp$cached_fp == invalid_function_sentinel()$cached_fp == new_fp
API String ID: 0-3288861829
Opcode ID: 4074bc572848ecf33a957ca863fe269e3c259f31b9ff4cc9ae4974650c1be0b0
Instruction ID: 6721e25c5b866fba165ec142f92e488468c03a450086e62bec15ae6efb186b9d
Opcode Fuzzy Hash: 4074bc572848ecf33a957ca863fe269e3c259f31b9ff4cc9ae4974650c1be0b0
Instruction Fuzzy Hash: 5921C370E14188EBCF10DFA4CC45BAD7B74EB05309F10C965E514B7A84E7B4A658DB92

Function 6CB9D2A0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74timeCOMMON

Download Yara Rule

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 6CB9D35E

Strings

_wsetlocale, xrefs: 6CB9D321
%ls, xrefs: 6CB9D2E3
minkernel\crts\ucrt\src\appcrt\locale\wsetlocale.cpp, xrefs: 6CB9D2EF, 6CB9D31C
LC_MIN <= _category && _category <= LC_MAX, xrefs: 6CB9D2DE, 6CB9D326

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: TimevecTimevec::_std::_
String ID: %ls$LC_MIN <= _category && _category <= LC_MAX$_wsetlocale$minkernel\crts\ucrt\src\appcrt\locale\wsetlocale.cpp
API String ID: 4219598475-2399076032
Opcode ID: e53dd7dff161c978c92fab49831a9376907df10b10a9f7abd7e19026108bf4e5
Instruction ID: 674f14f0999f43328ad0a9dfde64a8571c1e04256404f3b01a68ad51ef1b3094
Opcode Fuzzy Hash: e53dd7dff161c978c92fab49831a9376907df10b10a9f7abd7e19026108bf4e5
Instruction Fuzzy Hash: FF21B0B6C0028CBBDB00DFE0DC45BEF7778AF06719F108965E50567A80E775A648CBA2

Function 6CBB59E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(00000000), ref: 6CBB5A23
GetLastError.KERNEL32 ref: 6CBB5A31

Strings

("Invalid file descriptor. File possibly closed by a different thread",0), xrefs: 6CBB5A4F
minkernel\crts\ucrt\src\appcrt\lowio\commit.cpp, xrefs: 6CBB5A5D
%ls, xrefs: 6CBB5A54

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: BuffersErrorFileFlushLast
String ID: %ls$("Invalid file descriptor. File possibly closed by a different thread",0)$minkernel\crts\ucrt\src\appcrt\lowio\commit.cpp
API String ID: 1917127615-1268643607
Opcode ID: f75a9460bebe6f3571a03c4a135608916aae2f9426dedea21d0eb2c1c645b6df
Instruction ID: c0d7cf6a4f6743729c04a154257d46dc6a08268e1cedde50114709773518147b
Opcode Fuzzy Hash: f75a9460bebe6f3571a03c4a135608916aae2f9426dedea21d0eb2c1c645b6df
Instruction Fuzzy Hash: A0110470A40280AFCB04CB74DC95E6E3379EB0A315F240988F525FBB90EB74ED048796

Function 6CBA2C50 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 293COMMONLIBRARYCODE

Download Yara Rule

Strings

%ls, xrefs: 6CBA2CAD
minkernel\crts\ucrt\src\appcrt\convert\mbstowcs.cpp, xrefs: 6CBA2CB6, 6CBA2CE0
s != nullptr, xrefs: 6CBA2CA8, 6CBA2CEA
_mbstowcs_l_helper, xrefs: 6CBA2CE5

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID:
String ID: %ls$_mbstowcs_l_helper$minkernel\crts\ucrt\src\appcrt\convert\mbstowcs.cpp$s != nullptr
API String ID: 0-454128329
Opcode ID: 65024372dce95e0ac8c85eb24668fcdff55c33bf1c9522857dce13a1101b6115
Instruction ID: 77489ed48f206d76b6f22ece23f27a338b52fd09a3fd84673a52fc4aaa4b2cb5
Opcode Fuzzy Hash: 65024372dce95e0ac8c85eb24668fcdff55c33bf1c9522857dce13a1101b6115
Instruction Fuzzy Hash: 44C16C70904288EFCB14CF95C898BEDB771FF45318F248259E859ABB90D734AE45CB42

Function 6CBB8500 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 236COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6CBB860D

Strings

strncpy_s(*char_result, local_length, local_buffer, local_length - 1), xrefs: 6CBB85CF
minkernel\crts\ucrt\src\appcrt\locale\getlocaleinfoa.cpp, xrefs: 6CBB85C5
__acrt_GetLocaleInfoA, xrefs: 6CBB85CA
minkernel\crts\ucrt\src\appcrt\locale\getlocaleinfoa.cpp, xrefs: 6CBB8570, 6CBB8651, 6CBB8772

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID: __acrt_GetLocaleInfoA$minkernel\crts\ucrt\src\appcrt\locale\getlocaleinfoa.cpp$minkernel\crts\ucrt\src\appcrt\locale\getlocaleinfoa.cpp$strncpy_s(*char_result, local_length, local_buffer, local_length - 1)
API String ID: 1452528299-34002772
Opcode ID: 75abe06ccd3e4f2d6ab51e044c183d5b5ac6138488d83cac83231616058f1b87
Instruction ID: 740fe2a4d101c8bf9f096a001758572932c5685ba9d963ee95b9577d7fc76dba
Opcode Fuzzy Hash: 75abe06ccd3e4f2d6ab51e044c183d5b5ac6138488d83cac83231616058f1b87
Instruction Fuzzy Hash: 91A125709002999BDB64DF28CC50FAEB3B4AF54318F108699E51DA76C0DB359E89CF61

Function 6CBBB1F0 Relevance: 7.6, APIs: 5, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,?,?,00000001), ref: 6CBBB216
GetLastError.KERNEL32 ref: 6CBBB220
SetFilePointerEx.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 6CBBB26D
GetLastError.KERNEL32 ref: 6CBBB277

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 8e2462ccab13b2fdfbee245613863a50d4136df03e9a94f5a84f9bbf32a5f6dd
Instruction ID: 6241fda90041cdf93961b0f55a5509bafa4b6e812e5e692ffc0d4e95a198e579
Opcode Fuzzy Hash: 8e2462ccab13b2fdfbee245613863a50d4136df03e9a94f5a84f9bbf32a5f6dd
Instruction Fuzzy Hash: A3212FB1E10548ABDB00CFE9CC85BAEBBB8BF49314F108659F528E3290DBB496048B51

Function 6CB344C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMTD ref: 6CB3450D
_ValidateLocalCookies.LIBCMTD ref: 6CB34640
_ValidateLocalCookies.LIBCMTD ref: 6CB34693

Strings

csm, xrefs: 6CB345BF

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: CookiesLocalValidate
String ID: csm
API String ID: 2268201637-1018135373
Opcode ID: bc1518713084720fe58f237af8a20f6b9a7a944227231d0be631df721becb5f1
Instruction ID: 0921d56277df44488e18c6311bc3fea710bf92e67faedb9e26179dde7bb8e6d8
Opcode Fuzzy Hash: bc1518713084720fe58f237af8a20f6b9a7a944227231d0be631df721becb5f1
Instruction Fuzzy Hash: 35512F74E00259DFCB04CF98D890AEEBBB1FF49318F108199D8296B750D735AA85CFA1

Function 6CB47640 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(6CB47507,00000000,00000800,?,?,6CB47507,00000000), ref: 6CB4764F
GetLastError.KERNEL32(?,?,6CB47507), ref: 6CB47663
LoadLibraryExW.KERNEL32(6CB47507,00000000,00000000,?,6CB47507), ref: 6CB4768D

Strings

api-ms-, xrefs: 6CB47670

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: edc804e12e423edc51f4dcae33237915c8c252f0cf268a075deccf6d1d57d390
Instruction ID: 34fc7c3735958b4dd3f1e9c5b939135eae07e5e1be9d576911eb5d43d988df16
Opcode Fuzzy Hash: edc804e12e423edc51f4dcae33237915c8c252f0cf268a075deccf6d1d57d390
Instruction Fuzzy Hash: 90F05EB4A58244FBDB008FB8DC49B9E3B7AAB01704F108554F919BB6C4D6F5EA00DB95

Function 6CBC05B6 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 6CBC05D0
GetLastError.KERNEL32 ref: 6CBC05DC
___initconout.LIBCMT ref: 6CBC05EC

Part of subcall function 6CBC066A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CBC05F1), ref: 6CBC067D

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 6CBC0600

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$CreateErrorFileLast___initconout
String ID:
API String ID: 3431868840-0
Opcode ID: f173b4fb0a70f5357944862188271ceb4d11fc5af31fa10e1b1573298a4c76c0
Instruction ID: 7b7b8e82bb0aa8a0b9f861f3fc0bced1b3c3d00d6a0a4199a47c8ce0b04fa37e
Opcode Fuzzy Hash: f173b4fb0a70f5357944862188271ceb4d11fc5af31fa10e1b1573298a4c76c0
Instruction Fuzzy Hash: A1F05E36200140ABCB221F9AEC04D467BBAEFCA3157140465F6AAD3B20CB7194209F25

Function 6CBC06D2 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 6CBC06E9
GetLastError.KERNEL32 ref: 6CBC06F5
___initconout.LIBCMT ref: 6CBC0705

Part of subcall function 6CBC066A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CBC05F1), ref: 6CBC067D

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 6CBC071A

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$CreateErrorFileLast___initconout
String ID:
API String ID: 3431868840-0
Opcode ID: 121d6b1bc265db21275dde2ceff1cd703208be7f30de7ceb0a1a8bfa67b5a5c8
Instruction ID: 97d4fcc0e3b9d58c3881ebbc5143c9d9af358d9f4defe14f99e5d46e9d6ecd76
Opcode Fuzzy Hash: 121d6b1bc265db21275dde2ceff1cd703208be7f30de7ceb0a1a8bfa67b5a5c8
Instruction Fuzzy Hash: E9F09836604194BBCF121FA5AC0498A3E7AFF4A3A5B044555FA29A6620CB72D8309F95

Function 6CB8E400 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNEL32(Function_000BDA80,00000001), ref: 6CB8E4B7

Strings

minkernel\crts\ucrt\src\appcrt\misc\signal.cpp, xrefs: 6CB8E5A6

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: ConsoleCtrlHandler
String ID: minkernel\crts\ucrt\src\appcrt\misc\signal.cpp
API String ID: 1513847179-3244217075
Opcode ID: f820739d0972f25db84b34acabd4d52412369ce140bfe89e22045ea86f29a6b8
Instruction ID: 6898b6968ca002c4e9bd484b90b0570d031c2c8984d3ce741aaad5ebe44e5b05
Opcode Fuzzy Hash: f820739d0972f25db84b34acabd4d52412369ce140bfe89e22045ea86f29a6b8
Instruction Fuzzy Hash: 447161B9A062C8EFDB00CF64D880EDD77B5EB49318F148529E8196BB50D735D944CFA2

Function 6CB365F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

RCC, xrefs: 6CB36636
MOC, xrefs: 6CB3662B

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID:
String ID: MOC$RCC
API String ID: 0-2084237596
Opcode ID: b2dc3ac64752cbd06419b0413ee9f0bf834f750fe9aca944e03664c59c7f7e1e
Instruction ID: 6182ae98d60e6659b90d9f88d2e6c7c1521d568ebe7e9da64d003570215652d0
Opcode Fuzzy Hash: b2dc3ac64752cbd06419b0413ee9f0bf834f750fe9aca944e03664c59c7f7e1e
Instruction Fuzzy Hash: 27516E71A00159EBCB04CF94C990EEE73B9FF58348F148258E919E7690DB35EE05CBA2

Function 6CB94F97 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,6CB4DFE4,?,?,6CB4DF74,6CB4E98A), ref: 6CB94FA0
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CB9501C

Strings

minkernel\crts\ucrt\src\desktopcrt\env\get_environment_from_os.cpp, xrefs: 6CB94FD3

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID: minkernel\crts\ucrt\src\desktopcrt\env\get_environment_from_os.cpp
API String ID: 3328510275-170101930
Opcode ID: 81960b785f960524ed4c45bcfe28af156be12e874f731bfac1e60eb5d9cac723
Instruction ID: b46bf312d0c6ae13f2ba70a3b47c523aebe732cf98493a23efac78d44cd87dac
Opcode Fuzzy Hash: 81960b785f960524ed4c45bcfe28af156be12e874f731bfac1e60eb5d9cac723
Instruction Fuzzy Hash: 1E014962A816D13BB72105B60C8DEBF386CCBCBB99B100234F919D7640FA69CD05C1F2

Function 6CB9CE40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63timeCOMMON

Download Yara Rule

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 6CB9CEC6
std::_Timevec::_Timevec.LIBCPMTD ref: 6CB9CEDD

Strings

minkernel\crts\ucrt\src\appcrt\locale\wsetlocale.cpp, xrefs: 6CB9CE55

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: TimevecTimevec::_std::_
String ID: minkernel\crts\ucrt\src\appcrt\locale\wsetlocale.cpp
API String ID: 4219598475-2192260110
Opcode ID: 8cf4ae352c53333cd403a35e20be3756181e3f601651ff45f4bc113308b24417
Instruction ID: 5488e29ed4c9ad7c6e8f4b6890e1b5ed3bef5702fe1235fa60c283bb57eefc68
Opcode Fuzzy Hash: 8cf4ae352c53333cd403a35e20be3756181e3f601651ff45f4bc113308b24417
Instruction Fuzzy Hash: F5216075950188ABCB04EF94C956AFEB374AF11708F1040A5990AA7790EF356F0DCB51

Function 6CB48410 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,00000000,?,6CB48230,?), ref: 6CB48436

Strings

CorExitProcess, xrefs: 6CB4844A
mscoree.dll, xrefs: 6CB4842F

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: HandleModule
String ID: CorExitProcess$mscoree.dll
API String ID: 4139908857-1276376045
Opcode ID: 767ebd5f286004f6541b8f1aa58620bbc4daf14b89017b7b647f9f9a052a39d5
Instruction ID: 06975a1870112f603e7f36e8dff7e39e76df3804c0f9140a81c49bfe6ffe0c01
Opcode Fuzzy Hash: 767ebd5f286004f6541b8f1aa58620bbc4daf14b89017b7b647f9f9a052a39d5
Instruction Fuzzy Hash: A0012C30D0418CFBCB04EFA4D859AEDB739AF10318F5480A5E40AB3A50DB395F08DB92

Function 6CB9504D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,6CB4E04E,?,?,6CB4DFAB,6CB4E9A3), ref: 6CB95051
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CB9509E

Strings

minkernel\crts\ucrt\src\desktopcrt\env\get_environment_from_os.cpp, xrefs: 6CB9506C

Memory Dump Source

Source File: 00000003.00000002.1710502824.000000006CB29000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CAD0000, based on PE: true

Associated: 00000003.00000002.1710471540.000000006CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CB20000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710502824.000000006CBC9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710634407.000000006CBCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710670869.000000006CBF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710694621.000000006CBF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1710716056.000000006CBFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cad0000_rundll32.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID: minkernel\crts\ucrt\src\desktopcrt\env\get_environment_from_os.cpp
API String ID: 3328510275-170101930
Opcode ID: 70ad741f90aa52e83045b4c03a88355632d144414e61788309de31959b927de0
Instruction ID: 1a72d66a0fa2e527beca93c89200aeb611cad167388ad838fa5f7bb89712cbf4
Opcode Fuzzy Hash: 70ad741f90aa52e83045b4c03a88355632d144414e61788309de31959b927de0
Instruction Fuzzy Hash: 12F02E126C465136E22211352C8DFEF155DCBC6B75F150320F52DA6B81AF584D0940E3

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wfdrproxy.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: loaddll32.exePID: 3864, Parent PID: 2580

General

File Activities

File Opened

File Created

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Windows Analysis Report
wfdrproxy.dll