Edit tour

Windows Analysis Report
AyCnklzHb7.dll

Overview

General Information

Sample name:	AyCnklzHb7.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name:	32f82fc72003ea760425630e2c6a998f5c89d85e8a4adff669c24da0ef15ef42.exe
Analysis ID:	1543073
MD5:	3c9121d5389ae5b87885261c3efdf6da
SHA1:	0f6fb000293f957b4f0fc91540cfce6a1c07f63c
SHA256:	32f82fc72003ea760425630e2c6a998f5c89d85e8a4adff669c24da0ef15ef42
Tags:	exeuser-JAMESWT_MHT
Infos:

Detection

Score:	9
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 7300 cmdline: loaddll64.exe "C:\Users\user\Desktop\AyCnklzHb7.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 7308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7352 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AyCnklzHb7.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 7376 cmdline: rundll32.exe "C:\Users\user\Desktop\AyCnklzHb7.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

regsvr32.exe (PID: 7360 cmdline: regsvr32.exe /s C:\Users\user\Desktop\AyCnklzHb7.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

rundll32.exe (PID: 7384 cmdline: rundll32.exe C:\Users\user\Desktop\AyCnklzHb7.dll,DllCanUnloadNow MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7448 cmdline: rundll32.exe C:\Users\user\Desktop\AyCnklzHb7.dll,DllGetClassObject MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 7528 cmdline: C:\Windows\system32\WerFault.exe -u -p 7448 -s 420 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 7608 cmdline: rundll32.exe C:\Users\user\Desktop\AyCnklzHb7.dll,DllRegisterServer MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Code function: GetCurrentThreadId,GetTickCount,LoadLibraryExW,memset,wcstombs,GetProcAddress,GetTickCount,FreeLibrary,GetLastError,GetLastError,memset,swprintf_s,free,wcscpy_s,CreateProcessW,CloseHandle,CloseHandle,GetLastError, Shutdown

6_2_00007FFDFB7289E0

Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFDFB728BF0	6_2_00007FFDFB728BF0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFDFB72A3F0	6_2_00007FFDFB72A3F0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFDFB72A370	6_2_00007FFDFB72A370
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFDFB729B20	6_2_00007FFDFB729B20
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFDFB75335C	6_2_00007FFDFB75335C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFDFB724240	6_2_00007FFDFB724240
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFDFB7218F0	6_2_00007FFDFB7218F0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFDFB764134	6_2_00007FFDFB764134
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFDFB7257D0	6_2_00007FFDFB7257D0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFDFB7627D0	6_2_00007FFDFB7627D0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFDFB74C690	6_2_00007FFDFB74C690
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFDFB762DD8	6_2_00007FFDFB762DD8

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7448 -s 420

Source: AyCnklzHb7.dll

Static PE information: Resource name: RT_ICON type: COM executable for DOS

Source: AyCnklzHb7.dll

Binary or memory string: OriginalFilenamePNIDUI.DLLj% vs AyCnklzHb7.dll

Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\pnidui.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\wbem\fastprox.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\biwinrt.dllore.dllng
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\zh-CN\ntdll.dll.mui.0r
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\InputMethod\CHS\ChsPinyinDM49.lexe.lex\ChsChsPinyinHap_s.lex
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\zh-CN\ndis.sys.mui
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows.old\Windows\WinSxS\Tempe.exee1
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\CloudExperienceHostCommon.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\zh-CN\crypt32.dll.mui
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\SyncCenter.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Machine.srd
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\stobject.dllprofile;
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\MosStorage.dllll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\ucrtbase_clr0400.dllF-
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Program Files (x86)\Mythware\
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\ClipRenew.exe
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows.old\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.906_none_6530c5981102f17fbwere.dat
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\StateRepository.Core.dllllstem32\WindowsPowerShell\v
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\zh-CN\rundll32.exe.mui
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\icuuc.dlles
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\INF\kdnic.PNFrStore\zh-CNcat
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\NetSetupApi.dllrfaceCl
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\ClipSp.sysPCI#
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\WofUtil.dll\EdgeCorei
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\WSDApi.dllcbda2}\0004010
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\Windows.Media.Devices.dllrogramDataPublic=C:\Users\Pu
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\authui.dllllost.exetificados CGN V20P
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\zh-CN\acpi.sys.mui
Source: AyCnklzHb7.dll	Binary string: S-1-5-21-582503613-890440277-4174216604-1001\Device\HarddiskVolume3\Windows\System32\GameBarPresenceWriter.exe
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\cscobj.dllxyewy3d8bbwe+
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\NetSetupApi.dll.dllA6
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\ProximityServicePal.dlla90-b076-33f57bf4eaa7}\#0}\#KBD
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\servicing\Packages\Microsoft-Windows-WinOcr-Package~31bf3856ad364e35~amd64~zh-CN~10.0.19041.1.mum35~amd64~~10.0.19041.1.mum\3\g95]_F_
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\zh-CN\processr.sys.mui
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\NcdAutoSetup.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\LogFiles\WMI\IntelA
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\svchost.exeiF
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\mssecflt.sysle
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\ProgramData\Huorong\Sysdiag\wlfile.db-shm
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\D3D12.dll0c75d6}\0008
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\thumbcache.dlls.dlll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\SleepStudyScreenOn
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Users\
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\servicing\Packages\Microsoft-Windows-TFTP-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mummlep-UqQSqnMp-FI[1].css.pngw
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\SecureTimeAggregator.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\batmeter.dlldll8f69f
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\RTWorkQ.dll3 G30N
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.79\identity_proxy\internal.identity_helper.exe.manifestD39FCE23AF8F277537F2613.scale-100_
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\fdPHost.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\RTWorkQ.dllmprofile+
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\WfNicPnp64.sysnterfaceClass\{97EBAACB-95BD-11D0-A3EA-00A0C9223196}InterfaceClass\{3C4852D6-D47B-4F46-B05E-B5EDC1AA440
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\Windows.Media.Devices.dllON=a503ProgramData=C:\Progra
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\mobsync.exeWERTemp
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows.old\Windows\System32\wbemgmp
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\BitsProxy.dll.dllLL
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\IntelTA.syslas
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\imageres.dlllure.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\zh-CN\mssmbios.sys.mui
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\INF\rt640x64.inforezh-CNcat
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\InputMethod\CHS\ChsPinyinDM49.lex.lexcontrast-white.pngdll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\netcenter.dllftdll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\Microsoft\Protectui
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\appcompat\ProgramsbowsApps
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\zh-CN\cscui.dll.muiat
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\servicing\Packages\Microsoft-Windows-WinOcr-Opt-Package~31bf3856ad364e35~amd64~~10.0.19041.746.mumV\3\g
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\SecureTimeAggregator.dllD$
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\RTWorkQ.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\wmilib.sysF5-6
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\pcw.sysCA-84AE
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\icu.dllup.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\acpiex.sys1_V
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\dxgiadaptercache.exe
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\RuntimeBroker.exel
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\BitLockerWizardElev.exe
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\ProgramData\Microsoft\Windows\Start Menu
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\wbem\wbemess.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\fontgroupsoverride.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\SettingMonitor.dllll6
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\srpapi.dllSLSApps
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\AuthBroker.dll.dllb
Source: AyCnklzHb7.dll	Binary string: S-1-5-19\Device\HarddiskVolume3\Windows\System32\svchost.exe
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\WinSxS\Manifests\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_51704e630f46ca5c.manifest
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\AppReadinessimeBroker.exe
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\zh-CN\sxs.dll.muixeL.c
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\InputMethod\CHS\ChsPinyinDM06.lex.CBS_cw5n1h2txyewy\d2d1.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\pnidui.dllkages
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\wmp.dllTempgesTemp7<
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\Windows.UI.Shell.dllApplicationCA2 Root0
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\WPDShServiceObj.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\cscobj.dlldllewywywyti
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\pris\resources.zh-CN.prie7$\Default
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\crypttpmeksvc.dll5FC59
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\shdocvw.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\SoftwareDistribution\PostRebootEventCache.V2e\Scheduled Start
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\InprocLogger.dlllf
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\AudioSrvPolicyManager.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\DXCore.dllsicDisplay.sys
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\bitsigd.dlldll.mui
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\ProximityServicePal.dll11d2-b082-00a0c91efb8b}\#r#or
Source: AyCnklzHb7.dll	Binary string: f\DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\MYTHWARE\
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\deviceassociation.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\ProgramData\Microsoft\Windows\AppRepository
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\CloudExperienceHostCommon.dllfb-MaxSessions
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\SyncInfrastructure.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\dbghelp.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\CloudExperienceHostCommon.dllALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Windows\system32\config\systemprofile\AppData\RoamingCommonPr
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\AudioSrvPolicyManager.dllem32;C:\Windows;C:\Windows\Sy
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\ProximityServicePal.dll-9409-add3064c0cad}\#color##
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\mlang.dll3F8646}
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\zh-CN\stobject.dll.mui
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\batmeter.dll.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Program Files\desktop.inidlle.dlls%
Source: AyCnklzHb7.dll	Binary string: ..\DEVICE\HARDDISKVOLUME31Y
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\SgrmAgent.sys_9BC8CompatibleId\PCI#VEN_8086&DEV_A382CompatibleId\PCI#VEN_8086&DEV_A396CompatibleId\PCI#VEN_8086&DEV_A3A1Compatiblenterface
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\dsreg.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrccache\en-US\ec4d5fdd-aa12-400f-83e2-7b0ea6023eb7\SoftwareInfo\SoftwareInfo.xml
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\NetSetupApi.dll4B3B-B7
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\ncryptprov.dlls.dllatcho
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\RuntimeBroker.exe.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\ProgramData\Microsoft\Networkte\Log9f
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\StateRepository.Core.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\webservices.dll}\0004
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\wbemed.exebled.exe
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\wbem\AutoRecover\0004
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\ktmw32.dllShell.dllt
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\zh-CN\sxs.dll.muiL.0"
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.67\pwahelper.exe
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\oobe\msoobedui.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\iphlpsvc.dllves.dllCS
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\srchadmin.dllwsAppse
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.79\Trust Protection Lists\Mu:$DSC:$LOGGED_UTILITY_STREAMBLE_
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\ActionCenter.dllLL
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\explorer.exeg.dlllework.dll)0
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\pris\resources.zh-CN.prial_cw5n1h2txyewyies
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\SettingMonitor.dllt
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\mobsync.exeWER\Tempg
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\aadWamExtension.dllll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\EdgeManager.dll.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\pris\resources.zh-CN.pri-3e7$\Default
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AAD.Core.dllService-0x0-3e7$\DefaultD
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\bcastdvr\KnownGameList.binllSzo
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\bcastdvrzh-HANSUI.Shell.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Program Files (x86)\Huorong\Sysdiag\bin\wsctrlsvc.exe
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB2808e.cdf-ms9a3ceb6c.manifestt
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\wbem\wmiutils.dll008
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.79\libGLESv2.dll:WofCompressedData
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\pnidui.dllkagesR
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\ncryptsslp.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\InputMethod\CHS\ChsPinyinFamilyName.lex\ChsChsPinyinHap_s.lex
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\Windows.UI.Shell.dll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows.old\ProgramDatas (x86)ftpsl
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\Windows.Media.Devices.dllerationId
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\zh-CN\twinui.dll.mui6
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\ActionCenter.dllester0
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\wscapi.dlllrt.dlll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\aadWamExtension.dll1pn
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\SecureTimeAggregator.dllSystemRoot=C:\WindowsSystemDrive=C:WinDir=C:\WindowsCommonProgramFile
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\Logs\CBS\CBS.logSlller.exe
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\StateRepository.Core.dllem32\config\systemprofilewind
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\AudioSrvPolicyManager.dllerationId
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\msftedit.dlle\common
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpolSysTray
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\cscobj.dllysdiag\bin
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\icuin.dllws\wfp
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\fdWSD.dllI.dllll
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\MCCSPal.dllll.mui
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\ProgramData\Huorong\Sysdiag\db\behav.db
Source: AyCnklzHb7.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\zh-CN\kernel32.dll.mui

Source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll	Binary or memory string: \BurnameDoxe.vbp
Source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll	Binary or memory string: 0\BurnameDoxe.vbp 0\BurnameDoxe.vbp%

Source: classification engine

Classification label: clean9.winDLL@15/5@1/0

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_00007FFDFB761A94 CoCreateInstance,

6_2_00007FFDFB761A94

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7448

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c7f2ebc2-0365-4122-9168-4c8cc2224e09

Jump to behavior

Source: AyCnklzHb7.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AyCnklzHb7.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\AyCnklzHb7.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AyCnklzHb7.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\AyCnklzHb7.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AyCnklzHb7.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyCnklzHb7.dll,DllCanUnloadNow
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyCnklzHb7.dll,DllGetClassObject
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7448 -s 420
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyCnklzHb7.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AyCnklzHb7.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\AyCnklzHb7.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyCnklzHb7.dll,DllCanUnloadNow	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyCnklzHb7.dll,DllGetClassObject	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyCnklzHb7.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AyCnklzHb7.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wldp.dll	Jump to behavior

Source: AyCnklzHb7.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: AyCnklzHb7.dll

Static file information: File size 2177024 > 1048576

Source: AyCnklzHb7.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1b5a00

Source: AyCnklzHb7.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: AyCnklzHb7.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: AyCnklzHb7.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: AyCnklzHb7.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: AyCnklzHb7.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: AyCnklzHb7.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: AyCnklzHb7.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF

Source: AyCnklzHb7.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: pnidui.pdbUGP source: rundll32.exe, 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: \ICS_Release\Setup.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: \magadan21\loader\objfre_wxp_x86\i386\Loader.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: \work\urlgl\driver2\objfre_wxp_x86\i386\MekeAttManage.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: 0\SearchRecover.pdb( source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: "0\7to\apphelp\Release\injectdll.pdbR source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: \Release\Wallpaper.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: 0\IrCS_Release\Setup.pdb/ source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: \SearchRecover.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: 0\BLDService.pdb6 source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: 0\ICS_Release\Setup.pdb9 source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: \IrCS_Release\Setup.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: \bbcomm.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: 90\work\urlgl\driver2\objfre_wxp_x86\i386\MekeAttManage.pdb= source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: 0\bbhelper.pdb$ source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: 0\setupplugins.pdb& source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: \bbhelper.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: \WallpaperInstall\release\WallpaperInstall.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: 0 \magadan21\loader\objfre_wxp_x86\i386\Loader.pdb% source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: \Release\Wallpaper.pdbG source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: \setupplugins.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: 0\bbcomm.pdb2 source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: \Release\Laban.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: 0\weiduan.pdb+ source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: \BLDService.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: 0\ExtWatcher.pdbB source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: pnidui.pdb source: rundll32.exe, 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: \weiduan.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: .0\WallpaperInstall\release\WallpaperInstall.pdbb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: \ExtWatcher.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: \Release\Laban.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source:	Binary string: \7to\apphelp\Release\injectdll.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll

Source: AyCnklzHb7.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: AyCnklzHb7.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: AyCnklzHb7.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: AyCnklzHb7.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: AyCnklzHb7.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: AyCnklzHb7.dll

Static PE information: 0xF8230CE3 [Sat Dec 3 09:50:27 2101 UTC]

Source: AyCnklzHb7.dll

Static PE information: real checksum: 0x220b18 should be: 0x218b28

Source: AyCnklzHb7.dll

Static PE information: section name: .didat

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\AyCnklzHb7.dll

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

API coverage: 0.0 %

Source: C:\Windows\System32\loaddll64.exe TID: 7304

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_00007FFDFB7217E0 ActivateActCtx,GetClassInfoExW,GetLastError,DeactivateActCtx,SetLastError,OutputDebugStringA,GetLastError,

6_2_00007FFDFB7217E0

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_00007FFDFB72A3F0 memset,GetProcAddress,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

6_2_00007FFDFB72A3F0

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_00007FFDFB72E144 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

6_2_00007FFDFB72E144

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AyCnklzHb7.dll",#1

Jump to behavior

Source: rundll32.exe	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll	Binary or memory string: \Comctl32.dllShell_TrayWndNetwork FlyoutAtlThunk_FreeDataAtlThunk_DataToCodeAtlThunk_InitDataAtlThunk_AllocateDataatlthunk.dllWilStaging_02

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_00007FFDFB724240 EnterCriticalSection,EnterCriticalSection,ConvertInterfaceGuidToLuid,GetIfEntry2Ex,LeaveCriticalSection,LeaveCriticalSection,OpenSCManagerW,OpenServiceW,CloseServiceHandle,QueryServiceStatus,SubscribeServiceChangeNotifications,EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,ConvertInterfaceGuidToLuid,GetIfEntry2Ex,LeaveCriticalSection,CreateThreadpoolTimer,GetSystemTimeAsFileTime,SetThreadpoolTimer,GetLastError,GetLastError,GetLastError,CloseServiceHandle,PostMessageW,GetLastError,

6_2_00007FFDFB724240

Source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: KSafeTray.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	12 Process Injection	21 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Process Injection	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Regsvr32	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
AyCnklzHb7.dll	5%	ReversingLabs	Win64.Packed.Generic

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
198.187.3.20.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://95.143.193.138/xxxx_3/6	rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll	false		unknown
http://upx.sf.net	Amcache.hve.9.dr	false	URL Reputation: safe	unknown
http://95.143.193.138/xxxx_3/	rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll	false		unknown
http://get.fc-gosh.biz/launch_reb.php?	AyCnklzHb7.dll	false		unknown
http://%s/dupe.php?q=%d.%d.%d.%d.%d.%s.1.%d	rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll	false		unknown
http://%s/dupe.php?q=%d.%d.%d.%d.%d.%s.1.%d#	rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543073
Start date and time:	2024-10-27 07:55:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	AyCnklzHb7.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name:	32f82fc72003ea760425630e2c6a998f5c89d85e8a4adff669c24da0ef15ef42.exe
Detection:	CLEAN
Classification:	clean9.winDLL@15/5@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 139

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: AyCnklzHb7.dll

Simulations

Behavior and APIs

Time	Type	Description
02:56:09	API Interceptor	1x Sleep call for process: loaddll64.exe modified
02:56:18	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_AyC_fb9b92f43c102562343d31e4f5178f3e88763e23_bd768f29_1443d499-630d-49fa-b14c-9e2eb45ef996\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7859978818662794
Encrypted:	false
SSDEEP:	96:9FkA6F2Si4yKy6ssjV4RvuP7fOQXIDcQpc6TcEkcw3vXaXz+HbHgSQgJjS+UaVx+:OZi4y6sI0nX+Lj7GzuiFHZ24lO8f
MD5:	D9A313D0A1B345A36E56EA85BE85573A
SHA1:	7C4543A9EFF6F186677175E5ACBB85607D61A65B
SHA-256:	3DCF0312F85BAA7ADE6C1D08D185A697604B7E3F2EF403AED42143F3E302FEBD
SHA-512:	18CAE64293C1B9604D27E6EA46D2190641E31AE9573C03C5CF17CBFD7BB2A7ABF6FD8C39AC6615C56110D7283CDE7A8AEB859663F6D7AE92E533AF3764062076
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.4.8.5.7.6.4.2.6.4.0.3.0.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.4.8.5.7.6.4.7.6.4.0.3.1.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.4.4.3.d.4.9.9.-.6.3.0.d.-.4.9.f.a.-.b.1.4.c.-.9.e.2.e.b.4.5.e.f.9.9.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.9.8.8.8.b.5.-.7.b.e.d.-.4.2.3.d.-.a.1.c.8.-.7.d.f.9.7.d.e.0.6.d.3.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.A.y.C.n.k.l.z.H.b.7...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.1.8.-.0.0.0.1.-.0.0.1.4.-.4.7.8.f.-.1.d.4.a.3.d.2.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER83D.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Oct 27 06:56:04 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	57860
Entropy (8bit):	1.696593469961296
Encrypted:	false
SSDEEP:	192:mIbARDXOMD1gr2uSn83Zn/InTMwUIEtAkLVfg+BS6iaijA:mSggr2x8pAnTKAkLVfg+BdJ
MD5:	2678ABAAAC55743FA3FFFD63A2766C14
SHA1:	6A740E2DD9A3C755022D0D2E2C287B95AD1489D9
SHA-256:	187F689F357D6FF85318B232D7038456477FA66457A9C3E65A8299C4D11F7121
SHA-512:	1AF56146213AA8345E23C3433E70AC47006DE266C3387F71CA9CEA972D5EFD9DC46B8F22D297B05429287A561CE7A0E90D24936BCE7541C73DA5D6FD4CEE15FF
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g.........................................*..........T.......8...........T...........................,...........................................................................................eJ..............Lw......................T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER919.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	3.703396088364154
Encrypted:	false
SSDEEP:	192:R6l7wVeJSl3tF6YNWL0LgmfDnsbprt89brsqfT5m:R6lXJwP6Y8UgmfDns8rZfw
MD5:	A6032999284785CE67CFBD06A0238765
SHA1:	2058AB92C1D9DAEA10731D77C074A51C861F174B
SHA-256:	51193FEF2AAE8BFE1193AC7BF9B7624615A3320F1B19F0F66D4322FB4FE23B86
SHA-512:	299290C876B558489D635ADF07CE90AAD7E4AB5D5DC09E719A1804F0E23880B0B52A66F0F1A29C30291A1662173BDEDF67E139EE4504E9D674CDC63B12C8189A
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER948.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4769
Entropy (8bit):	4.500239391745318
Encrypted:	false
SSDEEP:	48:cvIwWl8zs9NJg771I9ETrWpW8VYhYm8M4JCYCWc7FWNoyq85mvN0ptSTSyd:uIjf9nI73G7VJJlNoQpoOyd
MD5:	0042D20DA00193ED83C8D6912A5AD90C
SHA1:	5AAE514A779BF492A5DC2442C265365F6DB9065C
SHA-256:	F05970B65C69ADF4952330E9CCA13DB1A4DFBBA0CB61B72CE6D4D4A8B936D852
SHA-512:	D4ADEB4F78C407A1E1AC43E9CE845FB2DB828684A612D034ED598EDA045DF322F4861D4799F7733305FD0ACC72CA069A2DFDFBC0EA76BF69F6E1ADD5F939D1E5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="561478" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466386386299952
Encrypted:	false
SSDEEP:	6144:dIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNcdwBCswSb9:OXD94zWlLZMM6YFHa+9
MD5:	402853D64114B62016E9EB9CC19FCE6D
SHA1:	FC5D4A124B60893F0E25976844164161927CE9CA
SHA-256:	089101A59A7FD47E70F95ABD5D766A065697C019431FB273C806C3BFB4046C60
SHA-512:	A58A3590439296173FFA97230D86C1E43698F7E46AB9867DB40B9C16D75286BC38CF8AC55C02DDAC2D78CDC0132A9F7533204F99AF63E8EBCB691D4F7CB14E5B
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..EJ=(...............................................................................................................................................................................................................................................................................................................................................JR~........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):	3.9317477899410718
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	AyCnklzHb7.dll
File size:	2'177'024 bytes
MD5:	3c9121d5389ae5b87885261c3efdf6da
SHA1:	0f6fb000293f957b4f0fc91540cfce6a1c07f63c
SHA256:	32f82fc72003ea760425630e2c6a998f5c89d85e8a4adff669c24da0ef15ef42
SHA512:	52e9fc1a602d625ad19d8c7e1c9f17b885688eb37e1ec74b7025c5e331d8a300d658498140ea325cad1d7d7965c51c179c1ebd3ec4fccd85a0f7a35d4d4fa7e1
SSDEEP:	49152:6NqqCsmn766u55AJ1tEZV4+L1OPNKgB7dsv1pag+1P30VhftWmA/fH9jy3iJ4uCM:Mr6u55AJ1tEZV4+L1Pv1pag+1P30Vhf2
TLSH:	EBA52915F798C459F12746308BE6CB61A6357CA92BB283DB3190733F6D72AD49D32A03
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$.x.E.+.E.+.E.+.=i+.E.+....E.+....E.+.E.+mD.+....E.+....E.+....E.+....E.+...+.E.+...*.E.+Rich.E.+.......................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x18000de70
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Time Stamp:	0xF8230CE3 [Sat Dec 3 09:50:27 2101 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	1044c2f84c96d60cf6dd5546b851528d

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F8430CC22E7h
call 00007F8430CC2D48h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F8430CC22ECh
int3
int3
int3
int3
int3
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+20h], ebx
dec esp
mov dword ptr [eax+18h], eax
mov dword ptr [eax+10h], edx
dec eax
mov dword ptr [eax+08h], ecx
push esi
push edi
inc ecx
push esi
dec eax
sub esp, 00000150h
mov edi, edx
dec esp
mov esi, ecx
mov esi, 00000001h
mov ebx, esi
mov dword ptr [esp+20h], ebx
cmp edx, esi
jnbe 00007F8430CC22E8h
mov dword ptr [0004D595h], edx
test edx, edx
jne 00007F8430CC22F5h
cmp dword ptr [0004D5EBh], edx
jne 00007F8430CC22EDh
xor ebx, ebx
mov dword ptr [esp+20h], ebx
jmp 00007F8430CC24BFh
lea eax, dword ptr [edx-01h]
cmp eax, esi
ja 00007F8430CC2376h
dec esp
mov ecx, dword ptr [0004DBCCh]
dec ebp
test ecx, ecx
je 00007F8430CC2324h
mov eax, dword ptr [0004D5C5h]
cmp edx, esi
cmove eax, esi
mov dword ptr [0004D5BAh], eax
dec esp
mov eax, dword ptr [esp+00000180h]
dec ecx
mov eax, ecx
call dword ptr [000000F5h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x57960	0xa4	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x57a04	0x460	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x62000	0x1b5998	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x5d000	0x3db0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x218000	0x494	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4ccd0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x47810	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x48328	0xc00	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x57310	0x180	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x45390	0x45400	8f3d183b0ffea9c1bc166950c6e457b1	False	0.49611137748194944	data	6.259637261932694	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x47000	0x13982	0x13a00	5b8ddd8aa65f7b8ba373a329af76ee0f	False	0.3753607683121019	data	4.939521856889639	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5b000	0x1464	0x600	f9a9e06e2f8485183a4abc62e080a07d	False	0.181640625	data	1.9239565347029988	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x5d000	0x3db0	0x3e00	03c051ce5f3fd260b3b16544c30ab81c	False	0.5072454637096774	data	5.662030573096473	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x61000	0x150	0x200	8a5074ef5aedeeb1e9de64b05f49ba47	False	0.234375	data	1.7476356122505157	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x62000	0x1b5998	0x1b5a00	db50cd70fb06a5e8406173c4aa17c695	False	0.17802168130534132	data	3.2541997224945005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x218000	0x494	0x600	02a0f225871ae315990988c9d5a7de05	False	0.52734375	data	4.753045770171859	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
MUI	0x217898	0x100	data	English	United States	0.56640625
WEVT_TEMPLATE	0x665f8	0x1826	data	English	United States	0.2968295050145584
RT_ICON	0x67e20	0x4228	data	English	United States	0.27633443552196507
RT_ICON	0x6c048	0x25a8	data	English	United States	0.01784232365145228
RT_ICON	0x6e5f0	0x1a68	data	English	United States	0.03476331360946745
RT_ICON	0x70058	0x10a8	data	English	United States	0.06707317073170732
RT_ICON	0x71100	0xcd8	data	English	United States	0.10279805352798053
RT_ICON	0x71dd8	0x988	data	English	United States	0.2700819672131147
RT_ICON	0x72760	0x6b8	data	English	United States	0.022674418604651164
RT_ICON	0x72e18	0x468	data	English	United States	0.015957446808510637
RT_ICON	0x732f8	0x4228	data	English	United States	0.3620099196976854
RT_ICON	0x77520	0x25a8	data	English	United States	0.018775933609958505
RT_ICON	0x79ac8	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 0	English	United States	0.024556213017751478
RT_ICON	0x7b530	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.02978424015009381
RT_ICON	0x7c5d8	0xcd8	Device independent bitmap graphic, 28 x 56 x 32, image size 0	English	United States	0.035888077858880776
RT_ICON	0x7d2b0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.047540983606557376
RT_ICON	0x7dc38	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 0	English	United States	0.06453488372093023
RT_ICON	0x7e2f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.09042553191489362
RT_ICON	0x7e7d0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	English	United States	0.03129428436466698
RT_ICON	0x829f8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.04730290456431535
RT_ICON	0x84fa0	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 0	English	United States	0.051775147928994084
RT_ICON	0x86a08	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.05651969981238274
RT_ICON	0x87ab0	0xcd8	data	English	United States	0.007907542579075427
RT_ICON	0x88788	0x988	data	English	United States	0.010245901639344262
RT_ICON	0x89110	0x6b8	data	English	United States	0.012790697674418604
RT_ICON	0x897c8	0x468	data	English	United States	0.015957446808510637
RT_ICON	0x89ca8	0x4228	data	English	United States	0.051901275389702406
RT_ICON	0x8ded0	0x25a8	data	English	United States	0.0033195020746887966
RT_ICON	0x90478	0x1a68	data	English	United States	0.12174556213017751
RT_ICON	0x91ee0	0x10a8	data	English	United States	0.006332082551594747
RT_ICON	0x92f88	0xcd8	data	English	United States	0.007907542579075427
RT_ICON	0x93c60	0x988	data	English	United States	0.010245901639344262
RT_ICON	0x945e8	0x6b8	data	English	United States	0.12732558139534883
RT_ICON	0x94ca0	0x468	Matlab v4 mat-file (little endian) MSeg, numeric, rows 0, columns 0	English	United States	0.2721631205673759
RT_ICON	0x95180	0x4228	data	English	United States	0.02338214454416627
RT_ICON	0x993a8	0x25a8	data	English	United States	0.0033195020746887966
RT_ICON	0x9b950	0x1a68	data	English	United States	0.09511834319526627
RT_ICON	0x9d3b8	0x10a8	data	English	United States	0.08395872420262664
RT_ICON	0x9e460	0x988	data	English	United States	0.18114754098360655
RT_ICON	0x9ede8	0x6b8	data	English	United States	0.2436046511627907
RT_ICON	0x9f4a0	0x468	data	English	United States	0.2978723404255319
RT_ICON	0x9f970	0x4228	data	English	United States	0.12039442607463391
RT_ICON	0xa3b98	0x25a8	data	English	United States	0.37572614107883817
RT_ICON	0xa6140	0x1a68	data	English	United States	0.3886094674556213
RT_ICON	0xa7ba8	0x10a8	data	English	United States	0.41674484052532834
RT_ICON	0xa8c50	0xcd8	data	English	United States	0.41058394160583944
RT_ICON	0xa9928	0x988	data	English	United States	0.010245901639344262
RT_ICON	0xaa2b0	0x6b8	data	English	United States	0.1511627906976744
RT_ICON	0xaa968	0x468	data	English	United States	0.3820921985815603
RT_ICON	0xaae48	0x10a8	data	English	United States	0.44394934333958724
RT_ICON	0xabef0	0x1a68	data	English	United States	0.4760355029585799
RT_ICON	0xad958	0x25a8	COM executable for DOS	English	United States	0.29512448132780084
RT_ICON	0xaff00	0x4228	data	English	United States	0.47679499291450167
RT_ICON	0xb4128	0x468	data	English	United States	0.23049645390070922
RT_ICON	0xb4590	0x6b8	data	English	United States	0.36453488372093024
RT_ICON	0xb4c48	0x988	Matlab v4 mat-file (little endian) \207\322\377\377\001, numeric, rows 0, columns 0	English	United States	0.3139344262295082
RT_ICON	0xb55d0	0xcd8	data	English	United States	0.2150243309002433
RT_ICON	0xb6320	0x4228	Matlab v4 mat-file (little endian) -, numeric, rows 0, columns 0	English	United States	0.3012517713745867
RT_ICON	0xba548	0x25a8	data	English	United States	0.416597510373444
RT_ICON	0xbcaf0	0x1a68	data	English	United States	0.5235207100591716
RT_ICON	0xbe558	0x10a8	data	English	United States	0.09920262664165103
RT_ICON	0xbf600	0xcd8	data	English	United States	0.007907542579075427
RT_ICON	0xc02d8	0x988	data	English	United States	0.010245901639344262
RT_ICON	0xc0c60	0x6b8	data	English	United States	0.012790697674418604
RT_ICON	0xc1318	0x468	data	English	United States	0.015957446808510637
RT_ICON	0xc17f8	0x4228	data	English	United States	0.002302786962683042
RT_ICON	0xc5a20	0x25a8	data	English	United States	0.0033195020746887966
RT_ICON	0xc7fc8	0x1a68	data	English	United States	0.004289940828402367
RT_ICON	0xc9a30	0x10a8	data	English	United States	0.006332082551594747
RT_ICON	0xcaad8	0xcd8	data	English	United States	0.007907542579075427
RT_ICON	0xcb7b0	0x988	data	English	United States	0.010245901639344262
RT_ICON	0xcc138	0x6b8	data	English	United States	0.012790697674418604
RT_ICON	0xcc7f0	0x468	data	English	United States	0.015957446808510637
RT_ICON	0xcccd0	0x4228	data	English	United States	0.04209966934341049
RT_ICON	0xd0ef8	0x25a8	data	English	United States	0.15466804979253113
RT_ICON	0xd34a0	0x1a68	data	English	United States	0.2334319526627219
RT_ICON	0xd4f08	0x10a8	data	English	United States	0.1805816135084428
RT_ICON	0xd5fb0	0xcd8	data	English	United States	0.17791970802919707
RT_ICON	0xd6c88	0x988	data	English	United States	0.14959016393442623
RT_ICON	0xd7610	0x6b8	data	English	United States	0.31569767441860463
RT_ICON	0xd7cc8	0x468	data	English	United States	0.3945035460992908
RT_ICON	0xd81a8	0x4228	data	English	United States	0.05278696268304204
RT_ICON	0xdc3d0	0x25a8	data	English	United States	0.0033195020746887966
RT_ICON	0xde978	0x1a68	data	English	United States	0.004289940828402367
RT_ICON	0xe03e0	0x10a8	data	English	United States	0.006332082551594747
RT_ICON	0xe1488	0xcd8	data	English	United States	0.007907542579075427
RT_ICON	0xe2160	0x988	data	English	United States	0.010245901639344262
RT_ICON	0xe2ae8	0x6b8	data	English	United States	0.012790697674418604
RT_ICON	0xe31a0	0x468	data	English	United States	0.015957446808510637
RT_ICON	0xe3680	0x4228	data	English	United States	0.002302786962683042
RT_ICON	0xe78a8	0x25a8	data	English	United States	0.0033195020746887966
RT_ICON	0xe9e50	0x1a68	data	English	United States	0.004289940828402367
RT_ICON	0xeb8b8	0x10a8	data	English	United States	0.006332082551594747
RT_ICON	0xec960	0xcd8	data	English	United States	0.007907542579075427
RT_ICON	0xed638	0x988	data	English	United States	0.010245901639344262
RT_ICON	0xedfc0	0x6b8	data	English	United States	0.012790697674418604
RT_ICON	0xee678	0x468	data	English	United States	0.015957446808510637
RT_ICON	0xeeb58	0x4228	data	English	United States	0.002302786962683042
RT_ICON	0xf2d80	0x25a8	data	English	United States	0.0033195020746887966
RT_ICON	0xf5328	0x1a68	data	English	United States	0.01272189349112426
RT_ICON	0xf6d90	0x10a8	data	English	United States	0.006332082551594747
RT_ICON	0xf7e38	0xcd8	data	English	United States	0.007907542579075427
RT_ICON	0xf8b10	0x988	data	English	United States	0.010245901639344262
RT_ICON	0xf9498	0x6b8	data	English	United States	0.012790697674418604
RT_ICON	0xf9b50	0x468	data	English	United States	0.015957446808510637
RT_ICON	0xfa030	0x4228	data	English	United States	0.010510155880963629
RT_ICON	0xfe258	0x25a8	data	English	United States	0.0033195020746887966
RT_ICON	0x100800	0x1a68	data	English	United States	0.004289940828402367
RT_ICON	0x102268	0x10a8	data	English	United States	0.006332082551594747
RT_ICON	0x103310	0xcd8	data	English	United States	0.007907542579075427
RT_ICON	0x103fe8	0x988	data	English	United States	0.010245901639344262
RT_ICON	0x104970	0x6b8	data	English	United States	0.012790697674418604
RT_ICON	0x105028	0x468	data	English	United States	0.015957446808510637
RT_ICON	0x105508	0x4228	data	English	United States	0.002302786962683042
RT_ICON	0x109730	0x25a8	data	English	United States	0.03443983402489627
RT_ICON	0x10bcd8	0x1a68	data	English	United States	0.004289940828402367
RT_ICON	0x10d740	0x10a8	data	English	United States	0.006332082551594747
RT_ICON	0x10e7e8	0xcd8	data	English	United States	0.007907542579075427
RT_ICON	0x10f4c0	0x988	data	English	United States	0.010245901639344262
RT_ICON	0x10fe48	0x6b8	data	English	United States	0.012790697674418604
RT_ICON	0x110500	0x468	data	English	United States	0.015957446808510637
RT_ICON	0x1109e0	0x4228	data	English	United States	0.002302786962683042
RT_ICON	0x114c08	0x25a8	data	English	United States	0.0033195020746887966
RT_ICON	0x1171b0	0x1a68	data	English	United States	0.004289940828402367
RT_ICON	0x118c18	0x10a8	data	English	United States	0.006332082551594747
RT_ICON	0x119cc0	0x988	data	English	United States	0.010245901639344262
RT_ICON	0x11a648	0x6b8	data	English	United States	0.012790697674418604
RT_ICON	0x11ad00	0x468	data	English	United States	0.015957446808510637
RT_ICON	0x11b1d0	0x4228	data	English	United States	0.002302786962683042
RT_ICON	0x11f3f8	0x25a8	data	English	United States	0.0033195020746887966
RT_ICON	0x1219a0	0x1a68	data	English	United States	0.004289940828402367
RT_ICON	0x123408	0x10a8	data	English	United States	0.006332082551594747
RT_ICON	0x1244b0	0x988	data	English	United States	0.010245901639344262
RT_ICON	0x124e38	0x6b8	data	English	United States	0.012790697674418604
RT_ICON	0x1254f0	0x468	data	English	United States	0.015957446808510637
RT_ICON	0x1259c0	0x4228	data	English	United States	0.002302786962683042
RT_ICON	0x129be8	0x25a8	data	English	United States	0.0033195020746887966
RT_ICON	0x12c190	0x1a68	data	English	United States	0.11701183431952662
RT_ICON	0x12dbf8	0x10a8	data	English	United States	0.006332082551594747
RT_ICON	0x12eca0	0x988	data	English	United States	0.010245901639344262
RT_ICON	0x12f628	0x6b8	data	English	United States	0.13372093023255813
RT_ICON	0x12fce0	0x468	Matlab v4 mat-file (little endian) \207\322\377\377, numeric, rows 0, columns 0	English	United States	0.3803191489361702
RT_ICON	0x1301b0	0x4228	data	English	United States	0.12370099196976854
RT_ICON	0x1343d8	0x25a8	data	English	United States	0.15829875518672198
RT_ICON	0x136980	0x1a68	data	English	United States	0.178698224852071
RT_ICON	0x1383e8	0x10a8	data	English	United States	0.28095684803001875
RT_ICON	0x139490	0x988	data	English	United States	0.2569672131147541
RT_ICON	0x139e18	0x6b8	data	English	United States	0.3505813953488372
RT_ICON	0x13a4d0	0x468	data	English	United States	0.46897163120567376
RT_ICON	0x13a9a0	0x4228	data	English	United States	0.19296173830892774
RT_ICON	0x13ebc8	0x25a8	data	English	United States	0.23464730290456431
RT_ICON	0x141170	0x1a68	data	English	United States	0.1742603550295858
RT_ICON	0x142bd8	0x10a8	data	English	United States	0.3295028142589118
RT_ICON	0x143c80	0x988	data	English	United States	0.1627049180327869
RT_ICON	0x144608	0x6b8	data	English	United States	0.1447674418604651
RT_ICON	0x144cc0	0x468	data	English	United States	0.20124113475177305
RT_ICON	0x145190	0x4228	data	English	United States	0.3512045347189419
RT_ICON	0x1493b8	0x25a8	data	English	United States	0.5894190871369295
RT_ICON	0x14b960	0x1a68	data	English	United States	0.45724852071005917
RT_ICON	0x14d3c8	0x10a8	data	English	United States	0.4348030018761726
RT_ICON	0x14e470	0x988	data	English	United States	0.24098360655737705
RT_ICON	0x14edf8	0x6b8	data	English	United States	0.08023255813953488
RT_ICON	0x14f4b0	0x468	data	English	United States	0.14450354609929078
RT_ICON	0x14f980	0x4228	data	English	United States	0.08449456778460085
RT_ICON	0x153ba8	0x25a8	data	English	United States	0.18506224066390042
RT_ICON	0x156150	0x1a68	data	English	United States	0.21242603550295858
RT_ICON	0x157bb8	0x10a8	data	English	United States	0.41181988742964354
RT_ICON	0x158c60	0x988	data	English	United States	0.2594262295081967
RT_ICON	0x1595e8	0x6b8	data	English	United States	0.3686046511627907
RT_ICON	0x159ca0	0x468	data	English	United States	0.17375886524822695
RT_ICON	0x15a170	0x4228	data	English	United States	0.6463745866792631
RT_ICON	0x15e398	0x25a8	data	English	United States	0.6343360995850622
RT_ICON	0x160940	0x1a68	data	English	United States	0.6627218934911243
RT_ICON	0x1623a8	0x10a8	data	English	United States	0.5724671669793621
RT_ICON	0x163450	0x988	data	English	United States	0.18278688524590164
RT_ICON	0x163dd8	0x6b8	data	English	United States	0.056976744186046514
RT_ICON	0x164490	0x468	data	English	United States	0.44769503546099293
RT_ICON	0x164960	0x4228	data	English	United States	0.30562116202172884
RT_ICON	0x168b88	0x25a8	Matlab v4 mat-file (little endian) \207\322\377\377\267%\221Zg\363$I\254\342\010\003\244\243\244q\002, numeric, rows 0, columns 7, imaginary	English	United States	0.4367219917012448
RT_ICON	0x16b130	0x1a68	Matlab v4 mat-file (little endian) \330\352\377\377, numeric, rows 0, columns 0	English	United States	0.2541420118343195
RT_ICON	0x16cb98	0x10a8	OpenPGP Public Key	English	United States	0.26055347091932457
RT_ICON	0x16dc40	0x988	data	English	United States	0.27295081967213114
RT_ICON	0x16e5c8	0x6b8	data	English	United States	0.29534883720930233
RT_ICON	0x16ec80	0x468	data	English	United States	0.3528368794326241
RT_ICON	0x16f150	0x4228	data	English	United States	0.2543103448275862
RT_ICON	0x173378	0x25a8	data	English	United States	0.22614107883817428
RT_ICON	0x175920	0x1a68	data	English	United States	0.33550295857988166
RT_ICON	0x177388	0x10a8	data	English	United States	0.14188555347091933
RT_ICON	0x178430	0x988	data	English	United States	0.2774590163934426
RT_ICON	0x178db8	0x6b8	data	English	United States	0.42034883720930233
RT_ICON	0x179470	0x468	data	English	United States	0.2987588652482269
RT_ICON	0x179940	0x4228	data	English	United States	0.1716461974492206
RT_ICON	0x17db68	0x25a8	data	English	United States	0.28827800829875516
RT_ICON	0x180110	0x1a68	Matlab v4 mat-file (little endian) CMNb{C=#\237\027n\242\001, numeric, rows 0, columns 4915280, imaginary	English	United States	0.3890532544378698
RT_ICON	0x181b78	0x10a8	data	English	United States	0.3719512195121951
RT_ICON	0x182c20	0x988	data	English	United States	0.4627049180327869
RT_ICON	0x1835a8	0x6b8	data	English	United States	0.42965116279069765
RT_ICON	0x183c60	0x468	data	English	United States	0.3900709219858156
RT_ICON	0x184130	0x4228	data	English	United States	0.40983703353802553
RT_ICON	0x188358	0x25a8	data	English	United States	0.3329875518672199
RT_ICON	0x18a900	0x1a68	data	English	United States	0.23254437869822486
RT_ICON	0x18c368	0x10a8	data	English	United States	0.27861163227016883
RT_ICON	0x18d410	0x988	data	English	United States	0.3319672131147541
RT_ICON	0x18dd98	0x6b8	data	English	United States	0.3075581395348837
RT_ICON	0x18e450	0x468	data	English	United States	0.449468085106383
RT_ICON	0x18e920	0x4228	data	English	United States	0.5378483703353802
RT_ICON	0x192b48	0x25a8	data	English	United States	0.22738589211618257
RT_ICON	0x1950f0	0x1a68	dBase III DBT, version number 0, next free block index 3753, 1st item "b\253\027l\207\322\377\377$"	English	United States	0.27307692307692305
RT_ICON	0x196b58	0x10a8	data	English	United States	0.2790806754221388
RT_ICON	0x197c00	0x988	data	English	United States	0.23647540983606558
RT_ICON	0x198588	0x6b8	data	English	United States	0.37209302325581395
RT_ICON	0x198c40	0x468	data	English	United States	0.4778368794326241
RT_ICON	0x199110	0x4228	data	English	United States	0.32510628247520074
RT_ICON	0x19d338	0x25a8	data	English	United States	0.308298755186722
RT_ICON	0x19f8e0	0x1a68	Matlab v4 mat-file (little endian) \207\322\377\377\0113\206k\207\322\377\377, numeric, rows 480, columns 0	English	United States	0.17736686390532544
RT_ICON	0x1a1348	0x10a8	data	English	United States	0.20309568480300189
RT_ICON	0x1a23f0	0x988	data	English	United States	0.4024590163934426
RT_ICON	0x1a2d78	0x6b8	data	English	United States	0.43953488372093025
RT_ICON	0x1a3430	0x468	data	English	United States	0.4583333333333333
RT_ICON	0x1a3900	0x4228	data	English	United States	0.05083845063769485
RT_ICON	0x1a7b28	0x25a8	data	English	United States	0.06514522821576764
RT_ICON	0x1aa0d0	0x1a68	Matlab v4 mat-file (little endian) \207\322\377\3772, numeric, rows 0, columns 2228258	English	United States	0.2650887573964497
RT_ICON	0x1abb38	0x10a8	data	English	United States	0.3482645403377111
RT_ICON	0x1acbe0	0x988	data	English	United States	0.3094262295081967
RT_ICON	0x1ad568	0x6b8	data	English	United States	0.3127906976744186
RT_ICON	0x1adc20	0x468	data	English	United States	0.37056737588652483
RT_ICON	0x1ae0f0	0x4228	data	English	United States	0.5901039206424186
RT_ICON	0x1b2318	0x25a8	data	English	United States	0.21452282157676347
RT_ICON	0x1b48c0	0x1a68	data	English	United States	0.16538461538461538
RT_ICON	0x1b6328	0x10a8	data	English	United States	0.19418386491557224
RT_ICON	0x1b73d0	0x988	Matlab v4 mat-file (little endian) \207\322\377\377, numeric, rows 0, columns 0	English	United States	0.2774590163934426
RT_ICON	0x1b7d58	0x6b8	data	English	United States	0.3447674418604651
RT_ICON	0x1b8410	0x468	data	English	United States	0.5425531914893617
RT_ICON	0x1b88e0	0x4228	data	English	United States	0.319674067076051
RT_ICON	0x1bcb08	0x25a8	data	English	United States	0.35394190871369297
RT_ICON	0x1bf0b0	0x1a68	data	English	United States	0.32292899408284026
RT_ICON	0x1c0b18	0x10a8	data	English	United States	0.32387429643527205
RT_ICON	0x1c1bc0	0x988	data	English	United States	0.26885245901639343
RT_ICON	0x1c2548	0x6b8	data	English	United States	0.2936046511627907
RT_ICON	0x1c2c00	0x468	data	English	United States	0.32890070921985815
RT_ICON	0x1c30d0	0x4228	data	English	United States	0.2771020311761927
RT_ICON	0x1c72f8	0x25a8	data	English	United States	0.19491701244813278
RT_ICON	0x1c98a0	0x1a68	data	English	United States	0.06183431952662722
RT_ICON	0x1cb308	0x10a8	data	English	United States	0.05276735459662289
RT_ICON	0x1cc3b0	0x988	data	English	United States	0.20245901639344263
RT_ICON	0x1ccd38	0x6b8	data	English	United States	0.3563953488372093
RT_ICON	0x1cd3f0	0x468	data	English	United States	0.2641843971631206
RT_ICON	0x1cd8c0	0x4228	data	English	United States	0.38787198866320266
RT_ICON	0x1d1ae8	0x25a8	data	English	United States	0.5092323651452282
RT_ICON	0x1d4090	0x1a68	data	English	United States	0.47810650887573963
RT_ICON	0x1d5af8	0x10a8	data	English	United States	0.17706378986866791
RT_ICON	0x1d6ba0	0x988	data	English	United States	0.714344262295082
RT_ICON	0x1d7528	0x6b8	data	English	United States	0.5494186046511628
RT_ICON	0x1d7be0	0x468	data	English	United States	0.19326241134751773
RT_ICON	0x1d80b0	0x4228	data	English	United States	0.09772083136513934
RT_ICON	0x1dc2d8	0x25a8	data	English	United States	0.22188796680497924
RT_ICON	0x1de880	0x1a68	data	English	United States	0.07647928994082841
RT_ICON	0x1e02e8	0x10a8	data	English	United States	0.07903377110694183
RT_ICON	0x1e1390	0x988	data	English	United States	0.07418032786885245
RT_ICON	0x1e1d18	0x6b8	PDP-11 UNIX/RT ldp	English	United States	0.11162790697674418
RT_ICON	0x1e23d0	0x468	data	English	United States	0.17287234042553193
RT_ICON	0x1e28a0	0x4228	data	English	United States	0.06831601322626359
RT_ICON	0x1e6ae0	0x4228	data	English	United States	0.002302786962683042
RT_ICON	0x1ead20	0x4228	data	English	United States	0.16089985829003306
RT_ICON	0x1eef60	0x4228	data	English	United States	0.2656471421823335
RT_ICON	0x1f31a0	0x4228	data	English	United States	0.2713155408597071
RT_ICON	0x1f73e0	0x4228	data	English	United States	0.34559518186112426
RT_ICON	0x1fb608	0x25a8	data	English	United States	0.21887966804979253
RT_ICON	0x1fdbb0	0x1a68	data	English	United States	0.5366863905325444
RT_ICON	0x1ff618	0x10a8	data	English	United States	0.11796435272045028
RT_ICON	0x2006c0	0x988	data	English	United States	0.010245901639344262
RT_ICON	0x201048	0x6b8	data	English	United States	0.012790697674418604
RT_ICON	0x201700	0x468	data	English	United States	0.015957446808510637
RT_ICON	0x201bd0	0x4228	data	English	United States	0.19662257912139822
RT_ICON	0x205df8	0x25a8	SysEx File -	English	United States	0.35466804979253114
RT_ICON	0x2083a0	0x1a68	OpenPGP Public Key	English	United States	0.38284023668639056
RT_ICON	0x209e08	0x10a8	data	English	United States	0.009146341463414634
RT_ICON	0x20aeb0	0x988	data	English	United States	0.029918032786885245
RT_ICON	0x20b838	0x6b8	data	English	United States	0.3569767441860465
RT_ICON	0x20bef0	0x468	data	English	United States	0.3537234042553192
RT_ICON	0x20c3c0	0x4228	data	English	United States	0.17099669343410487
RT_ICON	0x2105e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.12603734439834025
RT_ICON	0x212b90	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 0	English	United States	0.14142011834319526
RT_ICON	0x2145f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.17589118198874296
RT_ICON	0x2156a0	0xcd8	Device independent bitmap graphic, 28 x 56 x 32, image size 0	English	United States	0.17062043795620438
RT_ICON	0x216378	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.20204918032786887
RT_ICON	0x216d00	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 0	English	United States	0.2505813953488372
RT_ICON	0x2173b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.30851063829787234
RT_GROUP_ICON	0x73280	0x76	data	English	United States	0.1016949152542373
RT_GROUP_ICON	0xaadd0	0x76	Matlab v4 mat-file (little endian) `\373\033\010!, numeric, rows 0, columns 0	English	United States	0.635593220338983
RT_GROUP_ICON	0xb62a8	0x76	data	English	United States	0.1016949152542373
RT_GROUP_ICON	0xc1780	0x76	data	English	United States	0.1016949152542373
RT_GROUP_ICON	0xccc58	0x76	data	English	United States	0.1016949152542373
RT_GROUP_ICON	0xd8130	0x76	data	English	United States	0.7711864406779662
RT_GROUP_ICON	0xe3608	0x76	data	English	United States	0.1016949152542373
RT_GROUP_ICON	0xeeae0	0x76	data	English	United States	0.1016949152542373
RT_GROUP_ICON	0xf9fb8	0x76	data	English	United States	0.1016949152542373
RT_GROUP_ICON	0x105490	0x76	data	English	United States	0.1016949152542373
RT_GROUP_ICON	0x110968	0x76	data	English	United States	0.1016949152542373
RT_GROUP_ICON	0x11b168	0x68	data	English	United States	0.11538461538461539
RT_GROUP_ICON	0x7e758	0x76	data	English	United States	0.7542372881355932
RT_GROUP_ICON	0x89c30	0x76	data	English	United States	0.1016949152542373
RT_GROUP_ICON	0x95108	0x76	Matlab v4 mat-file (little endian) \377\377\377\377@\362\031=\004\301\377\377, numeric, rows 0, columns 0	English	United States	0.3983050847457627
RT_GROUP_ICON	0x217820	0x76	data	English	United States	0.7711864406779662
RT_GROUP_ICON	0x125958	0x68	data	English	United States	0.11538461538461539
RT_GROUP_ICON	0x130148	0x68	data	English	United States	0.11538461538461539
RT_GROUP_ICON	0x13a938	0x68	data	English	United States	0.75
RT_GROUP_ICON	0x145128	0x68	data	English	United States	0.11538461538461539
RT_GROUP_ICON	0x14f918	0x68	data	English	United States	0.28846153846153844
RT_GROUP_ICON	0x15a108	0x68	data	English	United States	0.375
RT_GROUP_ICON	0x1648f8	0x68	Non-ISO extended-ASCII text, with no line terminators	English	United States	0.8365384615384616
RT_GROUP_ICON	0x16f0e8	0x68	data	English	United States	0.17307692307692307
RT_GROUP_ICON	0x1798d8	0x68	data	English	United States	0.16346153846153846
RT_GROUP_ICON	0x1840c8	0x68	data	English	United States	0.7307692307692307
RT_GROUP_ICON	0x18e8b8	0x68	data	English	United States	1.1057692307692308
RT_GROUP_ICON	0x1990a8	0x68	data	English	United States	0.8557692307692307
RT_GROUP_ICON	0x1a3898	0x68	data	English	United States	0.11538461538461539
RT_GROUP_ICON	0x1ae088	0x68	data	English	United States	0.5384615384615384
RT_GROUP_ICON	0x1b8878	0x68	data	English	United States	0.7596153846153846
RT_GROUP_ICON	0x1c3068	0x68	data	English	United States	0.47115384615384615
RT_GROUP_ICON	0x1cd858	0x68	data	English	United States	0.7115384615384616
RT_GROUP_ICON	0x1d8048	0x68	data	English	United States	0.3173076923076923
RT_GROUP_ICON	0x1e2838	0x68	data	English	United States	0.3942307692307692
RT_GROUP_ICON	0x1e6ac8	0x14	data	English	United States	0.55
RT_GROUP_ICON	0x1ead08	0x14	data	English	United States	0.55
RT_GROUP_ICON	0x1eef48	0x14	data	English	United States	1.35
RT_GROUP_ICON	0x1f3188	0x14	data	English	United States	0.85
RT_GROUP_ICON	0x1f73c8	0x14	data	English	United States	1.15
RT_GROUP_ICON	0x201b68	0x68	data	English	United States	0.11538461538461539
RT_GROUP_ICON	0x20c358	0x68	data	English	United States	0.6153846153846154
RT_GROUP_ICON	0x9f908	0x68	data	English	United States	0.11538461538461539
RT_VERSION	0x66240	0x3b4	data	English	United States	0.4578059071729958
RT_MANIFEST	0x65f40	0x2fa	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.479002624671916

Imports

DLL	Import
msvcrt.dll	wcschr, wcsncmp, __CxxFrameHandler3, floorf, memcmp, wcstombs, _wcsnicmp, toupper, iswspace, _wtoi, memmove, _errno, ??1type_info@@UEAA@XZ, _onexit, __dllonexit, _unlock, _lock, ?terminate@@YAXXZ, _initterm, _amsg_exit, _XcptFilter, _CxxThrowException, _callnewh, ??0exception@@QEAA@AEBQEBDH@Z, wcsstr, realloc, calloc, _get_errno, _set_errno, ??0exception@@QEAA@AEBQEBD@Z, ?what@exception@@UEBAPEBDXZ, memmove_s, swprintf_s, _purecall, wcscat_s, wcscpy_s, free, malloc, wcsncpy_s, __C_specific_handler, _vsnprintf_s, ??0exception@@QEAA@AEBV0@@Z, ??0exception@@QEAA@XZ, ??1exception@@UEAA@XZ, memcpy_s, _vsnwprintf, memset
api-ms-win-core-libraryloader-l1-2-0.dll	LoadLibraryExW, FreeLibrary, LoadLibraryExA, LoadResource, SizeofResource, GetProcAddress, GetModuleFileNameA, LoadStringW, GetModuleHandleW, GetModuleHandleExW, GetModuleFileNameW, FindResourceExW
api-ms-win-core-synch-l1-1-0.dll	CreateMutexExW, OpenSemaphoreW, InitializeCriticalSection, WaitForSingleObjectEx, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, InitializeCriticalSectionEx, DeleteCriticalSection, ReleaseMutex, WaitForSingleObject, CreateEventW, LeaveCriticalSection, ReleaseSemaphore, AcquireSRWLockShared, CreateEventExW, SetEvent, InitializeSRWLock, EnterCriticalSection, CreateSemaphoreExW, ReleaseSRWLockShared
api-ms-win-core-heap-l1-1-0.dll	HeapAlloc, GetProcessHeap, HeapFree
api-ms-win-core-errorhandling-l1-1-0.dll	SetUnhandledExceptionFilter, UnhandledExceptionFilter, SetLastError, GetLastError, RaiseException
api-ms-win-core-processthreads-l1-1-0.dll	OpenProcessToken, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, CreateProcessW, GetCurrentThreadId, ProcessIdToSessionId
api-ms-win-core-localization-l1-2-0.dll	GetLocaleInfoW, FormatMessageW
api-ms-win-core-debug-l1-1-0.dll	IsDebuggerPresent, DebugBreak, OutputDebugStringW, OutputDebugStringA
api-ms-win-core-handle-l1-1-0.dll	CloseHandle
OLEAUT32.dll	VarBstrCmp, SysAllocStringLen, SysAllocString, SysStringLen, VarBstrCat, VariantClear, VariantInit, SysStringByteLen, SysAllocStringByteLen, VarUI4FromStr, SysFreeString
api-ms-win-eventing-classicprovider-l1-1-0.dll	RegisterTraceGuidsW, GetTraceLoggerHandle, TraceMessage, UnregisterTraceGuids, GetTraceEnableFlags, GetTraceEnableLevel
api-ms-win-core-com-l1-1-0.dll	CoTaskMemFree, CoGetMalloc, CoSetProxyBlanket, CoTaskMemAlloc, CoCreateInstance, IIDFromString, StringFromIID, CoRegisterClassObject, CoRevokeClassObject, CoTaskMemRealloc, CoUninitialize, CoInitializeEx, CoWaitForMultipleHandles, StringFromGUID2, CoGetApartmentType
api-ms-win-core-string-l2-1-0.dll	CharNextW, CharUpperBuffW
api-ms-win-core-libraryloader-l1-2-1.dll	LoadLibraryW
api-ms-win-core-registry-l1-1-0.dll	RegOpenKeyExW, RegGetValueW, RegQueryValueExW, RegSetValueExW, RegCreateKeyExW, RegEnumKeyExW, RegDeleteValueW, RegQueryInfoKeyW, RegCloseKey
api-ms-win-core-string-l1-1-0.dll	CompareStringOrdinal, CompareStringW, MultiByteToWideChar
api-ms-win-eventing-provider-l1-1-0.dll	EventActivityIdControl, EventProviderEnabled, EventRegister, EventSetInformation, EventWriteTransfer, EventUnregister, EventEnabled
api-ms-win-core-sysinfo-l1-1-0.dll	GetWindowsDirectoryW, GetSystemTimeAsFileTime, GetTickCount
api-ms-win-core-heap-l2-1-0.dll	LocalFree, LocalAlloc
api-ms-win-core-threadpool-l1-2-0.dll	WaitForThreadpoolTimerCallbacks, CloseThreadpoolTimer, CreateThreadpoolTimer, SetThreadpoolTimer
api-ms-win-core-profile-l1-1-0.dll	QueryPerformanceCounter, QueryPerformanceFrequency
api-ms-win-core-winrt-error-l1-1-0.dll	RoTransformError, RoOriginateError
api-ms-win-core-synch-l1-2-0.dll	Sleep, InitOnceBeginInitialize, InitOnceExecuteOnce, InitOnceComplete
api-ms-win-service-management-l1-1-0.dll	CloseServiceHandle, OpenServiceW, OpenSCManagerW
api-ms-win-service-winsvc-l1-1-0.dll	QueryServiceStatus
IPHLPAPI.DLL	ConvertInterfaceLuidToGuid, ConvertInterfaceIndexToLuid, ConvertInterfaceLuidToIndex, FreeMibTable, ConvertInterfaceGuidToLuid, GetIfStackTable, GetIfEntry2Ex
api-ms-win-core-winrt-string-l1-1-0.dll	WindowsDeleteString, WindowsCreateStringReference, WindowsGetStringRawBuffer, WindowsCreateString, WindowsConcatString
api-ms-win-security-sddl-l1-1-0.dll	ConvertStringSidToSidW
api-ms-win-core-registry-l1-1-1.dll	RegSetKeyValueW
api-ms-win-core-winrt-l1-1-0.dll	RoGetActivationFactory, RoActivateInstance
api-ms-win-security-base-l1-1-0.dll	DuplicateToken, GetTokenInformation, CreateWellKnownSid, CheckTokenMembership
api-ms-win-core-processenvironment-l1-1-0.dll	ExpandEnvironmentStringsW
api-ms-win-core-memory-l1-1-0.dll	VirtualFree, VirtualAlloc
api-ms-win-core-util-l1-1-0.dll	EncodePointer, DecodePointer
api-ms-win-core-processthreads-l1-1-1.dll	FlushInstructionCache
api-ms-win-core-interlocked-l1-1-0.dll	InterlockedPopEntrySList, InterlockedPushEntrySList
api-ms-win-core-rtlsupport-l1-1-0.dll	RtlLookupFunctionEntry, RtlVirtualUnwind, RtlCaptureContext
api-ms-win-core-threadpool-legacy-l1-1-0.dll	QueueUserWorkItem
api-ms-win-security-provider-l1-1-0.dll	SetNamedSecurityInfoW, GetNamedSecurityInfoW, SetEntriesInAclW
api-ms-win-core-kernel32-legacy-l1-1-0.dll	MulDiv
api-ms-win-core-string-obsolete-l1-1-0.dll	lstrcmpiW, lstrlenW, lstrcmpW
api-ms-win-core-shlwapi-obsolete-l1-1-0.dll	QISearch
api-ms-win-core-localization-obsolete-l1-2-0.dll	GetUserDefaultUILanguage
api-ms-win-core-sidebyside-l1-1-0.dll	ActivateActCtx, QueryActCtxW, CreateActCtxW, FindActCtxSectionStringW, DeactivateActCtx
api-ms-win-service-private-l1-1-0.dll	UnsubscribeServiceChangeNotifications, SubscribeServiceChangeNotifications
ntdll.dll	RtlUnsubscribeWnfStateChangeNotification, NtQueryInformationToken, WinSqmEndSession, WinSqmSetDWORD, WinSqmStartSession, WinSqmAddToStreamEx, NtQueryWnfStateData, RtlSubscribeWnfStateChangeNotification, WinSqmAddToStream, WinSqmIncrementDWORD, RtlUnsubscribeWnfNotificationWaitForCompletion
GDI32.dll	SetStretchBltMode, DeleteObject, CreateFontIndirectW, ExcludeClipRect, GetObjectW, SetBkMode, SetTextColor, DeleteDC, GetDeviceCaps, StretchBlt, GdiAlphaBlend, CreateCompatibleDC, CreateDIBSection, GetCurrentObject, CreateSolidBrush, BitBlt, SelectObject
USER32.dll	UpdateWindow, DestroyWindow, PostQuitMessage, LoadCursorW, DefWindowProcW, GetClassInfoExW, SetWindowLongPtrW, DestroyMenu, SetTimer, GetDpiForWindow, KillTimer, AreDpiAwarenessContextsEqual, RegisterPowerSettingNotification, UnregisterPowerSettingNotification, MonitorFromPoint, GetMonitorInfoW, GetMenuItemCount, GetMenuItemInfoW, DeleteMenu, LoadMenuW, GetSubMenu, SendNotifyMessageW, SetForegroundWindow, TrackPopupMenu, ShowWindow, CallWindowProcW, IsWindow, DrawTextExW, FindWindowW, GetWindowDpiAwarenessContext, RegisterWindowMessageW, GetDpiForSystem, PostMessageW, GetMessageExtraInfo, SetMessageExtraInfo, GetPropW, GetCurrentInputMessageSource, RemovePropW, SetMenuItemInfoW, DestroyIcon, SetMenuInfo, SetPropW, GetMenuInfo, GetIconInfoExW, UnregisterClassA, GetParent, SendInput, GetSystemMetricsForDpi, LoadImageW, ReleaseDC, SystemParametersInfoW, CreateWindowExW, DrawIconEx, GetWindowLongPtrW, RegisterClassExW, GetWindowLongW, DrawTextW, SetWindowLongW, GetClassNameW, WindowFromPoint, MonitorFromWindow, GetDC
SHELL32.dll	SHGetStockIconInfo, ShellExecuteExW, Shell_NotifyIconW
MobileNetworking.dll	GetPersistentRegPath
SHCORE.dll	IUnknown_QueryService
api-ms-win-core-file-l1-1-0.dll	CompareFileTime
api-ms-win-core-delayload-l1-1-1.dll	ResolveDelayLoadedAPI
api-ms-win-core-delayload-l1-1-0.dll	DelayLoadFailureHook
UxTheme.dll	GetThemeColor, CloseThemeData, DrawThemeTextEx, GetThemeFont, OpenThemeData, DrawThemeBackground

Exports

Name	Ordinal	Address
DllCanUnloadNow	1	0x180001270
DllGetClassObject	2	0x1800031f0
DllRegisterServer	3	0x18001d1d0
DllUnregisterServer	4	0x18001d240

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 07:56:31.551817894 CET	53	56443	162.159.36.2	192.168.2.4
Oct 27, 2024 07:56:32.406415939 CET	65210	53	192.168.2.4	1.1.1.1
Oct 27, 2024 07:56:32.414680004 CET	53	65210	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 27, 2024 07:56:32.406415939 CET	192.168.2.4	1.1.1.1	0x478c	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 27, 2024 07:56:32.414680004 CET	1.1.1.1	192.168.2.4	0x478c	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	02:56:00
Start date:	27/10/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\AyCnklzHb7.dll"
Imagebase:	0x7ff6112c0000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:56:00
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:56:00
Start date:	27/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AyCnklzHb7.dll",#1
Imagebase:	0x7ff63f0e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:56:00
Start date:	27/10/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\AyCnklzHb7.dll
Imagebase:	0x7ff611320000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:56:00
Start date:	27/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\AyCnklzHb7.dll",#1
Imagebase:	0x7ff6f1ab0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:56:00
Start date:	27/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\AyCnklzHb7.dll,DllCanUnloadNow
Imagebase:	0x7ff6f1ab0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:56:03
Start date:	27/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\AyCnklzHb7.dll,DllGetClassObject
Imagebase:	0x7ff6f1ab0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:56:04
Start date:	27/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7448 -s 420
Imagebase:	0x7ff6692c0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:56:06
Start date:	27/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\AyCnklzHb7.dll,DllRegisterServer
Imagebase:	0x7ff6f1ab0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	13
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFDFB7231F0 Relevance: 2.6, APIs: 2, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB723263
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB723297

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 30359a2fbf865d7357c24ce6ae96d5d75003d90b4bfe6daeb817649b1c14a4ba
Instruction ID: ee081b0a470a90e73525f1918b60dc23bbc585bea9e6aa392b4200a05fce9811
Opcode Fuzzy Hash: 30359a2fbf865d7357c24ce6ae96d5d75003d90b4bfe6daeb817649b1c14a4ba
Instruction Fuzzy Hash: 64311C62B0AB438AEB158B66D860A7973E5FB45BC4F2A4432CE6D476BCDF38D5418700

Non-executed Functions

Function 00007FFDFB7218F0 Relevance: 66.9, APIs: 30, Strings: 8, Instructions: 395
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB721972
LoadCursorW.USER32 ref: 00007FFDFB721A04
ShowWindow.USER32 ref: 00007FFDFB721A93
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FFDFB721AEC
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FFDFB721B02
LoadLibraryExA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB721B35
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB721B57
EncodePointer.API-MS-WIN-CORE-UTIL-L1-1-0 ref: 00007FFDFB721B6F
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB721B8C
EncodePointer.API-MS-WIN-CORE-UTIL-L1-1-0 ref: 00007FFDFB721BA4
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB721BC1
EncodePointer.API-MS-WIN-CORE-UTIL-L1-1-0 ref: 00007FFDFB721BD9
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB721BF6
EncodePointer.API-MS-WIN-CORE-UTIL-L1-1-0 ref: 00007FFDFB721C0E
DecodePointer.API-MS-WIN-CORE-UTIL-L1-1-0 ref: 00007FFDFB721C33
DecodePointer.API-MS-WIN-CORE-UTIL-L1-1-0 ref: 00007FFDFB721C93
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFDFB721CD6
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB721CEC
ShowWindow.USER32 ref: 00007FFDFB721DA0
UpdateWindow.USER32 ref: 00007FFDFB721DB0
FindWindowW.USER32 ref: 00007FFDFB721DE2
SendNotifyMessageW.USER32 ref: 00007FFDFB721E04
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB721E47
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB721D11

Part of subcall function 00007FFDFB727FB0: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB727FC6

Part of subcall function 00007FFDFB721E90: ActivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0 ref: 00007FFDFB721F06
Part of subcall function 00007FFDFB721E90: CreateWindowExW.USER32 ref: 00007FFDFB721F83
Part of subcall function 00007FFDFB721E90: DeactivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0 ref: 00007FFDFB721FBD

Strings

P, xrefs: 00007FFDFB7219C2
atlthunk.dll, xrefs: 00007FFDFB721B2E, 00007FFDFB731229
AtlThunk_AllocateData, xrefs: 00007FFDFB721B4D, 00007FFDFB73124F
AtlThunk_InitData, xrefs: 00007FFDFB721B82, 00007FFDFB731269
AtlThunk_DataToCode, xrefs: 00007FFDFB721BB7, 00007FFDFB731283
Shell_TrayWnd, xrefs: 00007FFDFB721DDB
Network Flyout, xrefs: 00007FFDFB721D76
AtlThunk_FreeData, xrefs: 00007FFDFB721BEC, 00007FFDFB73129D

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Pointer$Window$AddressCriticalEncodeProcSection$DecodeEnterHeapLeaveLoadMessageShow$ActivateAllocCreateCurrentCursorDeactivateFindLibraryNotifyProcessSendThreadTraceUpdate
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$Network Flyout$P$Shell_TrayWnd$atlthunk.dll
API String ID: 2554326411-3218521056
Opcode ID: dfa3455f24e70595d0381f225aa8bea9d95dd61a256da8951bb2dcd42a57dc93
Instruction ID: 723ee6214a2d13ce6c3211a0a6e679b7ee305566e5b3ca7150a4552f5d824fdc
Opcode Fuzzy Hash: dfa3455f24e70595d0381f225aa8bea9d95dd61a256da8951bb2dcd42a57dc93
Instruction Fuzzy Hash: 6C123E35B0AB8786E7548B11E860AB9B7A1FB89B44F548135CA6D43BF8DF3CE445CB00

Function 00007FFDFB724240 Relevance: 48.0, APIs: 26, Strings: 1, Instructions: 708serviceCOMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72433A
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB724351
ConvertInterfaceGuidToLuid.IPHLPAPI ref: 00007FFDFB724467
GetIfEntry2Ex.IPHLPAPI ref: 00007FFDFB72447E
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB724503
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72453B

Part of subcall function 00007FFDFB727FB0: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB727FC6

OpenSCManagerW.API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0 ref: 00007FFDFB7245FC
OpenServiceW.API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0 ref: 00007FFDFB72461F
CloseServiceHandle.API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0 ref: 00007FFDFB72463E
QueryServiceStatus.API-MS-WIN-SERVICE-WINSVC-L1-1-0 ref: 00007FFDFB72467B
SubscribeServiceChangeNotifications.API-MS-WIN-SERVICE-PRIVATE-L1-1-0 ref: 00007FFDFB7246C0

Strings

ServicesActive, xrefs: 00007FFDFB7245F3

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CriticalSectionService$EnterLeaveOpen$ChangeCloseConvertEntry2GuidHandleInterfaceLuidManagerMessageNotificationsQueryStatusSubscribeTrace
String ID: ServicesActive
API String ID: 3969580514-3071072050
Opcode ID: c28ac43b69d4244a31fe12d4c2367a80fbc799a753e6cf485316f07d6be99a22
Instruction ID: 44132fcc69aa89d0965eea2848d9b0b15b866d81f87ff6e4a2cd16f0184b8c45
Opcode Fuzzy Hash: c28ac43b69d4244a31fe12d4c2367a80fbc799a753e6cf485316f07d6be99a22
Instruction Fuzzy Hash: 37722B32B0A78386EB509B26E460AB977A1FB85B44F544036DE6D476F8DF7CE445CB00

Function 00007FFDFB762DD8 Relevance: 46.2, APIs: 21, Strings: 5, Instructions: 659
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFDFB7646A8: _cwprintf_s_l.LIBCMT ref: 00007FFDFB7646D6
Part of subcall function 00007FFDFB7646A8: GetPropW.USER32 ref: 00007FFDFB7646E7

MonitorFromWindow.USER32 ref: 00007FFDFB762E36
OpenThemeData.UXTHEME ref: 00007FFDFB762E8F
DrawThemeBackground.UXTHEME ref: 00007FFDFB762F81

Part of subcall function 00007FFDFB7627D0: CreateDIBSection.GDI32 ref: 00007FFDFB7628AA
Part of subcall function 00007FFDFB7627D0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB762CD4

memset.MSVCRT ref: 00007FFDFB763297
SHGetStockIconInfo.SHELL32 ref: 00007FFDFB7632BC
DrawIconEx.USER32 ref: 00007FFDFB7632FB
GetObjectW.GDI32 ref: 00007FFDFB76335C
MulDiv.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0 ref: 00007FFDFB7633E5
MulDiv.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0 ref: 00007FFDFB7633FE
GetThemeColor.UXTHEME ref: 00007FFDFB763491
SelectObject.GDI32 ref: 00007FFDFB7634AE
GetObjectW.GDI32 ref: 00007FFDFB7634CE
GdiAlphaBlend.GDI32 ref: 00007FFDFB76353D
SetStretchBltMode.GDI32 ref: 00007FFDFB763563
StretchBlt.GDI32 ref: 00007FFDFB7635AA
BitBlt.GDI32 ref: 00007FFDFB7635DF
SelectObject.GDI32 ref: 00007FFDFB763608
floorf.MSVCRT ref: 00007FFDFB76376F
DrawThemeBackground.UXTHEME ref: 00007FFDFB7637A6
ExcludeClipRect.GDI32 ref: 00007FFDFB7637D3
CloseThemeData.UXTHEME ref: 00007FFDFB7637E2

Strings

LightMode_ImmersiveStart::Menu, xrefs: 00007FFDFB762E82
ImmersiveStart::Menu, xrefs: 00007FFDFB762E7B
DarkMode_ImmersiveStart::Menu, xrefs: 00007FFDFB762E6E
, xrefs: 00007FFDFB763580
, xrefs: 00007FFDFB7635BF

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Theme$Object$Draw$BackgroundDataIconSelectStretch$AlphaBlendClipCloseColorCreateErrorExcludeFromInfoLastModeMonitorOpenPropRectSectionStockWindow_cwprintf_s_lfloorfmemset
String ID: $ $DarkMode_ImmersiveStart::Menu$ImmersiveStart::Menu$LightMode_ImmersiveStart::Menu
API String ID: 311497863-1355332715
Opcode ID: bd85be98e764268484eae91222140ba6597c2ebdafd77c3775143cfce6fa20c5
Instruction ID: d6f8474b6879088bd7d98c2e790d40df587f83a8ea220d150f0284d3a769a34b
Opcode Fuzzy Hash: bd85be98e764268484eae91222140ba6597c2ebdafd77c3775143cfce6fa20c5
Instruction Fuzzy Hash: 4E628F32B057828FE760CF29D494EAD7BA6FB48744F124135DE5997BA8DB38E941CB00

Function 00007FFDFB7289E0 Relevance: 38.7, APIs: 18, Strings: 4, Instructions: 233
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFDFB728A78
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FFDFB728A8B
LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB728AC0
memset.MSVCRT ref: 00007FFDFB728AF9
wcstombs.MSVCRT ref: 00007FFDFB728B13
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB728B2E
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FFDFB728B63
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB728B92

Strings

h, xrefs: 00007FFDFB7349EC
%s %s, xrefs: 00007FFDFB734A5E
Shutdown, xrefs: 00007FFDFB7289E7
, xrefs: 00007FFDFB734AC7

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CountLibraryTick$AddressCurrentFreeLoadProcThreadmemsetwcstombs
String ID: $%s %s$Shutdown$h
API String ID: 1596487305-3695048113
Opcode ID: cddab9cfd2f6982635d7e2dc380e06036a46acf3d830ec6df45b0b64d0823aaa
Instruction ID: c5e261c7fb764473ec288a96342571f2eca98ae909839658264b04308d915f3f
Opcode Fuzzy Hash: cddab9cfd2f6982635d7e2dc380e06036a46acf3d830ec6df45b0b64d0823aaa
Instruction Fuzzy Hash: B6B18032A0AB83CAEB248F65D4607B9B7A0FB49B54F184135CE5E577B8DF38D4858B10

Function 00007FFDFB7257D0 Relevance: 33.7, APIs: 14, Strings: 5, Instructions: 418
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72587C
RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB725944
memset.MSVCRT ref: 00007FFDFB725A29
memset.MSVCRT ref: 00007FFDFB725AC7
GetIconInfoExW.USER32 ref: 00007FFDFB725AD4
DeleteObject.GDI32 ref: 00007FFDFB725AF6
DeleteObject.GDI32 ref: 00007FFDFB725B0C
Shell_NotifyIconW.SHELL32 ref: 00007FFDFB725B20
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB725BD8

Part of subcall function 00007FFDFB727FB0: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB727FC6

Part of subcall function 00007FFDFB723A90: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB723ABE

Strings

Software\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Network, xrefs: 00007FFDFB725936
Unknown, xrefs: 00007FFDFB73357F
PNITooltip, xrefs: 00007FFDFB733233
WiredInternet, xrefs: 00007FFDFB725B91
AlwaysConnectedSysTrayExperience, xrefs: 00007FFDFB72592F

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CriticalDeleteIconMessageObjectSectionTracememset$EnterInfoLeaveNotifyShell_Value
String ID: AlwaysConnectedSysTrayExperience$PNITooltip$Software\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Network$Unknown$WiredInternet
API String ID: 3642999708-152031034
Opcode ID: 97d760b099fc2e40497d2b4bdb385100085f900e05abea501b7e3064e67c9de0
Instruction ID: 841d9e5cc3d41aad668777d5ac10732866edb31762b42d61858dd38b3914b90f
Opcode Fuzzy Hash: 97d760b099fc2e40497d2b4bdb385100085f900e05abea501b7e3064e67c9de0
Instruction Fuzzy Hash: 2E129C21B0A78786EB608B11E460BB977A1FB85B48F644036DE2E476F8DF7CE545CB40

Function 00007FFDFB728BF0 Relevance: 28.4, APIs: 12, Strings: 4, Instructions: 358
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf_s.MSVCRT ref: 00007FFDFB728CC5
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB728CFC
RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB728D43
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB728D75
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB728DAB
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB728DD6
memcpy_s.MSVCRT ref: 00007FFDFB728EE4
free.MSVCRT ref: 00007FFDFB728F5B
free.MSVCRT ref: 00007FFDFB728FD8
free.MSVCRT ref: 00007FFDFB728FF9
free.MSVCRT ref: 00007FFDFB729009
free.MSVCRT ref: 00007FFDFB734D3E

Strings

%s\%s, xrefs: 00007FFDFB728CB1
SYSTEM\CurrentControlSet\Control\Network\LightweightCallHandlers, xrefs: 00007FFDFB728CAA
Shutdown, xrefs: 00007FFDFB728BF8
(, xrefs: 00007FFDFB728D13

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: free$CloseOpen$Enummemcpy_sswprintf_s
String ID: %s\%s$($SYSTEM\CurrentControlSet\Control\Network\LightweightCallHandlers$Shutdown
API String ID: 3091033584-2580956259
Opcode ID: 1821c573a3ce5f64da93654990f9858465f1dcc108f3a47cf7a1210f3d71e64f
Instruction ID: 62ea5170a973a9d1341529a3c2464d5af35fc411dbdd54904dc3df6c5af74567
Opcode Fuzzy Hash: 1821c573a3ce5f64da93654990f9858465f1dcc108f3a47cf7a1210f3d71e64f
Instruction Fuzzy Hash: 5EF1813270AB8285EB648B16E460BAAB761FB84B94F544135DEAD43BF8DF7CD444CB00

Function 00007FFDFB729B20 Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 325
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB729C11
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB729D11
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FFDFB729D8E
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FFDFB729DA2
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FFDFB729DBA
memcpy_s.MSVCRT ref: 00007FFDFB729DFC
memcpy_s.MSVCRT ref: 00007FFDFB729E56
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB729E71
GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB73534E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FFDFB735450
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FFDFB735464

Strings

RtlQueryFeatureConfiguration, xrefs: 00007FFDFB729C07
ntdll.dll, xrefs: 00007FFDFB735347

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Heap$Process$ExclusiveLockmemcpy_s$AcquireAddressAllocFreeHandleModuleProcRelease
String ID: RtlQueryFeatureConfiguration$ntdll.dll
API String ID: 2568385249-4111156962
Opcode ID: 9eadd721f4a1d6e8bbc2233d7c4336f87c2fabc0a7d0cce8f37da03d273523d6
Instruction ID: 38dcfccd0b7aff9170f4754a90bb9d9ac751439abcdf793a31a609aac366f31d
Opcode Fuzzy Hash: 9eadd721f4a1d6e8bbc2233d7c4336f87c2fabc0a7d0cce8f37da03d273523d6
Instruction Fuzzy Hash: 1AE19136B1AB438AE7548B25E460A7977A1FB49B84F684135CE6E437F8DF7CE4408B40

Function 00007FFDFB72C020 Relevance: 21.2, APIs: 14, Instructions: 190timenativeCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFDFB72C088
ProcessIdToSessionId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFDFB72C09A
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72C0BA
memset.MSVCRT ref: 00007FFDFB72C0E3
NtQueryWnfStateData.NTDLL ref: 00007FFDFB72C111
RtlSubscribeWnfStateChangeNotification.NTDLL ref: 00007FFDFB72C183
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72C1A2
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB73612C
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB736158
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB736185
CompareFileTime.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFB7361DD
CompareFileTime.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFB73620B
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB736249
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB73626B

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$CompareEnterFileProcessStateTime$ChangeCurrentDataErrorLastNotificationQuerySessionSubscribememset
String ID:
API String ID: 3793839815-0
Opcode ID: 54aba9d84cf8b700c9a0912d01b800fdcdf0dd5c1b5fa80f9c78c7c2414ea6d8
Instruction ID: da2c08823564538e73fadef3e619ec09f173aa1a022e2d309c569090e8f66c9b
Opcode Fuzzy Hash: 54aba9d84cf8b700c9a0912d01b800fdcdf0dd5c1b5fa80f9c78c7c2414ea6d8
Instruction Fuzzy Hash: 2E815E32B0DB8286E7108F25E86097AB7A4FB49B90F594135DEAD437B8DF38E491C700

Function 00007FFDFB7627D0 Relevance: 19.8, APIs: 13, Instructions: 334COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFB761FA8: CreateCompatibleDC.GDI32(?,?,00000001,00007FFDFB762832), ref: 00007FFDFB761FC3

CreateDIBSection.GDI32 ref: 00007FFDFB7628AA
SelectObject.GDI32 ref: 00007FFDFB7628D4
memset.MSVCRT ref: 00007FFDFB762919
SystemParametersInfoW.USER32 ref: 00007FFDFB762937
memset.MSVCRT ref: 00007FFDFB762967
GetThemeFont.UXTHEME ref: 00007FFDFB76298E
CreateFontIndirectW.GDI32 ref: 00007FFDFB762A4E
SelectObject.GDI32 ref: 00007FFDFB762AC7
GdiAlphaBlend.GDI32 ref: 00007FFDFB762C59
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB762CD4

Part of subcall function 00007FFDFB747650: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB747654

SelectObject.GDI32 ref: 00007FFDFB762C7D
DeleteObject.GDI32 ref: 00007FFDFB762C8C
SelectObject.GDI32 ref: 00007FFDFB762CA7

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Object$Select$Create$ErrorFontLastmemset$AlphaBlendCompatibleDeleteIndirectInfoParametersSectionSystemTheme
String ID:
API String ID: 4123986876-0
Opcode ID: d6b4fa5c4776e3af7d46fb049869b00cc0677fa2d8b3738f13a4da4d77841f00
Instruction ID: 848571a577ba263310cabfce216647e858d8456e5c78cefa947aa8d9cd6ebad4
Opcode Fuzzy Hash: d6b4fa5c4776e3af7d46fb049869b00cc0677fa2d8b3738f13a4da4d77841f00
Instruction Fuzzy Hash: 18F17A32A05B828EE760DF65E8506ED7BB1FB88788F104125EE5D57BA8EF38D545CB00

Function 00007FFDFB764134 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 261windowCOMMON

Download Yara Rule

APIs

GetCurrentInputMessageSource.USER32 ref: 00007FFDFB76419F
GetMessageExtraInfo.USER32 ref: 00007FFDFB7641B6
SystemParametersInfoW.USER32 ref: 00007FFDFB764207

Part of subcall function 00007FFDFB7644FC: memset.MSVCRT ref: 00007FFDFB764523
Part of subcall function 00007FFDFB7644FC: GetMenuItemInfoW.USER32 ref: 00007FFDFB764548

memset.MSVCRT ref: 00007FFDFB764227
memset.MSVCRT ref: 00007FFDFB764248
GetMenuItemInfoW.USER32 ref: 00007FFDFB76426C
memset.MSVCRT ref: 00007FFDFB76438C
SetMenuItemInfoW.USER32 ref: 00007FFDFB7643F9

Part of subcall function 00007FFDFB764134: std::exception_ptr::_Current_exception.LIBCONCRT ref: 00007FFDFB764460

Strings

P, xrefs: 00007FFDFB76422E

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Info$memset$ItemMenu$Message$CurrentCurrent_exceptionExtraInputParametersSourceSystemstd::exception_ptr::_
String ID: P
API String ID: 590821465-3110715001
Opcode ID: f8da3831e86d89e548f43d196414c204323a877b5fb10db37e27bea6c462af61
Instruction ID: e19f01c1e2b469d26c332aed6e28f9b830d095877728521b8d959b945db3a917
Opcode Fuzzy Hash: f8da3831e86d89e548f43d196414c204323a877b5fb10db37e27bea6c462af61
Instruction Fuzzy Hash: 2EB1BF32B097838EF7118B66E461BAA7BA2FB45788F104135DE5957AF8DF3CE4458B00

Function 00007FFDFB72A3F0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 220memorylibraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFDFB72A426
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FFDFB74E516), ref: 00007FFDFB7356DB
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FFDFB74E516), ref: 00007FFDFB735733
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FFDFB74E516), ref: 00007FFDFB735747
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FFDFB74E516), ref: 00007FFDFB735753
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FFDFB74E516), ref: 00007FFDFB735767
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FFDFB74E516), ref: 00007FFDFB7357C0
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FFDFB74E516), ref: 00007FFDFB7357D4

Strings

NtQueryWnfStateData, xrefs: 00007FFDFB7356D4

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Heap$Process$Free$AddressAllocProcmemset
String ID: NtQueryWnfStateData
API String ID: 2515388404-3685890079
Opcode ID: eb924088731ec31bdfab8afe444fd1265f1e1db68a0cf88f63bbfff1f2c27592
Instruction ID: e8252850e761201e56c99bb53042e4136e3be08753f73fcab3f61c631c818639
Opcode Fuzzy Hash: eb924088731ec31bdfab8afe444fd1265f1e1db68a0cf88f63bbfff1f2c27592
Instruction Fuzzy Hash: 60916F32B0AB92CAEB148F16E414979B7A1FB89B44F584135DA5D477B8EF3CE494CB00

Function 00007FFDFB7217E0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

ActivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0 ref: 00007FFDFB72184B
GetClassInfoExW.USER32 ref: 00007FFDFB72186D
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB721894
DeactivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0 ref: 00007FFDFB7218A9
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB7218BB
OutputDebugStringA.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FFDFB73110B
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB731129

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 00007FFDFB731104

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ErrorLast$ActivateClassDeactivateDebugInfoOutputString
String ID: IsolationAware function called after IsolationAwareCleanup
API String ID: 2706167345-2690750368
Opcode ID: 47e8a5f8e73670736668a9d19069b748d7b85cc41c4f92acc9e04f231f677fa1
Instruction ID: e6275241a6816113aa7465f288ff25510f630a71b675a860a3d43484fe695067
Opcode Fuzzy Hash: 47e8a5f8e73670736668a9d19069b748d7b85cc41c4f92acc9e04f231f677fa1
Instruction Fuzzy Hash: 3B411D31F0A74386E7604B15E9A0979BBA1FB49751F694135DD2D93BF8CF7CE4808A00

Function 00007FFDFB74C690 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 164comCOMMON

Download Yara Rule

APIs

CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB74C6E6

Strings

Windows.Internal.ShellExperience.NetworkFlyout, xrefs: 00007FFDFB74C784
net\config\shell\pnidui\maindlg.cpp, xrefs: 00007FFDFB74C6FF, 00007FFDFB74C756, 00007FFDFB74C7C3, 00007FFDFB74C8CC
Mini flyout, xrefs: 00007FFDFB74C693

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CreateInstance
String ID: Mini flyout$Windows.Internal.ShellExperience.NetworkFlyout$net\config\shell\pnidui\maindlg.cpp
API String ID: 542301482-1764596035
Opcode ID: 1b33cd7405e2b11ba94190f76a4cd7e79f3009f344b0c478b26fafbbd8c23073
Instruction ID: 722f52ab031183050cf4d3644608d0d972438ca015f8a1f08ff42275022ce2cf
Opcode Fuzzy Hash: 1b33cd7405e2b11ba94190f76a4cd7e79f3009f344b0c478b26fafbbd8c23073
Instruction Fuzzy Hash: CD813722B1AB47DAE7109B71C460AEC3361EB98798F505132DA1DA7AF9DF38E6458340

Function 00007FFDFB75EA88 Relevance: 6.1, APIs: 4, Instructions: 101nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFB75F8D8: memcmp.MSVCRT ref: 00007FFDFB75F93E

NtQueryWnfStateData.NTDLL ref: 00007FFDFB75EB15
free.MSVCRT ref: 00007FFDFB75EB33
RtlSubscribeWnfStateChangeNotification.NTDLL ref: 00007FFDFB75EBB7
free.MSVCRT ref: 00007FFDFB75EBF6

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Statefree$ChangeDataNotificationQuerySubscribememcmp
String ID:
API String ID: 2518213733-0
Opcode ID: 6c584bae5547c31eaee2981ffa29603ac82593797c92365baf2ecb6045d0d418
Instruction ID: 12d831a2543544461f569eaebc2a7e70909e65a487c17142a1165a7a7314ae53
Opcode Fuzzy Hash: 6c584bae5547c31eaee2981ffa29603ac82593797c92365baf2ecb6045d0d418
Instruction Fuzzy Hash: D7411E3270D75286E7208F15E5A0A6EB7B0FB89790F540135EAAD87AB8DF3DD446CB00

Function 00007FFDFB7496BC Relevance: 6.1, APIs: 4, Instructions: 77nativememoryCOMMON

Download Yara Rule

APIs

NtQueryWnfStateData.NTDLL ref: 00007FFDFB7496F0
CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB749768
NtQueryWnfStateData.NTDLL ref: 00007FFDFB74979C
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB7497F7

Part of subcall function 00007FFDFB723A90: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB723ABE

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: DataQueryStateTask$AllocFreeMessageTrace
String ID:
API String ID: 2005818475-0
Opcode ID: ede1aeb6b9f955d287ea206b41c2cc623a879cb36881d0e24e93f7e53bbcc61f
Instruction ID: 9017115ae0d0b6952ca850d6d2288367620c32fa12ba1bd01c96b1e3a6e339e2
Opcode Fuzzy Hash: ede1aeb6b9f955d287ea206b41c2cc623a879cb36881d0e24e93f7e53bbcc61f
Instruction Fuzzy Hash: F8314736B0AB42CAEB10CB59E464AB977A1FB88790F954132DA2E027F8DF7CD545C700

Function 00007FFDFB75E76C Relevance: 3.0, APIs: 2, Instructions: 42nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationToken.NTDLL ref: 00007FFDFB75E7A8
NtQueryInformationToken.NTDLL ref: 00007FFDFB75E7E5

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: InformationQueryToken
String ID:
API String ID: 4239771691-0
Opcode ID: faae0401d9443d0c76534477f59804ba8cb4911881e75e9365e53b36610346e3
Instruction ID: ed1cfc68844ca233746f48f431a1b1bc87b4d9b55ff8825da507968d04a4e0b9
Opcode Fuzzy Hash: faae0401d9443d0c76534477f59804ba8cb4911881e75e9365e53b36610346e3
Instruction Fuzzy Hash: 2E115EB2718781CBE7118F01E5047EABBA5FB85795F444131DB5802AB8DBBDE58ACB00

Function 00007FFDFB761A94 Relevance: 1.6, APIs: 1, Instructions: 69comCOMMON

Download Yara Rule

APIs

CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB761B14

Part of subcall function 00007FFDFB727FB0: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB727FC6

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CreateInstanceMessageTrace
String ID:
API String ID: 365332588-0
Opcode ID: 542587e3073d0c31f9aaa796474cbfe02f54dcdd9c170d5d3d73bd1c2d639fcb
Instruction ID: 0daaa00dbefb2c6e4303c043086d7a31a5565de8e094f79a093317e91abf4165
Opcode Fuzzy Hash: 542587e3073d0c31f9aaa796474cbfe02f54dcdd9c170d5d3d73bd1c2d639fcb
Instruction Fuzzy Hash: 94317C31B0AB4B89EB048B05E4689753362FB84B48F245032DA6D53BF9DF7CE552C740

Function 00007FFDFB75335C Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92b41f523dc380b077e2db15d3befdeac64ee7f7aec847d33dda1614c678935f
Instruction ID: 1405b9b32ad2c6c5dcc8e832f9a6391486902541ec7fdeadde7ddc33ab3d3671
Opcode Fuzzy Hash: 92b41f523dc380b077e2db15d3befdeac64ee7f7aec847d33dda1614c678935f
Instruction Fuzzy Hash: D5E1A122B2AB4381EFA18A258468A7933A1FB50B94F524535DA6F877F8DF3CD457C300

Function 00007FFDFB72A370 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c69e859d44743b681e04d816f4578077f26d6f494cfe6cc2904fee74d4fe367
Instruction ID: 9d15104078423b8e52ca7324d0d36faab812f7973d963f754a175bc0f4778856
Opcode Fuzzy Hash: 3c69e859d44743b681e04d816f4578077f26d6f494cfe6cc2904fee74d4fe367
Instruction Fuzzy Hash: 0E51C373B1974286E7608F18E010A2D77A5FB59758F284235DA6D47AF8DB3DE881CB00

Function 00007FFDFB726973 Relevance: 47.6, APIs: 21, Strings: 6, Instructions: 395
registrywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertInterfaceGuidToLuid.IPHLPAPI ref: 00007FFDFB726A78
GetIfEntry2Ex.IPHLPAPI ref: 00007FFDFB726A92
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB726B17
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB726B3F
PostMessageW.USER32 ref: 00007FFDFB726B67
RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB726BB9

Strings

CURRENT_USER\Software\Microsoft\WcmSvc\Tethering\Roaming, xrefs: 00007FFDFB733F8A, 00007FFDFB734175
net\config\shell\pnidui\maindlg.cpp, xrefs: 00007FFDFB733FF0, 00007FFDFB734052
PermissionsSet, xrefs: 00007FFDFB726BA4, 00007FFDFB7341D9
S-1-5-80-4155767994-3874329934-3800885181-2130851812-726865888, xrefs: 00007FFDFB733FD2
S-1-15-2-1, xrefs: 00007FFDFB734034
Software\Microsoft\WcmSvc\Tethering\Roaming, xrefs: 00007FFDFB726BAB, 00007FFDFB7341E0

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CriticalLeaveSection$ConvertEntry2GuidInterfaceLuidMessagePostValue
String ID: CURRENT_USER\Software\Microsoft\WcmSvc\Tethering\Roaming$PermissionsSet$S-1-15-2-1$S-1-5-80-4155767994-3874329934-3800885181-2130851812-726865888$Software\Microsoft\WcmSvc\Tethering\Roaming$net\config\shell\pnidui\maindlg.cpp
API String ID: 3710969772-2926663214
Opcode ID: d11be66b471c78f685c9be8827b8848e9e1325b36996bfcb5013c487c65cfe1b
Instruction ID: 17253e89d84e977da2eb4239e4f45475fd655fde6ba063bbd2457389953e5966
Opcode Fuzzy Hash: d11be66b471c78f685c9be8827b8848e9e1325b36996bfcb5013c487c65cfe1b
Instruction Fuzzy Hash: C4122A32B0AB438AEB148F55E8606B97BA1FB85B44F544136DA6D47AF8DF3CE444CB40

Function 00007FFDFB763824 Relevance: 31.8, APIs: 13, Strings: 5, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFDFB7646A8: _cwprintf_s_l.LIBCMT ref: 00007FFDFB7646D6
Part of subcall function 00007FFDFB7646A8: GetPropW.USER32 ref: 00007FFDFB7646E7

OpenThemeData.UXTHEME ref: 00007FFDFB7638A5
MonitorFromWindow.USER32 ref: 00007FFDFB7638CE
FindWindowW.USER32 ref: 00007FFDFB763925
GetWindowLongW.USER32 ref: 00007FFDFB763945
SetWindowLongW.USER32 ref: 00007FFDFB76396E
memset.MSVCRT ref: 00007FFDFB7639A5
SystemParametersInfoW.USER32 ref: 00007FFDFB7639BD
GetThemeFont.UXTHEME ref: 00007FFDFB7639F9
CreateFontIndirectW.GDI32 ref: 00007FFDFB763A75
SelectObject.GDI32 ref: 00007FFDFB763A9D
SelectObject.GDI32 ref: 00007FFDFB763B12
DeleteObject.GDI32 ref: 00007FFDFB763B21
CloseThemeData.UXTHEME ref: 00007FFDFB763C19

Strings

LightMode_ImmersiveStart::Menu, xrefs: 00007FFDFB763891
ImmersiveStart::Menu, xrefs: 00007FFDFB763898
DarkMode_ImmersiveStart::Menu, xrefs: 00007FFDFB763884
#32768, xrefs: 00007FFDFB76391E
$, xrefs: 00007FFDFB763ADB

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Window$ObjectTheme$DataFontLongSelect$CloseCreateDeleteFindFromIndirectInfoMonitorOpenParametersPropSystem_cwprintf_s_lmemset
String ID: #32768$$$DarkMode_ImmersiveStart::Menu$ImmersiveStart::Menu$LightMode_ImmersiveStart::Menu
API String ID: 320213981-2515996717
Opcode ID: b6d46d4ac7be8e67b2bc46c7c377a0d7ba41b60ba344a62f05c333e7a58d3083
Instruction ID: 7b64938ccb39a4b21893c6e62ca8bc9983d88df36c40e0a08ae5e68d9d8d1e1e
Opcode Fuzzy Hash: b6d46d4ac7be8e67b2bc46c7c377a0d7ba41b60ba344a62f05c333e7a58d3083
Instruction Fuzzy Hash: E7C19C32B0A7828EE711CB29E864AA97BA2FB49748F055135DE1D577F9DF38E444C700

Function 00007FFDFB725530 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 328
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0 ref: 00007FFDFB7255A4
memcpy_s.MSVCRT ref: 00007FFDFB7255FF
lstrlenW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0 ref: 00007FFDFB725623
lstrlenW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0 ref: 00007FFDFB72563D
wcsstr.MSVCRT ref: 00007FFDFB72566A
lstrlenW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0 ref: 00007FFDFB725682
Shell_NotifyIconW.SHELL32 ref: 00007FFDFB725737
free.MSVCRT ref: 00007FFDFB7257AF

Part of subcall function 00007FFDFB723640: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB723691

Strings

&&&, xrefs: 00007FFDFB725636, 00007FFDFB733168

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: lstrlen$IconMessageNotifyShell_Tracefreememcpy_swcsstr
String ID: &&&
API String ID: 3522305210-3528648089
Opcode ID: e28112e3770b45316117607a19b499ec42ff4acab39bbf377f431a194fd86084
Instruction ID: 1315d692b03d793f35c33e2c62233ed4e4454d707cda7644a0efa196984b158e
Opcode Fuzzy Hash: e28112e3770b45316117607a19b499ec42ff4acab39bbf377f431a194fd86084
Instruction Fuzzy Hash: FFE17B22B0A74386EB208B24A464A7977A1FB49B94F694131DE6E477F8DF3CE545C700

Function 00007FFDFB7624AC Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongW.USER32 ref: 00007FFDFB762559
memset.MSVCRT ref: 00007FFDFB762595
CreateFontIndirectW.GDI32 ref: 00007FFDFB7625EF
SystemParametersInfoW.USER32 ref: 00007FFDFB762626
SetBkMode.GDI32 ref: 00007FFDFB76265F
GetThemeColor.UXTHEME ref: 00007FFDFB76268E
GetThemeColor.UXTHEME ref: 00007FFDFB7626EF
SetTextColor.GDI32 ref: 00007FFDFB762704
SelectObject.GDI32 ref: 00007FFDFB762719
DrawTextW.USER32 ref: 00007FFDFB762740
SetTextColor.GDI32 ref: 00007FFDFB76275D
SetBkMode.GDI32 ref: 00007FFDFB762770
SelectObject.GDI32 ref: 00007FFDFB762782
DeleteObject.GDI32 ref: 00007FFDFB762791

Part of subcall function 00007FFDFB747650: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB747654

Strings

k, xrefs: 00007FFDFB76251F
Segoe MDL2 Assets, xrefs: 00007FFDFB7625BA
l, xrefs: 00007FFDFB762517

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Color$ObjectText$ModeSelectTheme$CreateDeleteDrawErrorFontIndirectInfoLastLongParametersSystemWindowmemset
String ID: Segoe MDL2 Assets$k$l
API String ID: 3686259064-988316403
Opcode ID: d0cc71d07375e060ba33981ab051d97f689cbad0fdc3bd99a37c6bcd6f6e735f
Instruction ID: 0eacf98d180b38c60ee96896b80ab84933579a2f310c5705cd83073a991febb7
Opcode Fuzzy Hash: d0cc71d07375e060ba33981ab051d97f689cbad0fdc3bd99a37c6bcd6f6e735f
Instruction Fuzzy Hash: 84818432719B428FE7509F21E820AADBBA1FB99B54F444535DE1A47BA8DF3CD405CB00

Function 00007FFDFB722C90 Relevance: 28.3, APIs: 9, Strings: 7, Instructions: 254
registrywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FFDFB722D97
memset.MSVCRT ref: 00007FFDFB722DD4
RegisterWindowMessageW.USER32 ref: 00007FFDFB722E0A

Part of subcall function 00007FFDFB723190: InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,00007FFDFB722ADF,?,?,?,00007FFDFB7210E9), ref: 00007FFDFB723194

memset.MSVCRT ref: 00007FFDFB7230A8
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FFDFB7230FD
RegisterWindowMessageW.USER32 ref: 00007FFDFB723116
RegisterWindowMessageW.USER32 ref: 00007FFDFB72312F
RegisterWindowMessageW.USER32 ref: 00007FFDFB723148
RegisterWindowMessageW.USER32 ref: 00007FFDFB723161

Strings

TaskbarCreated, xrefs: 00007FFDFB72315A
NetworkStatusChange, xrefs: 00007FFDFB723077
PNITooltip, xrefs: 00007FFDFB72310F
Microsoft.Windows.PNI, xrefs: 00007FFDFB723128
PNILaunchNetworkUI, xrefs: 00007FFDFB722D66
Microsoft.Windows.PNI.TrayIcon, xrefs: 00007FFDFB722E03, 00007FFDFB723141
netprofm, xrefs: 00007FFDFB722E9D

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: MessageRegisterWindow$memset$CountCriticalInitializeSectionTick
String ID: Microsoft.Windows.PNI$Microsoft.Windows.PNI.TrayIcon$NetworkStatusChange$PNILaunchNetworkUI$PNITooltip$TaskbarCreated$netprofm
API String ID: 1048345926-1792452816
Opcode ID: a40afbd40b4bf7e7660a32de9517d33a472829e8677338b72493795c139ac11e
Instruction ID: f4293d4c8fc25e6821d9486b6594885aa920ae2323f49a6f6e9f59eeca84f8f2
Opcode Fuzzy Hash: a40afbd40b4bf7e7660a32de9517d33a472829e8677338b72493795c139ac11e
Instruction Fuzzy Hash: 41E10932605B82CAE3558F24E45039AB7E4F744B04F988229CBED437A5EF79E1A5C744

Function 00007FFDFB72AB60 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 186
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB72ABB3
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB72ABD0
GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB72AC4A
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB72AC67
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB72ACAC
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB72ACC4
GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB72ACFC
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB72AD19
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB72ADA3
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB72ADE8
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB72AE00
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB72AE34

Strings

RtlSubscribeWnfStateChangeNotification, xrefs: 00007FFDFB72AD0F, 00007FFDFB72AE2D
ntdll.dll, xrefs: 00007FFDFB72ABAC, 00007FFDFB72AC43, 00007FFDFB72ACF5
NtQueryWnfStateData, xrefs: 00007FFDFB72AC5D, 00007FFDFB72AD9C
RtlRegisterFeatureConfigurationChangeNotification, xrefs: 00007FFDFB72ABC6

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: AddressProc$ErrorLast$HandleModule
String ID: NtQueryWnfStateData$RtlRegisterFeatureConfigurationChangeNotification$RtlSubscribeWnfStateChangeNotification$ntdll.dll
API String ID: 730103829-2606944309
Opcode ID: 2d8d63823dc5acd78a16314bb47783a5e97c9f7645e1f35e60f3b5d7ec233c0b
Instruction ID: 17765d706f6253834a045b3bda67e716455dcebdc1e3001e157174df795e2520
Opcode Fuzzy Hash: 2d8d63823dc5acd78a16314bb47783a5e97c9f7645e1f35e60f3b5d7ec233c0b
Instruction Fuzzy Hash: D3910335B1AB478AEB109F11E860969B7A1FB88B40F544536DE6E127B8DF7CE4458B00

Function 00007FFDFB765FDC Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 220
sleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB766026
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FFDFB766059
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FFDFB766074
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FFDFB7660A4
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FFDFB7660BE
toupper.MSVCRT ref: 00007FFDFB766175
EventRegister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FFDFB7661C1
EventProviderEnabled.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FFDFB7661D3
EventUnregister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FFDFB7661E9
EventUnregister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FFDFB766203
EventUnregister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FFDFB766315
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FFDFB76632F
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB766346

Strings

<unknown>, xrefs: 00007FFDFB766251
Settings, xrefs: 00007FFDFB765FEB, 00007FFDFB765FF0

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Event$CountTickUnregister$ExclusiveLock$AcquireAllocEnabledLocalProviderRegisterReleaseSleeptoupper
String ID: <unknown>$Settings
API String ID: 758907732-4053243128
Opcode ID: 14b1d0c9fbeb32671ae2427f5b40aadb25e31ba102198fb53decf427497fde32
Instruction ID: 60ea049406485db46213cbfefb90922cce8af7adc17554f90105f543af19b6d4
Opcode Fuzzy Hash: 14b1d0c9fbeb32671ae2427f5b40aadb25e31ba102198fb53decf427497fde32
Instruction Fuzzy Hash: 89B15E36B0AB428AE7048F25E860AA97BA5FB44B48F944135CE5D177B8DF38E545CB40

Function 00007FFDFB723810 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 201
registrycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsWindow.USER32 ref: 00007FFDFB723861
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB7238A4
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB7238C0
CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB723900
CoSetProxyBlanket.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB72394A
CoSetProxyBlanket.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB7239AB

Part of subcall function 00007FFDFB727FB0: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB727FC6

Strings

System\CurrentControlSet\Control\Network\NewNetworkWindowOff, xrefs: 00007FFDFB723896
, xrefs: 00007FFDFB72397D
Microsoft.Windows.PNI, xrefs: 00007FFDFB73186B

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: BlanketProxy$CloseCreateInstanceMessageOpenTraceWindow
String ID: $Microsoft.Windows.PNI$System\CurrentControlSet\Control\Network\NewNetworkWindowOff
API String ID: 2406210883-1576512596
Opcode ID: 6d9b4a5cbacce884a8fa6f9e097dc8c7c9a7078d0da5415f27ea3c680cbd6bba
Instruction ID: 02a427fd9b7c8e5ded3056258b6c89cc4d2c85c79f03f6dc6d5b897163a4eb15
Opcode Fuzzy Hash: 6d9b4a5cbacce884a8fa6f9e097dc8c7c9a7078d0da5415f27ea3c680cbd6bba
Instruction Fuzzy Hash: 5B913E22719B838AE7608B15E860AB977A1FB89B94F544231DE6D477F8DF3CD445CB00

Function 00007FFDFB74A78C Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 169COMMON

Download Yara Rule

APIs

WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFDFB74A892
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFDFB74A8E7
WindowsConcatString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFDFB74A8FF
WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFDFB74A917
WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFDFB74A948
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(00000000), ref: 00007FFDFB74A979
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFDFB74A993

Part of subcall function 00007FFDFB727FB0: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB727FC6

Strings

Software\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Network, xrefs: 00007FFDFB74A867
Software\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Network\DataMarketplace\PerSimSettings\, xrefs: 00007FFDFB74A8C8
PaidCell, xrefs: 00007FFDFB74A860
true, xrefs: 00007FFDFB74A815
DataMarketplaceRoamingUIEnabled, xrefs: 00007FFDFB74A958
false, xrefs: 00007FFDFB74A81C
SupportDataMarketplace, xrefs: 00007FFDFB74A927

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: StringWindows$Delete$Buffer$ConcatMessageTrace
String ID: DataMarketplaceRoamingUIEnabled$PaidCell$Software\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Network$Software\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Network\DataMarketplace\PerSimSettings\$SupportDataMarketplace$false$true
API String ID: 2440537485-1080471717
Opcode ID: 64b24da4fad30fc72fb76822c070deb7f757c2ebd8593ec75438a8781f801b36
Instruction ID: e3536ecb365cd9fe4482851bfb9f86a8d1917f72b90734961effdba962add14a
Opcode Fuzzy Hash: 64b24da4fad30fc72fb76822c070deb7f757c2ebd8593ec75438a8781f801b36
Instruction Fuzzy Hash: 7C813722B06B47C9FB008B65D860BAC3BA1BB48B49F554136DE2D576F8DF79D54AC300

Function 00007FFDFB72C220 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 191threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72C246
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFDFB72C25E
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72C294
DecodePointer.API-MS-WIN-CORE-UTIL-L1-1-0 ref: 00007FFDFB72C2FD
DecodePointer.API-MS-WIN-CORE-UTIL-L1-1-0 ref: 00007FFDFB72C357
SetWindowLongPtrW.USER32 ref: 00007FFDFB72C380

Strings

atlthunk.dll, xrefs: 00007FFDFB7362DC, 00007FFDFB73638C
AtlThunk_AllocateData, xrefs: 00007FFDFB73630B, 00007FFDFB7363BB
AtlThunk_InitData, xrefs: 00007FFDFB736329, 00007FFDFB7363D9
AtlThunk_DataToCode, xrefs: 00007FFDFB736347, 00007FFDFB7363F7
AtlThunk_FreeData, xrefs: 00007FFDFB736365, 00007FFDFB736415

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CriticalDecodePointerSection$CurrentEnterLeaveLongThreadWindow
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1214495839-1745123996
Opcode ID: c4c8c9ff23b15c1708d22aa408f8b0edcf83b9c25e543b03462ad14f1d2d0a50
Instruction ID: 3f9b3374a903c9000140ba9b77932fe075cab76ee78029721ee323102b5d8472
Opcode Fuzzy Hash: c4c8c9ff23b15c1708d22aa408f8b0edcf83b9c25e543b03462ad14f1d2d0a50
Instruction Fuzzy Hash: CC812525B0EB4386EB408B21E830AB976A1AF99B80F584436CD2D07BF9DF7CE545C641

Function 00007FFDFB754948 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 123COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FFDFB7549C5
SysFreeString.OLEAUT32 ref: 00007FFDFB7549D7
SysFreeString.OLEAUT32 ref: 00007FFDFB7549E9

Part of subcall function 00007FFDFB723A90: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB723ABE

SysStringLen.OLEAUT32 ref: 00007FFDFB754A4B
SysStringLen.OLEAUT32 ref: 00007FFDFB754A8A
SysStringLen.OLEAUT32 ref: 00007FFDFB754AC9
SysFreeString.OLEAUT32 ref: 00007FFDFB754B0E
SysFreeString.OLEAUT32 ref: 00007FFDFB754B20
SysFreeString.OLEAUT32 ref: 00007FFDFB754B32
SysFreeString.OLEAUT32 ref: 00007FFDFB754B42

Strings

DevId=, xrefs: 00007FFDFB754A65
IccId=, xrefs: 00007FFDFB754AA4
SubId=, xrefs: 00007FFDFB754AE3

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: String$Free$MessageTrace
String ID: DevId=$IccId=$SubId=
API String ID: 918860529-897509198
Opcode ID: 5b9ad9ea21663978923be6c7e4706af67a6b4ad0bd109c7922417113485646bf
Instruction ID: 85e85b96b7bb8bba585ad35c1789f8d57e64c2561c11a6fc2fb13c8e69570b0f
Opcode Fuzzy Hash: 5b9ad9ea21663978923be6c7e4706af67a6b4ad0bd109c7922417113485646bf
Instruction Fuzzy Hash: 24513B32719B8786EB009B12E464AB9BB62FB85B44F445132DA6E472FDDF3CE546C700

Function 00007FFDFB72B9A0 Relevance: 22.7, APIs: 15, Instructions: 200memorythreadtimeCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72BA31
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FFDFB72BA97
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FFDFB72BAAB
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FFDFB72BAC4
memcpy_s.MSVCRT ref: 00007FFDFB72BB0B
memcpy_s.MSVCRT ref: 00007FFDFB72BB6A
CreateThreadpoolTimer.API-MS-WIN-CORE-THREADPOOL-L1-2-0 ref: 00007FFDFB72BBA4
SetThreadpoolTimer.API-MS-WIN-CORE-THREADPOOL-L1-2-0 ref: 00007FFDFB72BBEF
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72BC09
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72BC47
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72BC9A
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FFDFB735F96
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FFDFB735FAA

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Heap$ExclusiveLock$Process$AcquireReleaseThreadpoolTimermemcpy_s$AllocCreateFree
String ID:
API String ID: 3213073285-0
Opcode ID: 0631b123a1a35fc98b8224a42f54526f0016696506916ad42b83974ff08c6314
Instruction ID: 8db6061bb15ba202a3ee6643ebfdfe36f5abbdc8e85c48446309f0391e85c093
Opcode Fuzzy Hash: 0631b123a1a35fc98b8224a42f54526f0016696506916ad42b83974ff08c6314
Instruction Fuzzy Hash: E0A11B39B1AB478AEB108B15F424A78B7A1FF49B91F585135CA6D027F9DFBCA4448700

Function 00007FFDFB7252A2 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 314COMMON

Download Yara Rule

APIs

IIDFromString.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB725345
ConvertInterfaceGuidToLuid.IPHLPAPI ref: 00007FFDFB72536B
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB725398
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB7253B1
VariantClear.OLEAUT32 ref: 00007FFDFB725422
VariantClear.OLEAUT32 ref: 00007FFDFB725437
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72548E
memcmp.MSVCRT ref: 00007FFDFB732B9D
memcmp.MSVCRT ref: 00007FFDFB732BF5
StringFromGUID2.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB732C31

Strings

false, xrefs: 00007FFDFB7253D8
true, xrefs: 00007FFDFB732CA5

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ClearFreeFromStringTaskVariantmemcmp$ConvertCriticalGuidInterfaceLeaveLuidSection
String ID: false$true
API String ID: 2354851987-2658103896
Opcode ID: 9dc3950a3993dce3fbb31cc03398bbf46d7f08feef031adc7fb5412d506a5d78
Instruction ID: 626c08251960b680ef8554c46809edc0dddf21bce6ae3b5ae6b635c67cd6eef3
Opcode Fuzzy Hash: 9dc3950a3993dce3fbb31cc03398bbf46d7f08feef031adc7fb5412d506a5d78
Instruction Fuzzy Hash: 41F15E22B0AB8785EB209B15E460BB9B761FB85B84F544032DE6E436F9DF7CE545CB00

Function 00007FFDFB7520F4 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 177COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFB7423A0: WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,00007FFDFB75213D), ref: 00007FFDFB7423BF

RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFDFB752158
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFDFB7521FA
CreateEventExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB752282
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB752297
new.LIBCMT ref: 00007FFDFB7522CE

Part of subcall function 00007FFDFB75243C: WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,00000000,00007FFDFB752185), ref: 00007FFDFB752457

CoWaitForMultipleHandles.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB752334
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FFDFB75234E
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFDFB752387

Strings

Windows.System.Launcher, xrefs: 00007FFDFB7521C5
Settings, xrefs: 00007FFDFB7520FE
ms-settings:network, xrefs: 00007FFDFB752175
Windows.Foundation.Uri, xrefs: 00007FFDFB75211E

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: StringWindows$ActivationCreateDeleteFactory$CloseErrorEventHandleHandlesLastMultipleReferenceWait
String ID: Settings$Windows.Foundation.Uri$Windows.System.Launcher$ms-settings:network
API String ID: 3412455853-787880240
Opcode ID: 36fb662b4b1bf84e8ad04ce9255d277bcff71425fff95c99945188113f36a6eb
Instruction ID: 6970f48ce3d6be0a40774f09e1bf44452b416766e5e08104fe5c262e4d06a670
Opcode Fuzzy Hash: 36fb662b4b1bf84e8ad04ce9255d277bcff71425fff95c99945188113f36a6eb
Instruction Fuzzy Hash: B991F636B16B479AEB009F61D860BEC7761EB88B88F854036DA1D57BB8DF39D605C340

Function 00007FFDFB760F04 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 130registryCOMMON

Download Yara Rule

APIs

GetPersistentRegPath.MOBILENETWORKING ref: 00007FFDFB760F5E
swprintf_s.MSVCRT ref: 00007FFDFB761088
swprintf_s.MSVCRT ref: 00007FFDFB7610B8
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB7610DE

Strings

%s%s\%s, xrefs: 00007FFDFB760FCF
\CellUX, xrefs: 00007FFDFB761098
%s%s, xrefs: 00007FFDFB761079, 00007FFDFB7610AC
\IMSISpecific\Default, xrefs: 00007FFDFB760FA7
\ICCIDSpecific, xrefs: 00007FFDFB760FBE
\DeviceSpecific, xrefs: 00007FFDFB761068
\IMSISpecific, xrefs: 00007FFDFB761039

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: swprintf_s$OpenPathPersistent
String ID: %s%s$%s%s\%s$\CellUX$\DeviceSpecific$\ICCIDSpecific$\IMSISpecific$\IMSISpecific\Default
API String ID: 3700984595-1352065061
Opcode ID: cdca07b66b72d20378de648f12a1f3515123c009a8dccd6a035e210b6845c8a1
Instruction ID: 7b38d1eb2f005e792bfdd0f2feea3564995d5fc9be5cb4240267628cb74a5013
Opcode Fuzzy Hash: cdca07b66b72d20378de648f12a1f3515123c009a8dccd6a035e210b6845c8a1
Instruction Fuzzy Hash: 13516F32B0AB8389EB108B11E8659B973A6FB48744F545132EA6D07BF8DF3DE545C740

Function 00007FFDFB7220E0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 106libraryCOMMON

Download Yara Rule

APIs

QueryActCtxW.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0 ref: 00007FFDFB722162
GetModuleHandleExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB72218F
GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB7221B6
CreateActCtxW.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0 ref: 00007FFDFB722210
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB722227
ActivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0 ref: 00007FFDFB722259
FindActCtxSectionStringW.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0 ref: 00007FFDFB72228E
LoadLibraryW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1 ref: 00007FFDFB7222A5
DeactivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0 ref: 00007FFDFB7222B9

Strings

Comctl32.dll, xrefs: 00007FFDFB72227F, 00007FFDFB72229E
p, xrefs: 00007FFDFB72226D

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Module$ActivateCreateDeactivateErrorFileFindHandleLastLibraryLoadNameQuerySectionString
String ID: Comctl32.dll$p
API String ID: 1565696348-195350848
Opcode ID: ba36897773c87fc2fce708b76ce7c34f5e1c37495266b4a8ab97895ec4626c2e
Instruction ID: f0fecb29b77a8cf7374f03b216a011149bf3d964f644b666b7ecb6b4853e68f1
Opcode Fuzzy Hash: ba36897773c87fc2fce708b76ce7c34f5e1c37495266b4a8ab97895ec4626c2e
Instruction Fuzzy Hash: 7751183270AB8786E7109B10E864B79B7A1FB89755F545235DAAE427F8DF7CE048CB00

Function 00007FFDFB739D58 Relevance: 16.7, APIs: 11, Instructions: 214threadtimeCOMMON

Download Yara Rule

APIs

DeleteCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB739D72
SetThreadpoolTimer.API-MS-WIN-CORE-THREADPOOL-L1-2-0 ref: 00007FFDFB741098
WaitForThreadpoolTimerCallbacks.API-MS-WIN-CORE-THREADPOOL-L1-2-0 ref: 00007FFDFB7410B1
CloseThreadpoolTimer.API-MS-WIN-CORE-THREADPOOL-L1-2-0 ref: 00007FFDFB7410C5
DeleteCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB7411B4
free.MSVCRT ref: 00007FFDFB7411CD
free.MSVCRT ref: 00007FFDFB741285
SetThreadpoolTimer.API-MS-WIN-CORE-THREADPOOL-L1-2-0 ref: 00007FFDFB7412C0
WaitForThreadpoolTimerCallbacks.API-MS-WIN-CORE-THREADPOOL-L1-2-0 ref: 00007FFDFB7412D9
CloseThreadpoolTimer.API-MS-WIN-CORE-THREADPOOL-L1-2-0 ref: 00007FFDFB7412ED
DeleteCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB741309

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ThreadpoolTimer$CriticalDeleteSection$CallbacksCloseWaitfree
String ID:
API String ID: 2113641861-0
Opcode ID: d1ed68181b4573e8d6168605bdf05adb06bf5be316c2a7f384e496a5e8dba9a9
Instruction ID: 563003d497994012058a63e9af53a9d5526e3eede4e2dab2ecfeef9be95b2885
Opcode Fuzzy Hash: d1ed68181b4573e8d6168605bdf05adb06bf5be316c2a7f384e496a5e8dba9a9
Instruction Fuzzy Hash: 4AA13932716B47DAEB089B65D460BB9B761FB86B91F445132CA2E437B8CF38E555C300

Function 00007FFDFB75FCD0 Relevance: 16.2, APIs: 7, Strings: 2, Instructions: 459COMMON

Download Yara Rule

APIs

StringFromIID.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB75FD64
SysFreeString.OLEAUT32 ref: 00007FFDFB75FE17
swprintf_s.MSVCRT ref: 00007FFDFB75FFC4
SysFreeString.OLEAUT32 ref: 00007FFDFB760125
SysFreeString.OLEAUT32 ref: 00007FFDFB7602FE

Part of subcall function 00007FFDFB727FB0: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB727FC6

CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB76041B
SysFreeString.OLEAUT32 ref: 00007FFDFB760431

Part of subcall function 00007FFDFB723A90: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB723ABE

Strings

FALSE, xrefs: 00007FFDFB7600A2
TRUE, xrefs: 00007FFDFB7600A9

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: FreeString$MessageTrace$FromTaskswprintf_s
String ID: FALSE$TRUE
API String ID: 770768536-1412513891
Opcode ID: c265ae50c10dbd0dcda428474d33681d1b2f3dd7e9f92087f235dff5e458fc09
Instruction ID: 0ba2c011bb889340324662349fd0b4d8557e1d5e542828a315b40980b27092de
Opcode Fuzzy Hash: c265ae50c10dbd0dcda428474d33681d1b2f3dd7e9f92087f235dff5e458fc09
Instruction Fuzzy Hash: 89229F31B1A7478AEB158B15E8B4AB97762FB80B48F140032DA2D076F9DFBCE546C740

Function 00007FFDFB72B4C0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 228COMMON

Download Yara Rule

APIs

InitOnceBeginInitialize.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FFDFB72B51F
EventRegister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FFDFB72B5B7
EventSetInformation.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FFDFB72B5D7
InitOnceComplete.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FFDFB72B613
memcpy_s.MSVCRT ref: 00007FFDFB72B690
EventWriteTransfer.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FFDFB72B87D

Strings

Other, xrefs: 00007FFDFB72B681
t, xrefs: 00007FFDFB72B82F

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Event$InitOnce$BeginCompleteInformationInitializeRegisterTransferWritememcpy_s
String ID: Other$t
API String ID: 1639103230-3956491833
Opcode ID: f8346db3e6e4f1cfad18338b6f0ab385301688041af79323cdd83b17bc048ac2
Instruction ID: 56f5c53b19fe03c284ece1de0c051474deddc46062f00d5d49dcce906428831b
Opcode Fuzzy Hash: f8346db3e6e4f1cfad18338b6f0ab385301688041af79323cdd83b17bc048ac2
Instruction Fuzzy Hash: D0C15E36A0AB82C6E7208B10F464BAAB7A5FB85744F545136DAAD43BF8DF7CD154CB00

Function 00007FFDFB729990 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 146registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB7299F0
RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB73514E
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB735189
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB735232
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB7352BA

Strings

Conditions, xrefs: 00007FFDFB7299E6
(, xrefs: 00007FFDFB73510D

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CloseOpen$Enum
String ID: ($Conditions
API String ID: 2405484398-186447155
Opcode ID: c2930f3d94a8139c0361de20dd76b585dbb557336e0739b5846d67a88e38bcfc
Instruction ID: 49f8d03d8f1e236de6a6321f7eb2bd965fcbf974e919882930caba7e846afc99
Opcode Fuzzy Hash: c2930f3d94a8139c0361de20dd76b585dbb557336e0739b5846d67a88e38bcfc
Instruction Fuzzy Hash: D5615F3270AB8286E7648F51F46076AB7A0FB88B94F144135DAAD57BF9DF3CD4458B00

Function 00007FFDFB74FB88 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 120windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32 ref: 00007FFDFB74FC1D

Part of subcall function 00007FFDFB727FB0: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB727FC6

Strings

CellularInternet, xrefs: 00007FFDFB74FCB2
Disconnected, xrefs: 00007FFDFB74FCDD
CellularRoamingInternet, xrefs: 00007FFDFB74FCF8
CellularSharedInternet, xrefs: 00007FFDFB74FCEF
Unknown, xrefs: 00007FFDFB74FCE6
WiredInternet, xrefs: 00007FFDFB74FCA9
AirplaneMode, xrefs: 00007FFDFB74FCD4
WiFiInternet, xrefs: 00007FFDFB74FCA0

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: IconMessageNotifyShell_Trace
String ID: AirplaneMode$CellularInternet$CellularRoamingInternet$CellularSharedInternet$Disconnected$Unknown$WiFiInternet$WiredInternet
API String ID: 2287991058-2713722250
Opcode ID: 9cc7f9d317cae937cc7a7eece96ee2cce7a592dc9a91efc6f3fe3462ed4f6c98
Instruction ID: f1fd3c44463c552fa1291ee0df2c32436d6ccc390ba8ca18c50eaa93009a7d10
Opcode Fuzzy Hash: 9cc7f9d317cae937cc7a7eece96ee2cce7a592dc9a91efc6f3fe3462ed4f6c98
Instruction Fuzzy Hash: 2E516B21B1E783C6FB648B04E4B0A7A72A1BB84785F605032DD2D4AAF9DF6DE645C700

Function 00007FFDFB72A990 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FFDFB72A874), ref: 00007FFDFB72A9A2
ReleaseSemaphore.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FFDFB72A874), ref: 00007FFDFB72A9DB
ReleaseSemaphore.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72A9FD
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB72AA11

Strings

wil, xrefs: 00007FFDFB735AAF, 00007FFDFB735AD2, 00007FFDFB735AF5, 00007FFDFB735B18, 00007FFDFB735B39

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ReleaseSemaphore$ErrorLastObjectSingleWait
String ID: wil
API String ID: 3433052774-1589926490
Opcode ID: 4e00157d9e6f1a707b1938aef4ab5b8cc29706705db3c26b164a65e2c90b34cf
Instruction ID: 462e4e45de55f5772720b782fba60f1eeb77e63c834c7efbcbff6163b4043095
Opcode Fuzzy Hash: 4e00157d9e6f1a707b1938aef4ab5b8cc29706705db3c26b164a65e2c90b34cf
Instruction Fuzzy Hash: 93415431B0E74386F7608B11E460ABAB671EF85740F689132D96E866FDDF3CD5858B01

Function 00007FFDFB74AAF4 Relevance: 15.2, APIs: 10, Instructions: 174windowCOMMON

Download Yara Rule

APIs

WinSqmEndSession.NTDLL ref: 00007FFDFB74AB3A
LoadMenuW.USER32 ref: 00007FFDFB74AB80
GetSubMenu.USER32 ref: 00007FFDFB74ABEA
DestroyMenu.USER32 ref: 00007FFDFB74AD77

Part of subcall function 00007FFDFB74C320: memset.MSVCRT ref: 00007FFDFB74C345
Part of subcall function 00007FFDFB74C320: GetMenuItemCount.USER32 ref: 00007FFDFB74C35C
Part of subcall function 00007FFDFB74C320: GetMenuItemInfoW.USER32 ref: 00007FFDFB74C387
Part of subcall function 00007FFDFB74C320: DeleteMenu.USER32 ref: 00007FFDFB74C3B1
Part of subcall function 00007FFDFB74C320: GetMenuItemCount.USER32 ref: 00007FFDFB74C3E0
Part of subcall function 00007FFDFB74C320: DeleteMenu.USER32 ref: 00007FFDFB74C3FB

SetForegroundWindow.USER32 ref: 00007FFDFB74AC0B
GetSubMenu.USER32 ref: 00007FFDFB74AC1C
TrackPopupMenu.USER32 ref: 00007FFDFB74ACBF
WinSqmEndSession.NTDLL ref: 00007FFDFB74ACE2
std::exception_ptr::_Current_exception.LIBCONCRT ref: 00007FFDFB74AD1F

Part of subcall function 00007FFDFB74BB20: WinSqmEndSession.NTDLL ref: 00007FFDFB74BB40
Part of subcall function 00007FFDFB74BB20: QueueUserWorkItem.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0 ref: 00007FFDFB74BB84
Part of subcall function 00007FFDFB74BB20: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB74BBAD

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB74ABB5

Part of subcall function 00007FFDFB74EC20: EventWriteTransfer.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FFDFB74EC66

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Menu$Item$Session$CountDeleteErrorLast$Current_exceptionDestroyEventForegroundInfoLoadPopupQueueTrackTransferUserWindowWorkWritememsetstd::exception_ptr::_
String ID:
API String ID: 1589568937-0
Opcode ID: 00b3b37297cace69da4217301fdc5df649a6e40a5e4ad6f8bcdd5e931e0e3ac3
Instruction ID: 7951c2e13442682d0f8e47ccc95b90d9b369ed63b4415e19442c7d834a50a87e
Opcode Fuzzy Hash: 00b3b37297cace69da4217301fdc5df649a6e40a5e4ad6f8bcdd5e931e0e3ac3
Instruction Fuzzy Hash: 55813821B0AB43C9EB148B25E864BB97BA1FB89B85F544535C96E027F9DF3CE605C700

Function 00007FFDFB721E90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

ActivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0 ref: 00007FFDFB721F06
CreateWindowExW.USER32 ref: 00007FFDFB721F83
DeactivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0 ref: 00007FFDFB721FBD
OutputDebugStringA.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FFDFB731373
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB731391

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 00007FFDFB73136C

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ActivateCreateDeactivateDebugErrorLastOutputStringWindow
String ID: IsolationAware function called after IsolationAwareCleanup
API String ID: 237755043-2690750368
Opcode ID: 3eaf42f3b8dffa805c6e2c2ed62d7ed1a89fdbcc483a9452e87a93345d178e00
Instruction ID: 48fc0137cb15292885f645069611095a688a13fde1d53a1f19762111b216f89c
Opcode Fuzzy Hash: 3eaf42f3b8dffa805c6e2c2ed62d7ed1a89fdbcc483a9452e87a93345d178e00
Instruction Fuzzy Hash: CD510D31B0A7838AE7608B15E860A7977A5FB58791F245135DD6D83FB8DF7CE8818B00

Function 00007FFDFB722000 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

ActivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(?,?,?,?,?,00007FFDFB7216FA), ref: 00007FFDFB72205F
RegisterClassExW.USER32 ref: 00007FFDFB72207B
DeactivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(?,?,?,?,?,00007FFDFB7216FA), ref: 00007FFDFB7220B2
OutputDebugStringA.API-MS-WIN-CORE-DEBUG-L1-1-0(?,?,?,?,?,00007FFDFB7216FA), ref: 00007FFDFB73140B
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00007FFDFB7216FA), ref: 00007FFDFB731428

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 00007FFDFB731404

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ActivateClassDeactivateDebugErrorLastOutputRegisterString
String ID: IsolationAware function called after IsolationAwareCleanup
API String ID: 4001279259-2690750368
Opcode ID: 97d429d92a168d73ce5815e05533f6846979be99e95e355641da412381cbd5d1
Instruction ID: 1f9e49b2bfcea4ae61f59987c343ea7b027d2f42c1373888a8dcd3946a5a30c5
Opcode Fuzzy Hash: 97d429d92a168d73ce5815e05533f6846979be99e95e355641da412381cbd5d1
Instruction Fuzzy Hash: 28413731B0E74386F7645F10A460A39B7A1EF99B41F688135DD2E466FCDE7CE8818A00

Function 00007FFDFB72A560 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 163synchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFDFB72A5AC

Part of subcall function 00007FFDFB72AAD0: _vsnwprintf.MSVCRT ref: 00007FFDFB72AB0E

CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72A5EE
WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72A616

Part of subcall function 00007FFDFB72D3AC: ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72D3B0

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72A6B7
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72A6DB

Strings

wil, xrefs: 00007FFDFB735921, 00007FFDFB73593D, 00007FFDFB735959, 00007FFDFB7359A6
Local\SM0:%d:%d:%hs, xrefs: 00007FFDFB72A5BD

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ExclusiveLockMutexRelease$AcquireCreateCurrentObjectProcessSingleWait_vsnwprintf
String ID: Local\SM0:%d:%d:%hs$wil
API String ID: 824798051-2303653343
Opcode ID: d3d08922e8546558d5d0967c799a4a7245c54e4f65bb916909a01b674b505986
Instruction ID: f91f98ff02096572e97483c0d42d838cbd3c60c679ae89d733cfb95516777bcd
Opcode Fuzzy Hash: d3d08922e8546558d5d0967c799a4a7245c54e4f65bb916909a01b674b505986
Instruction Fuzzy Hash: 74617D25B0AB8385EB509B21E160AB977A1FB84B94F541132DD6E43BFDDF3CE4428B40

Function 00007FFDFB7215D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB721613
LoadCursorW.USER32 ref: 00007FFDFB72164B
swprintf_s.MSVCRT ref: 00007FFDFB72168C
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB721787
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB731094

Strings

P, xrefs: 00007FFDFB731063
ATL:%p, xrefs: 00007FFDFB721680

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$CursorEnterLoadswprintf_s
String ID: ATL:%p$P
API String ID: 1089554133-2635742592
Opcode ID: 9c970a8f284bb42224f97400bb3f4bd93f0491cbdc31753eaaeff703433b7704
Instruction ID: 21ca26c9e45f0cdd5cfe9f059edd611f281662dcae5af03c02b091de57c210de
Opcode Fuzzy Hash: 9c970a8f284bb42224f97400bb3f4bd93f0491cbdc31753eaaeff703433b7704
Instruction Fuzzy Hash: 19714036A09B8382E7118F24E420AB973A1FF98B88F149135CE5D477B9DF38E585CB00

Function 00007FFDFB74C488 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 118timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32 ref: 00007FFDFB74C632

Part of subcall function 00007FFDFB727FB0: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB727FC6

Part of subcall function 00007FFDFB7520F4: RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFDFB752158
Part of subcall function 00007FFDFB7520F4: RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFDFB7521FA
Part of subcall function 00007FFDFB7520F4: CreateEventExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB752282

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Network, xrefs: 00007FFDFB74C54D
VAN, xrefs: 00007FFDFB74C59E
Settings, xrefs: 00007FFDFB74C5D9
VANFromPCSettings, xrefs: 00007FFDFB74C538
Mini flyout, xrefs: 00007FFDFB74C5CB
ReplaceVan, xrefs: 00007FFDFB74C546

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ActivationFactory$CreateEventMessageTimerTrace
String ID: Mini flyout$ReplaceVan$SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Network$Settings$VAN$VANFromPCSettings
API String ID: 4204754865-3100409106
Opcode ID: 02dff65031c2eb9ea17d3138017a4dce361186ee6b41a2e04fecf94989fb6f37
Instruction ID: 213fd8691c44b4d6bf8fdcd4ecad7a9f3a22aad6e7da9c5cb725c781dd6dca04
Opcode Fuzzy Hash: 02dff65031c2eb9ea17d3138017a4dce361186ee6b41a2e04fecf94989fb6f37
Instruction Fuzzy Hash: 12518C22B0AB87C9E750DB24E460AB97BA1FB84748F544032D96E42AFDDF7CE645C710

Function 00007FFDFB75EFD0 Relevance: 12.1, APIs: 8, Instructions: 73COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDFB741CFF), ref: 00007FFDFB75F008
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDFB741CFF), ref: 00007FFDFB75F0D0

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 0783afafc30a88d4f4c835b59bd0510c0e9e41fef92d9b60cceca4b9b8ec0528
Instruction ID: 5d917347da759352ec45ee007f6059fb664c32cd89a271b66bc62f1eaefb3b64
Opcode Fuzzy Hash: 0783afafc30a88d4f4c835b59bd0510c0e9e41fef92d9b60cceca4b9b8ec0528
Instruction Fuzzy Hash: 44311B36649B828AD7209F15B4204BABB61FB8AB51B484235CAAE077B4CF3CE0418750

Function 00007FFDFB75E814 Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00000000,00000001,00007FFDFB75E6C6,00000000,?,00000000,?,?,00007FFDFB74945F), ref: 00007FFDFB75E825
OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00000000,00000001,00007FFDFB75E6C6,00000000,?,00000000,?,?,00007FFDFB74945F), ref: 00007FFDFB75E83D
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FFDFB75E8B1
GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FFDFB75E88D

Part of subcall function 00007FFDFB75E5D0: DuplicateToken.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FFDFB75E5F8
Part of subcall function 00007FFDFB75E5D0: CreateWellKnownSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FFDFB75E61F
Part of subcall function 00007FFDFB75E5D0: CheckTokenMembership.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FFDFB75E637
Part of subcall function 00007FFDFB75E5D0: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FFDFB75E641

CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,00000000,00000001,00007FFDFB75E6C6,00000000,?,00000000,?,?,00007FFDFB74945F), ref: 00007FFDFB75E8CA
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00000000,00000001,00007FFDFB75E6C6,00000000,?,00000000,?,?,00007FFDFB74945F), ref: 00007FFDFB75E8D8
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00000000,00000001,00007FFDFB75E6C6,00000000,?,00000000,?,?,00007FFDFB74945F), ref: 00007FFDFB75E8E8

Part of subcall function 00007FFDFB75E76C: NtQueryInformationToken.NTDLL ref: 00007FFDFB75E7A8
Part of subcall function 00007FFDFB75E76C: NtQueryInformationToken.NTDLL ref: 00007FFDFB75E7E5

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00000000,00000001,00007FFDFB75E6C6,00000000,?,00000000,?,?,00007FFDFB74945F), ref: 00007FFDFB75E8F8

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Token$CloseErrorHandleInformationLast$ProcessQuery$CheckCreateCurrentDuplicateKnownMembershipOpenWell
String ID:
API String ID: 802450623-0
Opcode ID: f01f614649a3ca8937e445d34cf436255a8a61d074effba9fbab5fda97014279
Instruction ID: d7620e8c63b7492a3d86bd27b71621818553dde5167c78beed6212457c63fabc
Opcode Fuzzy Hash: f01f614649a3ca8937e445d34cf436255a8a61d074effba9fbab5fda97014279
Instruction Fuzzy Hash: CC313A32B06B83CFE7505F60D920AB8BBA1FB49B59F459131DA1E466B8DF38E4468740

Function 00007FFDFB760608 Relevance: 10.8, APIs: 7, Instructions: 278memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FFDFB7606B5
SysStringLen.OLEAUT32 ref: 00007FFDFB76083B
SysAllocString.OLEAUT32 ref: 00007FFDFB76084F
SysFreeString.OLEAUT32 ref: 00007FFDFB760862
SysFreeString.OLEAUT32 ref: 00007FFDFB760872
SysFreeString.OLEAUT32 ref: 00007FFDFB760963
SysStringLen.OLEAUT32 ref: 00007FFDFB76091C

Part of subcall function 00007FFDFB727FB0: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB727FC6

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: String$Free$AllocMessageTrace
String ID:
API String ID: 3845034887-0
Opcode ID: a546f892ca784f6930762a52ea3dce751a38565891ce681be53418e88c06c06a
Instruction ID: c8adcc0c9ce1f3d6a3079ee56eabc76f61207eb60442f4b7b363d3774ef41fb9
Opcode Fuzzy Hash: a546f892ca784f6930762a52ea3dce751a38565891ce681be53418e88c06c06a
Instruction Fuzzy Hash: 12D12E26B1AB0789FB048B65D4A4A793762FB84B58F244032CE2E577F9CF7CE8558740

Function 00007FFDFB74B6E4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 185comCOMMON

Download Yara Rule

APIs

CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB74B75F
StringFromIID.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB74B784
new.LIBCMT ref: 00007FFDFB74B7CA
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB74B918

Part of subcall function 00007FFDFB727FB0: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB727FC6

Strings

false, xrefs: 00007FFDFB74B84C
true, xrefs: 00007FFDFB74B845

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CreateFreeFromInstanceMessageStringTaskTrace
String ID: false$true
API String ID: 3902204450-2658103896
Opcode ID: c4ab3e09b0aa2fe0e525a163f9028a69491d2c89a82a1a73193614c9848ba4af
Instruction ID: 5a92d62f5c8a4436cc987a0db6b66ca04c21b7c60c5a45b718ee24128085fcb6
Opcode Fuzzy Hash: c4ab3e09b0aa2fe0e525a163f9028a69491d2c89a82a1a73193614c9848ba4af
Instruction Fuzzy Hash: 39813625B0AB47C5EB449B26D860BB936A1BB48B88F144031DE2E577F9DF3CE946C340

Function 00007FFDFB72A1B0 Relevance: 10.6, APIs: 7, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FFDFB72A232
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FFDFB72A246
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FFDFB72A25E
memcpy_s.MSVCRT ref: 00007FFDFB72A2A4
memcpy_s.MSVCRT ref: 00007FFDFB72A2FF

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Heap$Processmemcpy_s$Alloc
String ID:
API String ID: 1246213345-0
Opcode ID: 41d972ee57f84275b01db586cefed64bdb125001a10459de69419efa13cff0b7
Instruction ID: 3fb26448910e256d3cdbe48e9595ce1e0db2d62499ace18a8aa9c133ab51882c
Opcode Fuzzy Hash: 41d972ee57f84275b01db586cefed64bdb125001a10459de69419efa13cff0b7
Instruction Fuzzy Hash: 0F518932719B868BDB108F56F414569B7A5FB49B90B088235CEAE03BB8DF3CE144C700

Function 00007FFDFB72AEB0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32 ref: 00007FFDFB72AF5C
GetWindowLongPtrW.USER32 ref: 00007FFDFB735B6F
CallWindowProcW.USER32 ref: 00007FFDFB735B94
GetWindowLongPtrW.USER32 ref: 00007FFDFB735BBE
SetWindowLongPtrW.USER32 ref: 00007FFDFB735BDC

Strings

8, xrefs: 00007FFDFB72AED3

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: 8
API String ID: 513923721-4194326291
Opcode ID: 3b34e0573ef0aa2c992f965ff573e0c3f8babd2eeb09b1203b405283773aa905
Instruction ID: 35d5deb061d62a740f86bfd8e09984308976b56376367479fed6728a96ffe801
Opcode Fuzzy Hash: 3b34e0573ef0aa2c992f965ff573e0c3f8babd2eeb09b1203b405283773aa905
Instruction Fuzzy Hash: 4B414732709B418AD7508F26E45466D77A5F789F94F198235DEAD437B8CF39C881C740

Function 00007FFDFB7236B0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

IIDFromString.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB723736
ConvertInterfaceGuidToLuid.IPHLPAPI ref: 00007FFDFB723759
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB723786
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB72379F

Strings

false, xrefs: 00007FFDFB7237C9
true, xrefs: 00007FFDFB7237FF

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: FreeTask$ConvertFromGuidInterfaceLuidString
String ID: false$true
API String ID: 542903992-2658103896
Opcode ID: 8eaf8cb2c82e1acf46f987def9619f45da385c79af0f27c2fd8d629973044522
Instruction ID: bba4d329417650eaa8a302115433b2c68d5c5b4d439a9ff315a3b1fe91f2c47c
Opcode Fuzzy Hash: 8eaf8cb2c82e1acf46f987def9619f45da385c79af0f27c2fd8d629973044522
Instruction Fuzzy Hash: 27414F62B09B478AEB508B15E4A0AB97771FB84B95F515032EE6E427F8DF3CE445CB00

Function 00007FFDFB74BD38 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FFDFB74BD88
VariantInit.OLEAUT32 ref: 00007FFDFB74BDC2
VariantInit.OLEAUT32 ref: 00007FFDFB74BE01

Strings

NA_CategorySetByPolicy, xrefs: 00007FFDFB74BDD9
NA_DomainAuthenticationFailed, xrefs: 00007FFDFB74BD9F
NA_CategoryReadOnly, xrefs: 00007FFDFB74BE18

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: InitVariant
String ID: NA_CategoryReadOnly$NA_CategorySetByPolicy$NA_DomainAuthenticationFailed
API String ID: 1927566239-2229626304
Opcode ID: 0b67cf7f1b37044d2d6de5ae881c26726e6249c0c7b7a80069f20b5273bb5b6b
Instruction ID: 2336a5fffb64541b6f5fe84579c1f52e4b21a46d524ec2c5fa37522317069374
Opcode Fuzzy Hash: 0b67cf7f1b37044d2d6de5ae881c26726e6249c0c7b7a80069f20b5273bb5b6b
Instruction Fuzzy Hash: 32310A36B05B47CAEB108F26E8609A87771FB98B89F404432CA2D537B8DF78D945C340

Function 00007FFDFB764BB8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFB765248: memset.MSVCRT ref: 00007FFDFB765280
Part of subcall function 00007FFDFB765248: GetMenuItemInfoW.USER32 ref: 00007FFDFB76529F
Part of subcall function 00007FFDFB765248: memset.MSVCRT ref: 00007FFDFB7652CB
Part of subcall function 00007FFDFB765248: SetMenuItemInfoW.USER32 ref: 00007FFDFB765341

GetMenuInfo.USER32 ref: 00007FFDFB764BFA
DeleteObject.GDI32 ref: 00007FFDFB764C13
SetMenuInfo.USER32 ref: 00007FFDFB764C2B
_cwprintf_s_l.LIBCMT ref: 00007FFDFB764C55
RemovePropW.USER32 ref: 00007FFDFB764C65

Strings

ImmersiveContextMenuArray_%lu, xrefs: 00007FFDFB764C3C

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: InfoMenu$Itemmemset$DeleteObjectPropRemove_cwprintf_s_l
String ID: ImmersiveContextMenuArray_%lu
API String ID: 3140472605-919551790
Opcode ID: b44de8083e2febeb610fc45a5d00fd84892758f30fd04d6fcc1de4356da3e0b2
Instruction ID: b3ce532db3ec6cc46d1438d61c46f2e670e7f9114356cee1abd2954d72ec101d
Opcode Fuzzy Hash: b44de8083e2febeb610fc45a5d00fd84892758f30fd04d6fcc1de4356da3e0b2
Instruction Fuzzy Hash: 26219A32F11B42CAF700CB61D8517BC7B71FB89B88F685225DE1956AA9DF38D144C740

Function 00007FFDFB750FC4 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 47libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,00007FFDFB75137D), ref: 00007FFDFB750FFA

Strings

atlthunk.dll, xrefs: 00007FFDFB750FED
AtlThunk_AllocateData, xrefs: 00007FFDFB751018
AtlThunk_InitData, xrefs: 00007FFDFB751032
AtlThunk_DataToCode, xrefs: 00007FFDFB75104C
AtlThunk_FreeData, xrefs: 00007FFDFB751066

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1029625771-1745123996
Opcode ID: a8a93f02d1c6dc782b1c7d9841afbf4e5819059e68b5bb117c4d741fc25dd54f
Instruction ID: 1500e3294cbb12d9917003168f75789a989f43b112623f1d062158bc54abc7bb
Opcode Fuzzy Hash: a8a93f02d1c6dc782b1c7d9841afbf4e5819059e68b5bb117c4d741fc25dd54f
Instruction Fuzzy Hash: D4111964B0E78395FB559B24E871EF433A1EF89781F480036C82D167FDDE6CA58AC660

Function 00007FFDFB750EF0 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 47libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,00000000,00007FFDFB7512EF,?,?,?,00007FFDFB7362B4), ref: 00007FFDFB750F26

Strings

atlthunk.dll, xrefs: 00007FFDFB750F19
AtlThunk_AllocateData, xrefs: 00007FFDFB750F44
AtlThunk_InitData, xrefs: 00007FFDFB750F5E
AtlThunk_DataToCode, xrefs: 00007FFDFB750F78
AtlThunk_FreeData, xrefs: 00007FFDFB750F92

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1029625771-1745123996
Opcode ID: 53f2d91eea63721ee29455f35d7873539e5cd10809de166bf15be53965277277
Instruction ID: a3b8e769ab67e228f3563b7b9bc9ccd5ac232c6117ccc8b9939256e8831be8ed
Opcode Fuzzy Hash: 53f2d91eea63721ee29455f35d7873539e5cd10809de166bf15be53965277277
Instruction Fuzzy Hash: 7A110764B0A74785FB559B64E871EF473A1AF89741F540036C82D063FDDE6CB98ACA40

Function 00007FFDFB7647C8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

OpenThemeData.UXTHEME ref: 00007FFDFB76480C
GetParent.USER32 ref: 00007FFDFB764827
OpenThemeData.UXTHEME ref: 00007FFDFB764839

Strings

LightMode_ImmersiveStart::Menu, xrefs: 00007FFDFB7647ED
ImmersiveStart::Menu, xrefs: 00007FFDFB7647E3
DarkMode_ImmersiveStart::Menu, xrefs: 00007FFDFB7647F4

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: DataOpenTheme$Parent
String ID: DarkMode_ImmersiveStart::Menu$ImmersiveStart::Menu$LightMode_ImmersiveStart::Menu
API String ID: 3273629984-1060545678
Opcode ID: 26217d3996aec12530f7d4caad1fa9f8689139d8517793d06c188339b0768d2f
Instruction ID: b931d3f4753d17d58da91aae736bc48910ad053d3364c5bbcfb1f983d0833da6
Opcode Fuzzy Hash: 26217d3996aec12530f7d4caad1fa9f8689139d8517793d06c188339b0768d2f
Instruction Fuzzy Hash: B8015E21B0AB878AEB408B01B550679BB62FB49BD4B989031DA5E0777DDF3CD045C700

Function 00007FFDFB7537F8 Relevance: 10.0, APIs: 8, Instructions: 43COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FFDFB753827
free.MSVCRT ref: 00007FFDFB753830
free.MSVCRT ref: 00007FFDFB753841
free.MSVCRT ref: 00007FFDFB753857
free.MSVCRT ref: 00007FFDFB753863
free.MSVCRT ref: 00007FFDFB75386F
free.MSVCRT ref: 00007FFDFB75387B
free.MSVCRT ref: 00007FFDFB753887

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 5a02711997de77c2568891e0e70322f4371beb877e408482481c23fb00cbe0cf
Instruction ID: 37b087fbbc1c65c7d37ee852c1d79152b6ed51f6c7b35cacb5b654bf35790d9b
Opcode Fuzzy Hash: 5a02711997de77c2568891e0e70322f4371beb877e408482481c23fb00cbe0cf
Instruction Fuzzy Hash: EE213A23B19BC286E740AE21E0747AD7360FB84B88F144131DE5D1A2BEDF38E4418720

Function 00007FFDFB754118 Relevance: 9.2, APIs: 6, Instructions: 187COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00007FFDFB7541A5
wcschr.MSVCRT ref: 00007FFDFB7541BC
SysFreeString.OLEAUT32 ref: 00007FFDFB754240
SysFreeString.OLEAUT32 ref: 00007FFDFB7543BA
SysFreeString.OLEAUT32 ref: 00007FFDFB7543CA

Part of subcall function 00007FFDFB723640: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB723691

SysFreeString.OLEAUT32 ref: 00007FFDFB7543E8

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: FreeString$wcschr$MessageTrace
String ID:
API String ID: 3085190638-0
Opcode ID: b7ec97e6742f8905b18743098584eb55535c671f7ddc38c2bb9d2adec48f468e
Instruction ID: c01c0212f3718d5430b720d6a2dfbbc5280960adc44d154e9d9c688ad33534ad
Opcode Fuzzy Hash: b7ec97e6742f8905b18743098584eb55535c671f7ddc38c2bb9d2adec48f468e
Instruction Fuzzy Hash: 8C818A31B0A74781EB109B06E464ABA77A1FB84B94F640132DA2E172FDDE3CE587C740

Function 00007FFDFB7240D0 Relevance: 9.2, APIs: 6, Instructions: 172COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB724199
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB724205

Part of subcall function 00007FFDFB727FB0: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB727FC6

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeaveMessageTrace
String ID:
API String ID: 2067524592-0
Opcode ID: ddcd3475e6082288d2d65618228b710db9f1532863d06d0aebe0e8d38b4ea4a3
Instruction ID: 4b407b13ac6cbc51d4035e45bc67d9655b07766a5da7fd8fad47c287b2833b49
Opcode Fuzzy Hash: ddcd3475e6082288d2d65618228b710db9f1532863d06d0aebe0e8d38b4ea4a3
Instruction Fuzzy Hash: 74812E21B0A7878AEB508B26E470AB837A1FB45B44F544032DE6D477F9DE3DE546CB40

Function 00007FFDFB72DC2C Relevance: 9.1, APIs: 6, Instructions: 139sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,00007FFDFB72E07C), ref: 00007FFDFB72DC87
_amsg_exit.MSVCRT(?,?,?,00007FFDFB72E07C), ref: 00007FFDFB72DCB2
free.MSVCRT ref: 00007FFDFB72DD18
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,00007FFDFB72E07C), ref: 00007FFDFB72DD6B
_amsg_exit.MSVCRT(?,?,?,00007FFDFB72E07C), ref: 00007FFDFB72DD94
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FFDFB72DE18

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Sleep_amsg_exit$CurrentImageNonwritablefree
String ID:
API String ID: 1386524500-0
Opcode ID: 82451929dc042798650e81a981a699dc30068bce45fc73eea81288e1501549db
Instruction ID: 16e6881c335936e991ac71a9350e2d5a4b94f5d212ee3b3eb994f2ff07b617bb
Opcode Fuzzy Hash: 82451929dc042798650e81a981a699dc30068bce45fc73eea81288e1501549db
Instruction Fuzzy Hash: 4F51F624B0EB1789FB60AB15E874A7572A1EF54B80F544436DD2E867FCDEBCA8418B10

Function 00007FFDFB74C320 Relevance: 9.1, APIs: 6, Instructions: 76windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFDFB74C345
GetMenuItemCount.USER32 ref: 00007FFDFB74C35C
GetMenuItemInfoW.USER32 ref: 00007FFDFB74C387
DeleteMenu.USER32 ref: 00007FFDFB74C3B1
GetMenuItemCount.USER32 ref: 00007FFDFB74C3E0
DeleteMenu.USER32 ref: 00007FFDFB74C3FB

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Menu$Item$CountDelete$Infomemset
String ID:
API String ID: 453130535-0
Opcode ID: 3ec2c1b1d0e6b205989c9a8fabfcc61fea11af6ab804a5bc1aea8a82f05182a1
Instruction ID: c6f16f735237b642cd1e11429133d4438aed8055c684fc3863bf795259460252
Opcode Fuzzy Hash: 3ec2c1b1d0e6b205989c9a8fabfcc61fea11af6ab804a5bc1aea8a82f05182a1
Instruction Fuzzy Hash: 0D317532B09703CAE7105F259024A79BA91FB89B85F558036CE6E837B9DF3DE6458740

Function 00007FFDFB753F48 Relevance: 9.1, APIs: 6, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00007FFDFB753F8B
SysAllocStringLen.OLEAUT32 ref: 00007FFDFB753FA9
SysStringLen.OLEAUT32 ref: 00007FFDFB753FC4
memcpy_s.MSVCRT ref: 00007FFDFB753FE6
memcpy_s.MSVCRT ref: 00007FFDFB754009
SysFreeString.OLEAUT32 ref: 00007FFDFB754027

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: String$memcpy_s$AllocFree
String ID:
API String ID: 3865269606-0
Opcode ID: a778cd19d889262c72299c7bfbf1e26be05d1cc18587996bba803b2a9692fb92
Instruction ID: 1efc8cbc553a4a2a8d57f0914bb0816f5ae5c9d3836c556846f0d05e24e855ab
Opcode Fuzzy Hash: a778cd19d889262c72299c7bfbf1e26be05d1cc18587996bba803b2a9692fb92
Instruction Fuzzy Hash: 0D216F32706B428ADB148B62E42497DBAA1FF89FC1B198536CE5E477B8DF3CD4458300

Function 00007FFDFB72E8F4 Relevance: 9.0, APIs: 6, Instructions: 49timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FFDFB72E924
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFDFB72E932
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFDFB72E93E
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FFDFB72E94A
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FFDFB72E95A
QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0 ref: 00007FFDFB72E975

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: ca60ca20652e5b512e5bdda7c1a0a2ce4356c8090f7c3ee2038baed05bdc6859
Instruction ID: ad822690c15786897dd18d4d0356dd6379cf5724a1a7f7a9a46e6d1dc0daf2cb
Opcode Fuzzy Hash: ca60ca20652e5b512e5bdda7c1a0a2ce4356c8090f7c3ee2038baed05bdc6859
Instruction Fuzzy Hash: 4D111F36706B428AEB00DF71E86556833A4FB49758F400A36EAAD477B8DF7CD5A58340

Function 00007FFDFB72A730 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72A847

Part of subcall function 00007FFDFB72A990: WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FFDFB72A874), ref: 00007FFDFB72A9A2
Part of subcall function 00007FFDFB72A990: ReleaseSemaphore.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FFDFB72A874), ref: 00007FFDFB72A9DB
Part of subcall function 00007FFDFB72A990: ReleaseSemaphore.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72A9FD
Part of subcall function 00007FFDFB72A990: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB72AA11

OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72A8EE
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB735A00

Strings

wil, xrefs: 00007FFDFB735A1D, 00007FFDFB735A3D, 00007FFDFB735A69, 00007FFDFB735A86
_p0, xrefs: 00007FFDFB72A7EC

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Semaphore$ErrorLastOpenRelease$ObjectSingleWait
String ID: _p0$wil
API String ID: 708575728-1814513734
Opcode ID: b3bd5fa20e281f3322f12856fe23a30e9c4c88bd7c312ab4641c718e2038985d
Instruction ID: 1607561980ece37b6e4194515abfef73fada8cc40dfa91d53368e09e44a7274a
Opcode Fuzzy Hash: b3bd5fa20e281f3322f12856fe23a30e9c4c88bd7c312ab4641c718e2038985d
Instruction Fuzzy Hash: 1B718D61B1E78386EB618B619034AB973A1FF84B40F544132DE6E17BF9EE3CE5458B00

Function 00007FFDFB745344 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 139COMMON

Download Yara Rule

Strings

Mouse, xrefs: 00007FFDFB745537
Keyboard, xrefs: 00007FFDFB7454A1

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID:
String ID: Keyboard$Mouse
API String ID: 0-3006158303
Opcode ID: d4e1811c8edbab2b6fb35fb20db9463ced812283e08e50415f522fa51c8cd959
Instruction ID: b8b50772b710d915baaff209213926c611c68dff227f8e74e66f35bf93431924
Opcode Fuzzy Hash: d4e1811c8edbab2b6fb35fb20db9463ced812283e08e50415f522fa51c8cd959
Instruction Fuzzy Hash: 10516B21B0E787C5EB148B18D060AB87792FB85B4AF544432DA6E476FCDE7CE606C750

Function 00007FFDFB764864 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFDFB76489F
GetMenuItemInfoW.USER32 ref: 00007FFDFB7648C4
SetMessageExtraInfo.USER32 ref: 00007FFDFB764982
SetMessageExtraInfo.USER32 ref: 00007FFDFB7649D6

Strings

P, xrefs: 00007FFDFB7648A9

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Info$ExtraMessage$ItemMenumemset
String ID: P
API String ID: 842442315-3110715001
Opcode ID: 4d0e004271c1fb0424095dfd3d5481a7442c97678e057b6429daa1344b809c28
Instruction ID: 3c5940ee10a994e7241b498345be1caa78f262e9bc7ad859ec89c78ea5ad73fb
Opcode Fuzzy Hash: 4d0e004271c1fb0424095dfd3d5481a7442c97678e057b6429daa1344b809c28
Instruction Fuzzy Hash: 2441A122B1A7438AFB658A1394A4B7A76A2FF84B84F545035DE6D037F8DF3DE8058700

Function 00007FFDFB749824 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

RtlUnsubscribeWnfNotificationWaitForCompletion.NTDLL ref: 00007FFDFB7498BD
RtlUnsubscribeWnfNotificationWaitForCompletion.NTDLL ref: 00007FFDFB7498DD
UnregisterPowerSettingNotification.USER32 ref: 00007FFDFB749916
UnregisterPowerSettingNotification.USER32 ref: 00007FFDFB749936

Strings

Shutdown, xrefs: 00007FFDFB749842

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Notification$CompletionPowerSettingUnregisterUnsubscribeWait
String ID: Shutdown
API String ID: 2257264734-1825881236
Opcode ID: 8dcaf777d5d265dcd42d25c70f5cc6ad0115e4986f8c2e6d28e5be055e4d3fa6
Instruction ID: 84bcafc64cf624618a2b1b4d17a24aea43d48b6fe53c5e2728e0d470b09fa2e5
Opcode Fuzzy Hash: 8dcaf777d5d265dcd42d25c70f5cc6ad0115e4986f8c2e6d28e5be055e4d3fa6
Instruction Fuzzy Hash: EB31D726B1BB83C9EB05AB61D475BB87760FF85B46F484131C92E0A6FACF7CA1448350

Function 00007FFDFB764A0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFB7647C8: OpenThemeData.UXTHEME ref: 00007FFDFB76480C
Part of subcall function 00007FFDFB7647C8: GetParent.USER32 ref: 00007FFDFB764827
Part of subcall function 00007FFDFB7647C8: OpenThemeData.UXTHEME ref: 00007FFDFB764839

GetThemeColor.UXTHEME ref: 00007FFDFB764A78
CreateSolidBrush.GDI32 ref: 00007FFDFB764A91
SetMenuInfo.USER32 ref: 00007FFDFB764AAA
CloseThemeData.UXTHEME ref: 00007FFDFB764AC8

Strings

(, xrefs: 00007FFDFB764A1E

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Theme$Data$Open$BrushCloseColorCreateInfoMenuParentSolid
String ID: (
API String ID: 3676491578-3887548279
Opcode ID: e3a320bc293bac858c88161a4d8aec057999e43c75a525eacff6fcc29c3c3861
Instruction ID: 01358d1d7297a86ddbde5ce767014c2c54531170f178568bdfd7c1f6f1397072
Opcode Fuzzy Hash: e3a320bc293bac858c88161a4d8aec057999e43c75a525eacff6fcc29c3c3861
Instruction Fuzzy Hash: 4D118432B19B82CBE7508B26F450579B6A1FB89B80F549235EA9D43BA9DF3CD444CB00

Function 00007FFDFB72E5CC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

RtlCaptureContext.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFDFB72E5F8
RtlLookupFunctionEntry.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFDFB72E611
RtlVirtualUnwind.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFDFB72E64D
OutputDebugStringA.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FFDFB72E67C

Strings

Invalid parameter passed to C runtime function., xrefs: 00007FFDFB72E675

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CaptureContextDebugEntryFunctionLookupOutputStringUnwindVirtual
String ID: Invalid parameter passed to C runtime function.
API String ID: 711593133-455672764
Opcode ID: d59fb3a93b54dab40693933dc69d58620f2bd570f80b63e1f00d85e236449d9c
Instruction ID: a259f7c4592b72c03e4c921019033c488aa8f941936a409449de86df96050d39
Opcode Fuzzy Hash: d59fb3a93b54dab40693933dc69d58620f2bd570f80b63e1f00d85e236449d9c
Instruction Fuzzy Hash: CC11EF3661DF8282DB608B11F8647AAB361FB84745F501136DA9E42BB8DF3CD144CF00

Function 00007FFDFB753C6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB753CA6
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB753CEB
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB753CFC

Strings

Software\Microsoft\Windows NT\CurrentVersion\Network\NwCategoryWizard, xrefs: 00007FFDFB753C98
Show, xrefs: 00007FFDFB753CC5

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Show$Software\Microsoft\Windows NT\CurrentVersion\Network\NwCategoryWizard
API String ID: 3677997916-4226369804
Opcode ID: 8735f647035f740ca9db86f7e6c157f387f26cafb1810ef5ec44c4c9d585c620
Instruction ID: 379a3918fba6677a6ee5bf9292861bc3ecdc4565cd3414f1043346b3c815f65d
Opcode Fuzzy Hash: 8735f647035f740ca9db86f7e6c157f387f26cafb1810ef5ec44c4c9d585c620
Instruction Fuzzy Hash: 18111572619B828BD7108F14E45066ABFB0FB89B94F815222EA9D43B78DF78C144CB00

Function 00007FFDFB75E5D0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

DuplicateToken.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FFDFB75E5F8
CreateWellKnownSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FFDFB75E61F
CheckTokenMembership.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FFDFB75E637
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FFDFB75E641

Strings

D, xrefs: 00007FFDFB75E60A

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Token$CheckCloseCreateDuplicateHandleKnownMembershipWell
String ID: D
API String ID: 2196538793-2746444292
Opcode ID: c4961c8796fb0fdad35307dae4d677b6e3cb150817bf92d265f5e95a61c4c9c2
Instruction ID: 84828a8af313d55e7e54dec3bfde8eb2d524600ed46b5d2c136bbf669adeea78
Opcode Fuzzy Hash: c4961c8796fb0fdad35307dae4d677b6e3cb150817bf92d265f5e95a61c4c9c2
Instruction Fuzzy Hash: 3E014072A19A87C6E7609F11E4207AAB7A0FB88748F845135EA9D436B9DF3CD109CF00

Function 00007FFDFB754EA8 Relevance: 7.8, APIs: 5, Instructions: 313comCOMMON

Download Yara Rule

APIs

StringFromIID.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FFDFB754F98
CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FFDFB755086
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FFDFB755298

Part of subcall function 00007FFDFB723A90: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB723ABE

CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FFDFB7552AD

Part of subcall function 00007FFDFB727FB0: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB727FC6

CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FFDFB75534E

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: FreeTask$MessageTrace$CreateFromInstanceString
String ID:
API String ID: 1813387934-0
Opcode ID: a4502f406a865198352991347b33f1b8131a150b80cee14ea91a79b97b8a73a8
Instruction ID: 6fe448198c95a75cf71f6196260a61b67cf028f6af568fb98558687f7c649d3a
Opcode Fuzzy Hash: a4502f406a865198352991347b33f1b8131a150b80cee14ea91a79b97b8a73a8
Instruction Fuzzy Hash: 2BE12C66B1AB4B89EB048B25D864BB93761FB84B48F100532DA2D477F8DF7CE546C340

Function 00007FFDFB723DE0 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 273COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFDFB723E2F
memset.MSVCRT ref: 00007FFDFB723E43
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB723E85
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB723F6E

Part of subcall function 00007FFDFB727FB0: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB727FC6

Strings

0, xrefs: 00007FFDFB723F1B

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CriticalSectionmemset$EnterLeaveMessageTrace
String ID: 0
API String ID: 174006268-4108050209
Opcode ID: a1bda7b31c7588a22669211c7f2c56df780d3a12355d975637ec7539e14091b9
Instruction ID: 9ef6ffcdd5593387ddae6f10bb994bc778d023b2ac218da38d1aa8eb376894c2
Opcode Fuzzy Hash: a1bda7b31c7588a22669211c7f2c56df780d3a12355d975637ec7539e14091b9
Instruction Fuzzy Hash: B9C1A122B1A78386EB108B24D420AB937A4FF44B88F584132DE6D47AF8DF7DE945C740

Function 00007FFDFB74DD68 Relevance: 7.7, APIs: 6, Instructions: 193COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00007FFDFB74DDDA
memcmp.MSVCRT ref: 00007FFDFB74DE18
memcmp.MSVCRT ref: 00007FFDFB74DE57
memcmp.MSVCRT ref: 00007FFDFB74DEDB
memcmp.MSVCRT ref: 00007FFDFB74DF19
memcmp.MSVCRT ref: 00007FFDFB74DFA8

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 7a707ca650516ee599edca4087ef219ea392534da90d56b45aed6f2dec0eefb3
Instruction ID: 6f4f2195999dac6e1d83e13da23813abce99bc2ad7449a10644a2be71ebe78a0
Opcode Fuzzy Hash: 7a707ca650516ee599edca4087ef219ea392534da90d56b45aed6f2dec0eefb3
Instruction Fuzzy Hash: F6817262F1DBA6C5F7208B65C9108BC3360F759B88B045532EEAD57BA9DF38E691C340

Function 00007FFDFB75FA8C Relevance: 7.7, APIs: 6, Instructions: 170COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00007FFDFB75FAE6
memcmp.MSVCRT ref: 00007FFDFB75FB11
memcmp.MSVCRT ref: 00007FFDFB75FB41
memcmp.MSVCRT ref: 00007FFDFB75FBB5
memcmp.MSVCRT ref: 00007FFDFB75FBE0
memcmp.MSVCRT ref: 00007FFDFB75FC61

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: d2f9cd20405cd0af263e2382b0d4828e5ae88956ed197899e8bf4e5086ee2c98
Instruction ID: 29d3e0ebeae69fe7d7620db2fffa3af79c34a794c0efdf11f460dec3bf6f7349
Opcode Fuzzy Hash: d2f9cd20405cd0af263e2382b0d4828e5ae88956ed197899e8bf4e5086ee2c98
Instruction Fuzzy Hash: 97618D62B0E7C392EB608B26952097976A1FB55BC4F584431DEAD4BBF8DF38E4528700

Function 00007FFDFB746DF4 Relevance: 7.6, APIs: 5, Instructions: 149COMMON

Download Yara Rule

APIs

memmove_s.MSVCRT ref: 00007FFDFB746E35
RoOriginateError.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0 ref: 00007FFDFB746EDF
memmove_s.MSVCRT ref: 00007FFDFB746F2E
RoOriginateError.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0 ref: 00007FFDFB746F47

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ErrorOriginatememmove_s
String ID:
API String ID: 3822173579-0
Opcode ID: 4c3743f01e13ef354bf6457d2d2dbcad23d9c5b7b9a67cd3bd1b1cc1c5a2a0d9
Instruction ID: dad0edd2fca70545e83c772c00c64ecde8effce3265cdf474284b102c1010666
Opcode Fuzzy Hash: 4c3743f01e13ef354bf6457d2d2dbcad23d9c5b7b9a67cd3bd1b1cc1c5a2a0d9
Instruction Fuzzy Hash: CF51D273B09653CAEB148B24D460ABDB7A2EB85B55B598031DA2D033B8DE39EA45C740

Function 00007FFDFB753AE4 Relevance: 7.6, APIs: 5, Instructions: 103registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB753B40
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB753B99
memset.MSVCRT ref: 00007FFDFB753BF0
ExpandEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FFDFB753C05
free.MSVCRT ref: 00007FFDFB753C34

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: QueryValue$EnvironmentExpandStringsfreememset
String ID:
API String ID: 4236772811-0
Opcode ID: cf91f01168601abc0213f5d5c3ba13d7898d2f695e57c059df432bd558f60a94
Instruction ID: c68ae2448acee8f4244d49bd0f9cb074d4d1e00d37d359766c6626503e443780
Opcode Fuzzy Hash: cf91f01168601abc0213f5d5c3ba13d7898d2f695e57c059df432bd558f60a94
Instruction Fuzzy Hash: E741923272AB4386E7208B15E4A0AAA73A0FB89754F415535EFAE477F8DF3CD4158B00

Function 00007FFDFB74FFEC Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 95COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFDFB75002E

Part of subcall function 00007FFDFB727FB0: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB727FC6

Strings

", xrefs: 00007FFDFB75008F
0, xrefs: 00007FFDFB750094
!, xrefs: 00007FFDFB75008A
, xrefs: 00007FFDFB750085

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: MessageTracememset
String ID: $!$"$0
API String ID: 1506953324-4058373275
Opcode ID: e536c67553402da7ecab4f4798e7c6b9686be1955da8f0808ed8c093f3441e94
Instruction ID: ea5af5fb25b691240cc8bc34d0cac2ea503e18b6e904abc0df49fb21f16b312c
Opcode Fuzzy Hash: e536c67553402da7ecab4f4798e7c6b9686be1955da8f0808ed8c093f3441e94
Instruction Fuzzy Hash: 6E416D21B1A78781FB648611A4B4FB9B290FB84784F644032D96D47AF9CF3EE9438751

Function 00007FFDFB72CA10 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

GetSystemMetricsForDpi.USER32 ref: 00007FFDFB72CA3A
GetSystemMetricsForDpi.USER32 ref: 00007FFDFB72CA54
LoadImageW.USER32 ref: 00007FFDFB72CA7D
LoadImageW.USER32 ref: 00007FFDFB736B30
LoadImageW.USER32 ref: 00007FFDFB736B63

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ImageLoad$MetricsSystem
String ID:
API String ID: 1504610575-0
Opcode ID: 64876c564a22756fe17c2110cc1e00fb356039a489f06a402dfe862d8247ebba
Instruction ID: 9082c3639a9ac84148a653fef2bcf8d66fca1fdd6c2a3daed20c9434bc162096
Opcode Fuzzy Hash: 64876c564a22756fe17c2110cc1e00fb356039a489f06a402dfe862d8247ebba
Instruction Fuzzy Hash: DF315272B097818BE7108F15E824A6ABBA1F789B84F644135DE8A03BB9DF7DD545CF00

Function 00007FFDFB72A040 Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72A0A0
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72A105
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72A0D0

Part of subcall function 00007FFDFB72A1B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FFDFB72A232
Part of subcall function 00007FFDFB72A1B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FFDFB72A246
Part of subcall function 00007FFDFB72A1B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FFDFB72A25E
Part of subcall function 00007FFDFB72A1B0: memcpy_s.MSVCRT ref: 00007FFDFB72A2A4
Part of subcall function 00007FFDFB72A1B0: memcpy_s.MSVCRT ref: 00007FFDFB72A2FF

ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72A13C
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72A16F

Part of subcall function 00007FFDFB72A560: GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFDFB72A5AC
Part of subcall function 00007FFDFB72A560: CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72A5EE
Part of subcall function 00007FFDFB72A560: WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72A616
Part of subcall function 00007FFDFB72A560: AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72A6B7
Part of subcall function 00007FFDFB72A560: ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB72A6DB

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ExclusiveLock$Acquire$HeapProcessRelease$memcpy_s$AllocCreateCurrentMutexObjectSingleWait
String ID:
API String ID: 1277259480-0
Opcode ID: c38842d774aef9658f10d8ec4bb2b1aefe100bc1343fdc6ce5b55d1b86e6860c
Instruction ID: 0b26ffb53f6bc9533db1dbbeb70bc87c1a77caeec7944abfb8e5aae0a850e77b
Opcode Fuzzy Hash: c38842d774aef9658f10d8ec4bb2b1aefe100bc1343fdc6ce5b55d1b86e6860c
Instruction Fuzzy Hash: 60310235B0AB8B8AEB409B11B9309B5B761EF45BA4F544235DE2D037F9DF7CA4068700

Function 00007FFDFB730AA0 Relevance: 7.6, APIs: 6, Instructions: 80COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FFDFB730AB1
_CxxThrowException.MSVCRT ref: 00007FFDFB730ABA
free.MSVCRT ref: 00007FFDFB730AE1
_CxxThrowException.MSVCRT ref: 00007FFDFB730AEA
free.MSVCRT ref: 00007FFDFB730B11
_CxxThrowException.MSVCRT ref: 00007FFDFB730B1A

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ExceptionThrowfree
String ID:
API String ID: 2053033275-0
Opcode ID: f929982556b87a0f42150aeb154d83ce3a47bb6e1ccf65c18678d7e9be3beb7d
Instruction ID: 4568b01bd9ffe75f1d779dd7198eb0cc48d2423b354c60fffac35c8f5f66be37
Opcode Fuzzy Hash: f929982556b87a0f42150aeb154d83ce3a47bb6e1ccf65c18678d7e9be3beb7d
Instruction Fuzzy Hash: 2EF09C55B19742C6D31CFA3298324BA2221FFC4340F149435FD6E4B5FEDE24D4214640

Function 00007FFDFB72FDA0 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FFDFB72FDB1
_CxxThrowException.MSVCRT ref: 00007FFDFB72FDBA
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB72FDF9
DeactivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0 ref: 00007FFDFB72FE11
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB72FE23

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ErrorLast$DeactivateExceptionThrowfree
String ID:
API String ID: 564149058-0
Opcode ID: 45c65efb2dab07c626524989aeb257e2fa50df9931fa76c318657804a8360d53
Instruction ID: b586b67ddc718c6a2912fed0f3dce013c04a278eb04475e2b6bddb39799092e2
Opcode Fuzzy Hash: 45c65efb2dab07c626524989aeb257e2fa50df9931fa76c318657804a8360d53
Instruction Fuzzy Hash: A001D232F0A783CFE7185F71A86457976A1EF48B45F089039DE2E092F9CF3C94858A00

Function 00007FFDFB73E01C Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFB73D650: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB73D663

LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB73E046
SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB73E06A
WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB73E083
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FFDFB73E09B
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FFDFB73E0BB

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CloseCriticalHandleSection$EnterEventLeaveObjectSingleWait
String ID:
API String ID: 3326452711-0
Opcode ID: d064b086edd4d9094e167867d2d2ed983e5a6ee41f4ff45ee88c60ef46620f53
Instruction ID: 58165b0d8ca3fd221baa0dcade06749de2b1fa781a20e09ddb1aaf2747383be2
Opcode Fuzzy Hash: d064b086edd4d9094e167867d2d2ed983e5a6ee41f4ff45ee88c60ef46620f53
Instruction Fuzzy Hash: AF311C3270AB8785EB559B20D8647B977A1EB89B09F6C4131C96E0A6F9CF3DD4C5C320

Function 00007FFDFB751138 Relevance: 7.6, APIs: 5, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

InterlockedPopEntrySList.API-MS-WIN-CORE-INTERLOCKED-L1-1-0 ref: 00007FFDFB75115E

Part of subcall function 00007FFDFB751220: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FFDFB751153), ref: 00007FFDFB75123C
Part of subcall function 00007FFDFB751220: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FFDFB751153), ref: 00007FFDFB751254
Part of subcall function 00007FFDFB751220: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FFDFB751153), ref: 00007FFDFB751272
Part of subcall function 00007FFDFB751220: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FFDFB751153), ref: 00007FFDFB751286

VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FFDFB751191
InterlockedPopEntrySList.API-MS-WIN-CORE-INTERLOCKED-L1-1-0 ref: 00007FFDFB7511B2
VirtualFree.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FFDFB7511D1
InterlockedPushEntrySList.API-MS-WIN-CORE-INTERLOCKED-L1-1-0 ref: 00007FFDFB7511F3

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Heap$EntryInterlockedList$AllocFreeProcessVirtual$Push
String ID:
API String ID: 2531268086-0
Opcode ID: 54db70fdfbac7a9d299e1b19915eef870a9c16ef599500f8cde180d72218007a
Instruction ID: b08ac704f062615523ef8bcafb053015941189fe2c6043810d08bf1160b23b2b
Opcode Fuzzy Hash: 54db70fdfbac7a9d299e1b19915eef870a9c16ef599500f8cde180d72218007a
Instruction Fuzzy Hash: F3214421B1AB4786EB154B55E470978BA91FF8DB81F449135C92E477BCDE3CE1418740

Function 00007FFDFB74D524 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 238COMMON

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMT ref: 00007FFDFB74D585
_CxxThrowException.MSVCRT ref: 00007FFDFB74D596
free.MSVCRT ref: 00007FFDFB74D823

Strings

invalid map/set<T> iterator, xrefs: 00007FFDFB74D566

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ExceptionThrowfreestd::bad_exception::bad_exception
String ID: invalid map/set<T> iterator
API String ID: 2209577848-152884079
Opcode ID: 2d97fd9525572e8972efce6cb702154dc0c66a2f5bc78b491f5a62f3037f7174
Instruction ID: 88767acf21342fafb08abb95d2c9396a9c1b910add3367bd743e70abd0f3709d
Opcode Fuzzy Hash: 2d97fd9525572e8972efce6cb702154dc0c66a2f5bc78b491f5a62f3037f7174
Instruction Fuzzy Hash: 28B184A3B0E786C5EB618B26D06097C3BA4E755B85B588536CBAE073F9CF38D950C701

Function 00007FFDFB737454 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 169COMMON

Download Yara Rule

APIs

CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB737558
CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB737642

Strings

wil, xrefs: 00007FFDFB73758C, 00007FFDFB737677
_p0, xrefs: 00007FFDFB7374F5

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CreateSemaphore
String ID: _p0$wil
API String ID: 1078844751-1814513734
Opcode ID: 20aa24c0ab1dbb927326c30937100d7dac634ed9cf95e5f2bb83b11db6424e04
Instruction ID: 17453d111e73d04310d70fe58f8401a0ebad6454974eb7071b65ee0645e32d6a
Opcode Fuzzy Hash: 20aa24c0ab1dbb927326c30937100d7dac634ed9cf95e5f2bb83b11db6424e04
Instruction Fuzzy Hash: 1E51D561B1B74386EF658F289074EB97291AF84B80F684435DA6E077F9DF3CE4848300

Function 00007FFDFB74471C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFB73D650: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB73D663

LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB744841
PostMessageW.USER32 ref: 00007FFDFB744867
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB744889

Part of subcall function 00007FFDFB723A90: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB723ABE

Strings

", xrefs: 00007FFDFB74481D

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CriticalMessageSection$EnterErrorLastLeavePostTrace
String ID: "
API String ID: 4217609029-123907689
Opcode ID: 9776b688d99e38d592ac32283b61dc4e699151bb67a9d59fb77dae3c274c1eee
Instruction ID: 90ace0a13e311c1f78a9b8b6fae3d7caa255075db67658af729c2e81f4f250dc
Opcode Fuzzy Hash: 9776b688d99e38d592ac32283b61dc4e699151bb67a9d59fb77dae3c274c1eee
Instruction Fuzzy Hash: 11514B32B0A783C6EB109B26E460AB937A4FB84B85F144132DA2D572F9DF39D942C740

Function 00007FFDFB760468 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFB760F04: GetPersistentRegPath.MOBILENETWORKING ref: 00007FFDFB760F5E

RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB7604FB
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB760538
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB760567

Strings

UseBrandingNameOnRoaming, xrefs: 00007FFDFB7604F4, 00007FFDFB76059D

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Close$PathPersistentQueryValue
String ID: UseBrandingNameOnRoaming
API String ID: 2205690383-1302254536
Opcode ID: f34513b6d1cfb98aa38c679ad5dcb148d6712fee7d6360d823516bea625462b7
Instruction ID: 7be742e93cd0f22a7c89426579a8435d3f0fcd701afecd26d063250b63923fc1
Opcode Fuzzy Hash: f34513b6d1cfb98aa38c679ad5dcb148d6712fee7d6360d823516bea625462b7
Instruction Fuzzy Hash: EB41A072B0A7838AFB208F14E4A4EB9B691FB84754F544135DA6D466F9DF3CE445CB00

Function 00007FFDFB761130 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFB760F04: GetPersistentRegPath.MOBILENETWORKING ref: 00007FFDFB760F5E

RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB7611C4
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB761201
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB761230

Strings

BrandingName, xrefs: 00007FFDFB7611BD, 00007FFDFB76129B

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Close$PathPersistentQueryValue
String ID: BrandingName
API String ID: 2205690383-661740910
Opcode ID: 96faf96021dfc57cead4bed4e63d731d5d1d1582b28077ae35916a7560beac2e
Instruction ID: 291a73c188d421a8e0994513a7434dbf1916dfd38a0e2b5c815840375672ed48
Opcode Fuzzy Hash: 96faf96021dfc57cead4bed4e63d731d5d1d1582b28077ae35916a7560beac2e
Instruction Fuzzy Hash: D4418322B0A7838EFB24CB55A4A4BB576A2FB84748F145135DE6D46AF8CF3CD545CB00

Function 00007FFDFB723AE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFDFB723B43
CreateWellKnownSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FFDFB723B5F
CheckTokenMembership.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FFDFB723B87

Part of subcall function 00007FFDFB727FB0: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB727FC6

Strings

D, xrefs: 00007FFDFB723B4A

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CheckCreateKnownMembershipMessageTokenTraceWellmemset
String ID: D
API String ID: 370548498-2746444292
Opcode ID: 47dbab31edaa5bc712caadbb287e23633c77a51c5d5734c2a29828555efd04ca
Instruction ID: 501f2ed1c20c92885e53ec24551ad7814a26cbc77f595eff0443dec9400d66c6
Opcode Fuzzy Hash: 47dbab31edaa5bc712caadbb287e23633c77a51c5d5734c2a29828555efd04ca
Instruction Fuzzy Hash: AD311821B0A78786EB54CB21E460BA973A1FB88B48F544076DA6D43AFDDF3CD506CB40

Function 00007FFDFB74C96C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

WinSqmEndSession.NTDLL ref: 00007FFDFB74C9CE

Part of subcall function 00007FFDFB74EC20: EventWriteTransfer.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FFDFB74EC66

_cwprintf_s_l.LIBCMT ref: 00007FFDFB74CA51

Strings

dot3mm.dll, xrefs: 00007FFDFB74CA3E
@%s,-%d, xrefs: 00007FFDFB74CA45

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: EventSessionTransferWrite_cwprintf_s_l
String ID: @%s,-%d$dot3mm.dll
API String ID: 2706308623-1210809606
Opcode ID: b8a6dcd9e8ceb728b61aeb3ed0a4a3a5c72cc1dab4ef17f666a14faf4fc04a17
Instruction ID: 5bbf937ec41224e0c488da625228d7cdab2bed7d1df58d07181ea1102bf65362
Opcode Fuzzy Hash: b8a6dcd9e8ceb728b61aeb3ed0a4a3a5c72cc1dab4ef17f666a14faf4fc04a17
Instruction Fuzzy Hash: 82314B22B1AB47C6EB008B24E460BBA7361FB89749F500536DA6D06AFDDF7CE509C700

Function 00007FFDFB72DB8C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMT ref: 00007FFDFB72DBCD
_CxxThrowException.MSVCRT ref: 00007FFDFB72DBDE
malloc.MSVCRT ref: 00007FFDFB72DBF9

Strings

invalid string position, xrefs: 00007FFDFB72DBAE

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ExceptionThrowmallocstd::bad_exception::bad_exception
String ID: invalid string position
API String ID: 2575240680-1799206989
Opcode ID: e74a6710be736b20ce9bee850a77266f656f27d82d25afb781afd5f61ea51532
Instruction ID: 7a341e88e4e66feb00db60eb8bead8b43507e5a6480c05026d532f00f9d7b701
Opcode Fuzzy Hash: e74a6710be736b20ce9bee850a77266f656f27d82d25afb781afd5f61ea51532
Instruction Fuzzy Hash: 62011A31B1EB07C1EB209B24E8617A57360FB84324F901235D5BD467F8DEACE5558B00

Function 00007FFDFB762D34 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

WindowFromPoint.USER32 ref: 00007FFDFB762D59
GetClassNameW.USER32 ref: 00007FFDFB762D78
CompareStringOrdinal.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFDFB762DA2

Strings

#32768, xrefs: 00007FFDFB762D96

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ClassCompareFromNameOrdinalPointStringWindow
String ID: #32768
API String ID: 517833829-207879865
Opcode ID: 293e7aa6a67ad7470b1d46c906cd305e1512a8dc1589c4757cac4da0622754ec
Instruction ID: f1b266b9d9f605da73de6628f5601f1eba0956c0a8b2498a6d0310fb30f9b03e
Opcode Fuzzy Hash: 293e7aa6a67ad7470b1d46c906cd305e1512a8dc1589c4757cac4da0622754ec
Instruction Fuzzy Hash: AB01887271AB828AEB109B20E8647B97B51FB99B45F445131C95E473F9DF3CD048C740

Function 00007FFDFB72C950 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB72C99E

Strings

RtlDisownModuleHeapAllocation, xrefs: 00007FFDFB72C994
ntdll.dll, xrefs: 00007FFDFB736A34

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: RtlDisownModuleHeapAllocation$ntdll.dll
API String ID: 190572456-704576883
Opcode ID: 0b5e80733dbb8ffab5c5b879942910f7fd40a7f10258ec86286d861d788ab677
Instruction ID: da127c779ad46fdfdf7906424b9cf451b5bbf68914f0159b27f023da1eb3cb9d
Opcode Fuzzy Hash: 0b5e80733dbb8ffab5c5b879942910f7fd40a7f10258ec86286d861d788ab677
Instruction Fuzzy Hash: A901E424B1BB4785EF048B25F974878B6A1EF59B80B689035CD6E027FCEF3CE4848600

Function 00007FFDFB72D1D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB72D1FE
GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FFDFB736CE9

Strings

ntdll.dll, xrefs: 00007FFDFB736CE2
RtlDllShutdownInProgress, xrefs: 00007FFDFB72D1F4

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlDllShutdownInProgress$ntdll.dll
API String ID: 1646373207-582119455
Opcode ID: cd20572c8f1bb05b0ca35a68f8dc3dd44d82c303cc387b520899c8841c0453ad
Instruction ID: 02230b8ba8f7fc1054a4170186c20fc640338758fd29b70daa212eb2c0b771ec
Opcode Fuzzy Hash: cd20572c8f1bb05b0ca35a68f8dc3dd44d82c303cc387b520899c8841c0453ad
Instruction Fuzzy Hash: BDF0ED28B1BB079AEB158B54A8748B476A1FF59701B586435CC2E023F8EE6CE4888620

Function 00007FFDFB725C50 Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 357COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB725CD1
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB725EAB

Part of subcall function 00007FFDFB727FB0: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB727FC6

Strings

yes, xrefs: 00007FFDFB725E77
@, xrefs: 00007FFDFB733998

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeaveMessageTrace
String ID: @$yes
API String ID: 2067524592-992443270
Opcode ID: ce57a078f34fe898b716455512bdc8fdcd3e4f6112672213544e9b30ee54c958
Instruction ID: e49e99c8fed1e6e90d83bde9d38ff08f4237f172426310da1076650c52896dc6
Opcode Fuzzy Hash: ce57a078f34fe898b716455512bdc8fdcd3e4f6112672213544e9b30ee54c958
Instruction Fuzzy Hash: FF024D61B0A74389F7608B25D460BB937A1FB84B48F284136CE6D566F8DF7CE586C740

Function 00007FFDFB72C3D0 Relevance: 6.3, APIs: 4, Instructions: 335COMMON

Download Yara Rule

APIs

InitOnceBeginInitialize.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FFDFB72C41D
EventRegister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FFDFB72C4B8
EventSetInformation.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FFDFB72C4D7
InitOnceComplete.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FFDFB72C511

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: EventInitOnce$BeginCompleteInformationInitializeRegister
String ID:
API String ID: 3136474517-0
Opcode ID: ec6d5c6911c0da270c98e73c9946d5773698dd33bfa72fba721bb97a81a57714
Instruction ID: b365136abd59ed876d3153b7ffad07350ff13cff242fe14aef3bd1610d711df9
Opcode Fuzzy Hash: ec6d5c6911c0da270c98e73c9946d5773698dd33bfa72fba721bb97a81a57714
Instruction Fuzzy Hash: 24023732B0AB42C9E7108F65E4505AD77B8FB48748B604236EEAD17BB8EF38D554CB40

Function 00007FFDFB74C024 Relevance: 6.2, APIs: 4, Instructions: 179comCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFB73D650: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB73D663

CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB74C098
CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB74C0D6
new.LIBCMT ref: 00007FFDFB74C134
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB74C2B5

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CreateCriticalInstanceSection$EnterLeave
String ID:
API String ID: 1614763547-0
Opcode ID: 6b84bb6e75c2817ef77435bb88f9a52920b82db3440772bd2a3a25f613545281
Instruction ID: ebbfb3e90fe1d5f735d6675e90433d318590f9004ac71a60d4f71666efd6f941
Opcode Fuzzy Hash: 6b84bb6e75c2817ef77435bb88f9a52920b82db3440772bd2a3a25f613545281
Instruction Fuzzy Hash: 30813D22B0AB47DAE7009B75D860BAC33A1FB84748F594132DA2D53BF9DE79E645C340

Function 00007FFDFB74509C Relevance: 6.2, APIs: 4, Instructions: 156COMMON

Download Yara Rule

APIs

CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB7450C1

Part of subcall function 00007FFDFB73D650: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB73D663

SysFreeString.OLEAUT32 ref: 00007FFDFB745252
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB7452C6
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB7452ED

Part of subcall function 00007FFDFB727FB0: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB727FC6

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Free$CriticalSectionTask$EnterLeaveMessageStringTrace
String ID:
API String ID: 4219247863-0
Opcode ID: 2947722bf185f20f8ec9bea274f1a54f85b9fdc5c5f99de839ca474f7c6f3160
Instruction ID: fb5dceb5b72e6429b2793f636730a2a854c86789234f3a13167c3a81001bcabe
Opcode Fuzzy Hash: 2947722bf185f20f8ec9bea274f1a54f85b9fdc5c5f99de839ca474f7c6f3160
Instruction Fuzzy Hash: F0714762B0AB47C9EB108B65D460BB937A1FB49B89F144132DE2D17AF9DF38E645C340

Function 00007FFDFB72D650 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

InitOnceBeginInitialize.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FFDFB72D6AC
EventRegister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FFDFB72D74B
EventSetInformation.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FFDFB72D76A
InitOnceComplete.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FFDFB72D7A4

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: EventInitOnce$BeginCompleteInformationInitializeRegister
String ID:
API String ID: 3136474517-0
Opcode ID: 34f1d94cc31a56f78b54de444b3a1f12349b53f456c44189566b2c83814873bf
Instruction ID: d84cd6643acbdfc2166b715455a6e7423de9a73f17a6696779686940edb0724e
Opcode Fuzzy Hash: 34f1d94cc31a56f78b54de444b3a1f12349b53f456c44189566b2c83814873bf
Instruction Fuzzy Hash: 3F512B76B0AB828AE7108F24F4506A9B7A4FB48B40F544136DAAC43BB8DF7CE155CB40

Function 00007FFDFB765248 Relevance: 6.1, APIs: 4, Instructions: 89windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFDFB765280
GetMenuItemInfoW.USER32 ref: 00007FFDFB76529F
memset.MSVCRT ref: 00007FFDFB7652CB
SetMenuItemInfoW.USER32 ref: 00007FFDFB765341

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: InfoItemMenumemset
String ID:
API String ID: 3858859670-0
Opcode ID: 637ad80f38c16335eb6a4a431d0b3b3a1cbf29cbe9b185d9ea8042b6af742b0b
Instruction ID: 31255f9a9dfb95102a65fb4e4ed70f89bd07c2a7f6dcd93a077664376cd21afd
Opcode Fuzzy Hash: 637ad80f38c16335eb6a4a431d0b3b3a1cbf29cbe9b185d9ea8042b6af742b0b
Instruction Fuzzy Hash: 0431AE36B16B028EF7148BA2C410BAD37B2FB49B88F458535CE1D177A8DF78D5058740

Function 00007FFDFB72E120 Relevance: 6.1, APIs: 4, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFDFB72E193
RtlLookupFunctionEntry.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFDFB72E1B2
RtlVirtualUnwind.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFDFB72E1FF
__raise_securityfailure.LIBCMT ref: 00007FFDFB72E2E4

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 868a6da404d5b864c666a88854808e08c179270f2f5571870445e3160d360b38
Instruction ID: 24271999e52a31259b6a61005a1cd68d3089b87b0de1e3d17bc1d9c6f30594f1
Opcode Fuzzy Hash: 868a6da404d5b864c666a88854808e08c179270f2f5571870445e3160d360b38
Instruction Fuzzy Hash: 0141B539B0AB0685EB508B19F874B6573A4FB88744F644536DAAD837B8EFBCE544C700

Function 00007FFDFB73D8DC Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FFDFB73D987
CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB73D9A7
QueueUserWorkItem.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0 ref: 00007FFDFB73D9CF
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB73D9F2

Part of subcall function 00007FFDFB727FB0: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB727FC6

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CloseCreateCriticalEventHandleItemLeaveMessageQueueSectionTraceUserWork
String ID:
API String ID: 2150000617-0
Opcode ID: a71a2186ebd956a78149c84c9e2c850d289acddfadcb5418360354572d2b2af3
Instruction ID: 288a6062f7a5ef44eebd318efc97e9623b2e201df6f6e441715a605c12c9a803
Opcode Fuzzy Hash: a71a2186ebd956a78149c84c9e2c850d289acddfadcb5418360354572d2b2af3
Instruction Fuzzy Hash: AE313B3270EB8685EB508F50E464BB877A0EB89B54F684535CA6E0A7F8DF38D494C700

Function 00007FFDFB743180 Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FFDFB7431BB
calloc.MSVCRT ref: 00007FFDFB7431FC
memmove_s.MSVCRT ref: 00007FFDFB743222
free.MSVCRT ref: 00007FFDFB743238

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: calloc$freememmove_s
String ID:
API String ID: 3942310398-0
Opcode ID: 115d3ed95cdd97c390bcb0efdb685ed300a3ee6085e65316fbd4433646e034ec
Instruction ID: 7aea30d7bb264452bcf4b84ae4edfdf23e8018ceab64880c593e1b4ae182a2c6
Opcode Fuzzy Hash: 115d3ed95cdd97c390bcb0efdb685ed300a3ee6085e65316fbd4433646e034ec
Instruction Fuzzy Hash: BC21393270AB42C6EF548B15E660679B7A2EB59FC5F149032DA6E03BB8DE3CD5418200

Function 00007FFDFB74F41C Relevance: 6.1, APIs: 4, Instructions: 60windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFDFB74F466
GetIconInfoExW.USER32 ref: 00007FFDFB74F473
DeleteObject.GDI32 ref: 00007FFDFB74F496
DeleteObject.GDI32 ref: 00007FFDFB74F4AC

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: DeleteObject$IconInfomemset
String ID:
API String ID: 1908085422-0
Opcode ID: 84369dff8c71c924dc7650fdfaa2266940b8fb4b14ef30826ed31b8506cec568
Instruction ID: 1038093866632a764d33b81e4016bdda75bbd646344be73cefd4bfff1e8a20a6
Opcode Fuzzy Hash: 84369dff8c71c924dc7650fdfaa2266940b8fb4b14ef30826ed31b8506cec568
Instruction Fuzzy Hash: 2A21292670AB87C5EB608B15E460A7977A0FB89B84F544531DAAD47BB8DF2CD501CB00

Function 00007FFDFB7290D3 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

??0exception@@QEAA@AEBQEBD@Z.MSVCRT ref: 00007FFDFB734D8E
_CxxThrowException.MSVCRT ref: 00007FFDFB734DB2

Part of subcall function 00007FFDFB72DAD0: malloc.MSVCRT ref: 00007FFDFB72DAEA

memcpy_s.MSVCRT ref: 00007FFDFB734DF7
free.MSVCRT ref: 00007FFDFB734E0D

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ??0exception@@ExceptionThrowfreemallocmemcpy_s
String ID:
API String ID: 570582955-0
Opcode ID: 42840411fef01bfb470fcbd911f6f63f136c3a25cef0f8cd133c5691d857cbdf
Instruction ID: a230afb56bc6109ad336aebb0f870388d7b4a851668584469a56528b3670c3f0
Opcode Fuzzy Hash: 42840411fef01bfb470fcbd911f6f63f136c3a25cef0f8cd133c5691d857cbdf
Instruction Fuzzy Hash: 9321B032719B8392EB248B11E4645AD7360FB457A0F545232DE7E03AF8DF38E1A5C740

Function 00007FFDFB728310 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFDFB728352
GetIconInfoExW.USER32 ref: 00007FFDFB72835F
DeleteObject.GDI32 ref: 00007FFDFB728382
DeleteObject.GDI32 ref: 00007FFDFB728398

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: DeleteObject$IconInfomemset
String ID:
API String ID: 1908085422-0
Opcode ID: 3567d7d5ffbcc4ffd23fdd426752053b560fce63d43e5693bd8cc5ac984b632c
Instruction ID: f2fe50ed301f074d7f7f770190ac78e551da5ab3d34eb644fe1c799f2a3d009c
Opcode Fuzzy Hash: 3567d7d5ffbcc4ffd23fdd426752053b560fce63d43e5693bd8cc5ac984b632c
Instruction Fuzzy Hash: F9212C71B0A78786EB548B51E860B79B661FF89784F549031DE6E467F9DF2CE4008B00

Function 00007FFDFB762288 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

MulDiv.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(00000000,?,?,00007FFDFB763636), ref: 00007FFDFB7622BB
MulDiv.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0 ref: 00007FFDFB7622D3
MulDiv.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0 ref: 00007FFDFB7622EB
MulDiv.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0 ref: 00007FFDFB762302

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d72d404aea7797768d8f124075b7dbbc94456b156591b29b66e2452a1865016
Instruction ID: bb8dd980b68109e71ff44334a3356d4b55f99b2e78f9c2e438f71c92a13fc375
Opcode Fuzzy Hash: 3d72d404aea7797768d8f124075b7dbbc94456b156591b29b66e2452a1865016
Instruction Fuzzy Hash: 9A110636720BA18BC7008F56E848829FBA5F78DFD0B56902ADE5953728DB38E841CB04

Function 00007FFDFB72E2F8 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

RtlCaptureContext.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFDFB72E303
RtlLookupFunctionEntry.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFDFB72E322
RtlVirtualUnwind.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFDFB72E36F
__raise_securityfailure.LIBCMT ref: 00007FFDFB72E3E5

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 91b3b45c9acead05d1413a745e915e80743e252c1f0a1dbb0be536276360cf9b
Instruction ID: fbb7855f7616a2a6f647d5c7d49d160ca91e98ac3f5a35f82aef8d8a2c95b5c5
Opcode Fuzzy Hash: 91b3b45c9acead05d1413a745e915e80743e252c1f0a1dbb0be536276360cf9b
Instruction Fuzzy Hash: 1D21B739A0AB4685E700CB05F864B6977A4FB89754F600036DA9D837B8EFBDE144CB00

Function 00007FFDFB748DD0 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FFDFB748E94,?,?,?,?,?,?,?,?,00007FFDFB72DA8D), ref: 00007FFDFB748DF1
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FFDFB748E94,?,?,?,?,?,?,?,?,00007FFDFB72DA8D), ref: 00007FFDFB748E00
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FFDFB748E94,?,?,?,?,?,?,?,?,00007FFDFB72DA8D), ref: 00007FFDFB748E37
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FFDFB748E94,?,?,?,?,?,?,?,?,00007FFDFB72DA8D), ref: 00007FFDFB748E4B

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CriticalExclusiveLockSection$AcquireEnterLeaveRelease
String ID:
API String ID: 1115728412-0
Opcode ID: 11e39349885d8ac39c58ec7fdb31d6663da80208b7b6b8b7831f35138cce8ca2
Instruction ID: 49034e3fc185c48de793f8b85c2b8051c038a22deee24bac3d78e67934773434
Opcode Fuzzy Hash: 11e39349885d8ac39c58ec7fdb31d6663da80208b7b6b8b7831f35138cce8ca2
Instruction Fuzzy Hash: 26018022B19B87C6DB148B11A664538F761FB89FC1B089231CE5E03778DF3CD1808300

Function 00007FFDFB75E920 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFDFB741D19), ref: 00007FFDFB75E944
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFDFB741D19), ref: 00007FFDFB75E954
DeleteCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFDFB741D19), ref: 00007FFDFB75E964
free.MSVCRT ref: 00007FFDFB75E98E

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CriticalSection$DeleteEnterLeavefree
String ID:
API String ID: 682159224-0
Opcode ID: 17d9cd2f789f37edc1da884b9dff5d1bd6031f2b449339cbe17bb3102176f36d
Instruction ID: a5075010b63d3ab45986433e7d2a02b49f9d576ddcfbca8e390f9640fdc0e69c
Opcode Fuzzy Hash: 17d9cd2f789f37edc1da884b9dff5d1bd6031f2b449339cbe17bb3102176f36d
Instruction Fuzzy Hash: 88015A32645B4297D7009B21E5247A9B720FB8BBA5F545731CB6E036F9CF38D065C700

Function 00007FFDFB76206C Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FFDFB762083
GetDeviceCaps.GDI32 ref: 00007FFDFB76209F
GetDeviceCaps.GDI32 ref: 00007FFDFB7620B5
ReleaseDC.USER32 ref: 00007FFDFB7620C8

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: d572a5c58beb939e634c482cf87b0d9157cdfddff7a2034a817eda6445df6460
Instruction ID: 1e2e3661ee237fe32fde4cf394be9e252548bf1a39f7bbc93fee43d9e7a6224c
Opcode Fuzzy Hash: d572a5c58beb939e634c482cf87b0d9157cdfddff7a2034a817eda6445df6460
Instruction Fuzzy Hash: 82011A32A0AB42CBDB444F25B41412ABAA2FB4DB81F49C034DA5E477A8DF3DD4908B00

Function 00007FFDFB74ADF4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMT ref: 00007FFDFB74AE61
_CxxThrowException.MSVCRT ref: 00007FFDFB74AE72

Strings

map/set<T> too long, xrefs: 00007FFDFB74AE45

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ExceptionThrowstd::bad_exception::bad_exception
String ID: map/set<T> too long
API String ID: 1480402491-1285458680
Opcode ID: 2312452f07875b0fab671b09942885b3c2f4135b022df159eac2a4d2a3c7627c
Instruction ID: e44663722113571c6ff6053a3badd400826d04e14f0883d3395f7923eb6bd0d9
Opcode Fuzzy Hash: 2312452f07875b0fab671b09942885b3c2f4135b022df159eac2a4d2a3c7627c
Instruction Fuzzy Hash: 81516B6270AB86C1DB60CB2AD46066D7BA0E788F94F548136DEAD073B9CF78D991C700

Function 00007FFDFB74B56C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFB740594: memset.MSVCRT ref: 00007FFDFB740608

Part of subcall function 00007FFDFB747B54: EventActivityIdControl.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FFDFB747BBA
Part of subcall function 00007FFDFB747B54: ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB747BDE
Part of subcall function 00007FFDFB747B54: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFDFB747C19

Part of subcall function 00007FFDFB7516E0: memset.MSVCRT ref: 00007FFDFB751717
Part of subcall function 00007FFDFB7516E0: #162.SHCORE ref: 00007FFDFB7517E4

ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFB74B66B

Part of subcall function 00007FFDFB723A90: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB723ABE

Strings

PNILaunchBowser, xrefs: 00007FFDFB74B5AB
http://www.msftconnecttest.com/redirect, xrefs: 00007FFDFB74B5D5

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ExclusiveLockReleasememset$#162ActivityControlCurrentEventMessageThreadTrace
String ID: PNILaunchBowser$http://www.msftconnecttest.com/redirect
API String ID: 3778070538-3197084993
Opcode ID: d2b51af5db7bf57eb47152bd8c7732ae004fb8cf0f2cf44e7b7f1b437c1a5ab0
Instruction ID: 9123eabc183b1cc5fd89a98fd306c6f8aefb1fcf160f8d8a8b44d9db8fbaf52f
Opcode Fuzzy Hash: d2b51af5db7bf57eb47152bd8c7732ae004fb8cf0f2cf44e7b7f1b437c1a5ab0
Instruction Fuzzy Hash: 0831913671AB82C5E710DB25E860AA9B3A0FB85754F401232EAAD437F9DF7CD605CB40

Function 00007FFDFB753D18 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB753D97
CoSetProxyBlanket.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB753DFE

Part of subcall function 00007FFDFB727FB0: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB727FC6

Strings

, xrefs: 00007FFDFB753DD6

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: BlanketProxy$MessageTrace
String ID:
API String ID: 381658971-3916222277
Opcode ID: 1398ed6ea06c746321b4c39894eb689f785f72b7d7efbbbaa6a1a957d0d11635
Instruction ID: 731d5872143a8e0bb50558f2534195b9942ccb6b156092d336cf175984b47770
Opcode Fuzzy Hash: 1398ed6ea06c746321b4c39894eb689f785f72b7d7efbbbaa6a1a957d0d11635
Instruction Fuzzy Hash: 39414F36729B4786EB108B19E46466977A1FB84BA4F100326EA7E437F8CF7CD446CB40

Function 00007FFDFB749C38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(ImmersiveContextMenuArray_%lu-%lu,?,?,00007FFDFB740230,?,?,00000001,00007FFDFB743470,?,?,?,?,00007FFDFB7646DB), ref: 00007FFDFB749CA9
CoTaskMemRealloc.API-MS-WIN-CORE-COM-L1-1-0(ImmersiveContextMenuArray_%lu-%lu,?,?,00007FFDFB740230,?,?,00000001,00007FFDFB743470,?,?,?,?,00007FFDFB7646DB), ref: 00007FFDFB749D13

Strings

ImmersiveContextMenuArray_%lu-%lu, xrefs: 00007FFDFB749C44

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Task$AllocRealloc
String ID: ImmersiveContextMenuArray_%lu-%lu
API String ID: 1769333971-1220520276
Opcode ID: 5aca1ed25ac4cfa2b56f67574789a59c355bf6013b00d442575131325a4c1176
Instruction ID: 2c497fbd7ef7f11d2faabda35139fc88c50f89177361b4350f11cc04c8ee6bfc
Opcode Fuzzy Hash: 5aca1ed25ac4cfa2b56f67574789a59c355bf6013b00d442575131325a4c1176
Instruction Fuzzy Hash: 5A31AF32B0AB43CAE7108F11E020AA976A0FB49B96F544631DB6D177F9CF3DE6528700

Function 00007FFDFB751CFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FFDFB751D7B
VariantClear.OLEAUT32 ref: 00007FFDFB751DE5

Part of subcall function 00007FFDFB727FB0: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB727FC6

Strings

NA_NetworkClass, xrefs: 00007FFDFB751D94

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Variant$ClearInitMessageTrace
String ID: NA_NetworkClass
API String ID: 1865639329-1795230796
Opcode ID: 7fab68b17ea7da11521a03c840233657de6a3aedfa1b0d800f89e99fb731b460
Instruction ID: 8644c2aefccf5cd585be1dec7b7b0ce87e462a06de1a09e2615b6970e031941a
Opcode Fuzzy Hash: 7fab68b17ea7da11521a03c840233657de6a3aedfa1b0d800f89e99fb731b460
Instruction Fuzzy Hash: 75313032B1AB4786EB009B15E464A697761FB88B84F544032DA6E43BFDDF3CE506CB40

Function 00007FFDFB7623B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68registrywindowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 00007FFDFB762433

Part of subcall function 00007FFDFB762D34: WindowFromPoint.USER32 ref: 00007FFDFB762D59
Part of subcall function 00007FFDFB762D34: GetClassNameW.USER32 ref: 00007FFDFB762D78
Part of subcall function 00007FFDFB762D34: CompareStringOrdinal.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFDFB762DA2

RegisterWindowMessageW.USER32 ref: 00007FFDFB762474

Strings

TileContextMenuWindowMessage, xrefs: 00007FFDFB76246D

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Window$ClassCompareFromLongMessageNameOrdinalPointRegisterString
String ID: TileContextMenuWindowMessage
API String ID: 149515259-1060233165
Opcode ID: 39544ab28377436d57dc2c924ec54b2e3117ebeaee9c8e6a5b0d14a8734c61aa
Instruction ID: 724f5fbc76f3c270878fb98db6ee038aacceb0a7e40b4720be80ff67c2cd5249
Opcode Fuzzy Hash: 39544ab28377436d57dc2c924ec54b2e3117ebeaee9c8e6a5b0d14a8734c61aa
Instruction Fuzzy Hash: F721F821B0E3834AE754AB2AA4609B97E92EB49BC0F154035E96DD36F9DE3CDC418350

Function 00007FFDFB74F098 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB74F0C8
CoSetProxyBlanket.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFB74F125

Strings

, xrefs: 00007FFDFB74F104

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-3916222277
Opcode ID: 6505b2a2af68afdae4203463d0cdbe94dbc2ae80536dff4c2a698d80f194e834
Instruction ID: 8e882879fee28566d3edc050db7b6eaf37c29a32eff3aecc197cb5f96ae8b25d
Opcode Fuzzy Hash: 6505b2a2af68afdae4203463d0cdbe94dbc2ae80536dff4c2a698d80f194e834
Instruction Fuzzy Hash: FB212B36719B4786E7008B25E46876977A1FB89BA5F104322DA3D077F8DFBCD5058B00

Function 00007FFDFB764D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55registryCOMMON

Download Yara Rule

APIs

RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FFDFB764DBB

Strings

SystemUsesLightTheme, xrefs: 00007FFDFB764D88
SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize, xrefs: 00007FFDFB764D9F

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Value
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize$SystemUsesLightTheme
API String ID: 3702945584-3753107525
Opcode ID: ce6bd17d80b471bb324bb06dcdc80a4564c576c0c9f16a804c7c76d14bb6746d
Instruction ID: 3811e4052ecffa7cdb2927795a7b550f43f4e765ff09f03d4a9aa2be394e4352
Opcode Fuzzy Hash: ce6bd17d80b471bb324bb06dcdc80a4564c576c0c9f16a804c7c76d14bb6746d
Instruction Fuzzy Hash: 0B21B072B097438EEB048B11D06466E77E6F744790FA1013AD6A9427F8DB39DA45CB40

Function 00007FFDFB7644FC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFDFB764523
GetMenuItemInfoW.USER32 ref: 00007FFDFB764548

Strings

P, xrefs: 00007FFDFB76452D

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: InfoItemMenumemset
String ID: P
API String ID: 3858859670-3110715001
Opcode ID: 32930ff52c6aee03d752fe585073e727d4777b21ab89a3205d65ebf798fb46ce
Instruction ID: 6f7baf8f7d3bd1267c03830330e0bae9c1112d4e884c060c12fea1b37cd44be1
Opcode Fuzzy Hash: 32930ff52c6aee03d752fe585073e727d4777b21ab89a3205d65ebf798fb46ce
Instruction Fuzzy Hash: A81193327097438AE7208E12A01096A73A2FB88B84F584034EE6D437BACF3DE9418B00

Function 00007FFDFB765750 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFDFB765776
DrawThemeTextEx.UXTHEME ref: 00007FFDFB7657FA

Strings

H, xrefs: 00007FFDFB76578B

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: DrawTextThemememset
String ID: H
API String ID: 340441712-2852464175
Opcode ID: b92c910a3dec61bad9395927be7c3c611ce98f5fb4650a9d9e34526c230a28f2
Instruction ID: b46846ff2f3f2614abb8fe57a57764b9e1c667b6845ba6b6f33880979857caab
Opcode Fuzzy Hash: b92c910a3dec61bad9395927be7c3c611ce98f5fb4650a9d9e34526c230a28f2
Instruction Fuzzy Hash: 3A111332709BC58AD7A0CB05F48079AB7A4F388BD4F448026EA8D53B28DB79C549CB40

Function 00007FFDFB722330 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FFDFB721129), ref: 00007FFDFB72238B
InitializeCriticalSectionEx.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FFDFB721129), ref: 00007FFDFB7223B9

Strings

WilStaging_02, xrefs: 00007FFDFB72234A

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: WilStaging_02
API String ID: 32694325-3875344107
Opcode ID: ef67f4bf8392adc9b36706c0273052467a2fab3657c3b28e5fb23dde4103985f
Instruction ID: ffbe9171d2d4a0466a483197fedf8d6ecf3cd69f14affbc8701addfa8ca62d22
Opcode Fuzzy Hash: ef67f4bf8392adc9b36706c0273052467a2fab3657c3b28e5fb23dde4103985f
Instruction Fuzzy Hash: 77119766E2AB8789E300C721AC75D717361EFEA340F745335D9A8103BAEFEC21849240

Function 00007FFDFB764E88 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00007FFDFB764EBE
SetPropW.USER32 ref: 00007FFDFB764ED4

Strings

ImmersiveContextMenuArray_%lu-%lu, xrefs: 00007FFDFB764EB3

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Prop_cwprintf_s_l
String ID: ImmersiveContextMenuArray_%lu-%lu
API String ID: 2277916533-1220520276
Opcode ID: bcdb2acf7d50a9d4ee72ba723086c6edb9cf054159d6f6cd2ea55da9699e0231
Instruction ID: 3c99f13927a8093ae3a57c5ccd74136536edfdd10de6040c851b5ee6fc7973a8
Opcode Fuzzy Hash: bcdb2acf7d50a9d4ee72ba723086c6edb9cf054159d6f6cd2ea55da9699e0231
Instruction Fuzzy Hash: AB01AD66B14B9682EB008B16E8947ADBB60FB88FD4F504235DB1C477B9CF78DA45C700

Function 00007FFDFB7653FC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00007FFDFB765430
SetPropW.USER32 ref: 00007FFDFB765446

Strings

ImmersiveContextMenuArray_%lu, xrefs: 00007FFDFB765419

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Prop_cwprintf_s_l
String ID: ImmersiveContextMenuArray_%lu
API String ID: 2277916533-919551790
Opcode ID: b7edfb71d049743d0b7c9dc4888a962e79c0a966ae24ad90624510ce85ce8e4b
Instruction ID: 0d31a7684a5ededefa27623c3364f91b753397421e6ff84fb9d8b076347b34e6
Opcode Fuzzy Hash: b7edfb71d049743d0b7c9dc4888a962e79c0a966ae24ad90624510ce85ce8e4b
Instruction Fuzzy Hash: 9F018B66714B9282E7008B15E4953ADB760F789BE4F544231DB2C477A9CF7CD649C700

Function 00007FFDFB761EBC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FFDFB761F50

Strings

NULL, xrefs: 00007FFDFB761EF7
BrandingName, xrefs: 00007FFDFB761F06

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: MessageTrace
String ID: BrandingName$NULL
API String ID: 471583391-1357520495
Opcode ID: 890ccf2b98fdb7baf1f4029b5461cb4353ea6bafeb1c3e0331ba9ad35d44f6e5
Instruction ID: 80b6b5decf548661fc89435dbf81e59b3feca141389ab8bad1bfe899d4620fb4
Opcode Fuzzy Hash: 890ccf2b98fdb7baf1f4029b5461cb4353ea6bafeb1c3e0331ba9ad35d44f6e5
Instruction Fuzzy Hash: 2F018471609B82C9E7248B10F454B5AB7B6FB95360F945325D6AD07BF8DF3DC1548700

Function 00007FFDFB75399C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMT ref: 00007FFDFB7539F1
_CxxThrowException.MSVCRT ref: 00007FFDFB753A02

Strings

list<T> too long, xrefs: 00007FFDFB7539D5

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ExceptionThrowstd::bad_exception::bad_exception
String ID: list<T> too long
API String ID: 1480402491-4027344264
Opcode ID: 990c71be13667554f5047bbc5bcab6a659fefdf2e1dc959b18bea381f7467d61
Instruction ID: 8a5e4d0b16673775f322fbdb4bed6067c31d6458c41b6582df9cf1f83a116a0e
Opcode Fuzzy Hash: 990c71be13667554f5047bbc5bcab6a659fefdf2e1dc959b18bea381f7467d61
Instruction Fuzzy Hash: E9014F61719B4391DF209B14E8617A97321FB85774F901335D5BD467F9DE6CE206C700

Function 00007FFDFB7646A8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00007FFDFB7646D6
GetPropW.USER32 ref: 00007FFDFB7646E7

Strings

ImmersiveContextMenuArray_%lu-%lu, xrefs: 00007FFDFB7646C7

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Prop_cwprintf_s_l
String ID: ImmersiveContextMenuArray_%lu-%lu
API String ID: 2277916533-1220520276
Opcode ID: 25537ed9547c4d0ddf0b95a2dcea5fcf1e8d18d6970cb8a3b3f4e2794ba2dd0e
Instruction ID: 5add60ff5b5ce204692bdf48dc7d123d8656f20473e2514f79adb8f9bd3f22ff
Opcode Fuzzy Hash: 25537ed9547c4d0ddf0b95a2dcea5fcf1e8d18d6970cb8a3b3f4e2794ba2dd0e
Instruction Fuzzy Hash: 27F06D26715B4282DB009B1AEA514BDB660BB88BC0B584031DF5D4337AEE38D5418700

Function 00007FFDFB765390 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00007FFDFB7653BC
GetPropW.USER32 ref: 00007FFDFB7653CD

Strings

ImmersiveContextMenuArray_%lu, xrefs: 00007FFDFB76539E

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Prop_cwprintf_s_l
String ID: ImmersiveContextMenuArray_%lu
API String ID: 2277916533-919551790
Opcode ID: 0e3b56e0b4e28b4dac1833065aeb1e509c87028adf1f560becddb33e0db3cd61
Instruction ID: 224332dfa57194695f1169e1a843c57fc972d7b944ba7339554f70bcf53644c6
Opcode Fuzzy Hash: 0e3b56e0b4e28b4dac1833065aeb1e509c87028adf1f560becddb33e0db3cd61
Instruction Fuzzy Hash: 89F09026715B46C2DB009F19E5600BDB3B0FB89BE0B544231DF6D433B9DE78D5458700

Function 00007FFDFB72DB30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMT ref: 00007FFDFB72DB6E
_CxxThrowException.MSVCRT ref: 00007FFDFB72DB7F

Strings

string too long, xrefs: 00007FFDFB72DB52

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ExceptionThrowstd::bad_exception::bad_exception
String ID: string too long
API String ID: 1480402491-2556327735
Opcode ID: 0e49b01fbbc2285476d99624efe12cc0d24c857b6a7d3a36ae7371f6df7598ef
Instruction ID: b935f4adf7961cb1eaa8519a8349b43aa219dc135d4f88e8829b357f33bcff2f
Opcode Fuzzy Hash: 0e49b01fbbc2285476d99624efe12cc0d24c857b6a7d3a36ae7371f6df7598ef
Instruction Fuzzy Hash: 55E0AC2171AB47D1DB209B14E8616A97321FBC5368F901335E1BD46AFDDEACE609CB40

Function 00007FFDFB764B58 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00007FFDFB764B83
RemovePropW.USER32 ref: 00007FFDFB764B94

Strings

ImmersiveContextMenuArray_%lu-%lu, xrefs: 00007FFDFB764B75

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: PropRemove_cwprintf_s_l
String ID: ImmersiveContextMenuArray_%lu-%lu
API String ID: 542518557-1220520276
Opcode ID: b8acbdf66bb2264c295643801edda4406b41c2c12fbe1bcd952d69b680a4c099
Instruction ID: a349a81f24d1e87016c09fdece3d9c8c9e7a8b1e34205441a57eb127dfee62f7
Opcode Fuzzy Hash: b8acbdf66bb2264c295643801edda4406b41c2c12fbe1bcd952d69b680a4c099
Instruction Fuzzy Hash: D5F082A6B26706C2EB009B12D4657B97630FB99B98F500131CB1D473B5DF3CD6498750

Function 00007FFDFB73EAEC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFDFB73EB08
RaiseException.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFB73EB27

Strings

Windows.Networking.UX.UXManager, xrefs: 00007FFDFB73EB01

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: CreateExceptionRaiseReferenceStringWindows
String ID: Windows.Networking.UX.UXManager
API String ID: 289596593-1327396333
Opcode ID: 20751556a6f31273929ebdaeb119d44cd7250742e440dd954ca660baf16cb176
Instruction ID: daf86bce56ee967642a1cab4d82241690b43d552f7df5f5ea36663f67709c252
Opcode Fuzzy Hash: 20751556a6f31273929ebdaeb119d44cd7250742e440dd954ca660baf16cb176
Instruction Fuzzy Hash: 7FE0923171574287E7004B91E820EB57622EB9DB81F489031CD2D437B4DB3DA485C700

Function 00007FFDFB74D1F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMT ref: 00007FFDFB74D236
_CxxThrowException.MSVCRT ref: 00007FFDFB74D247

Strings

vector<T> too long, xrefs: 00007FFDFB74D21A

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: ExceptionThrowstd::bad_exception::bad_exception
String ID: vector<T> too long
API String ID: 1480402491-3788999226
Opcode ID: 4262a0f11455157c34321016469b219dd9adeec3968d0e6fde21532726b99c82
Instruction ID: ee1e1f921a31cf61b3172f52ccb6636d9887b4ff34ec1c21a9b32a63db374fbf
Opcode Fuzzy Hash: 4262a0f11455157c34321016469b219dd9adeec3968d0e6fde21532726b99c82
Instruction Fuzzy Hash: F4F0FE2171AB47D1EB209B14E865AA97320FBC4364F901331E1BD469FDDF6CE649C700

Function 00007FFDFB7373A4 Relevance: 5.0, APIs: 4, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FFDFB737097), ref: 00007FFDFB7373D9
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FFDFB737097), ref: 00007FFDFB7373ED
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FFDFB737097), ref: 00007FFDFB737411
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FFDFB737097), ref: 00007FFDFB737425

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 79acea38b854077905d6fbd763960d3110907110a8847787728385c86202c091
Instruction ID: 04c20033109862babb12238d366235a104111203fc90a4ba99b15f1e582d2746
Opcode Fuzzy Hash: 79acea38b854077905d6fbd763960d3110907110a8847787728385c86202c091
Instruction Fuzzy Hash: 8C114C32A05B52CAD7048F56F4400ACBBB1F749F80B5D8126DB5E03768DF38E492C744

Function 00007FFDFB7512B4 Relevance: 5.0, APIs: 4, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FFDFB7362B4), ref: 00007FFDFB7512BA
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FFDFB7362B4), ref: 00007FFDFB7512D2
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FFDFB7362B4), ref: 00007FFDFB751314
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FFDFB7362B4), ref: 00007FFDFB751328

Part of subcall function 00007FFDFB751138: InterlockedPopEntrySList.API-MS-WIN-CORE-INTERLOCKED-L1-1-0 ref: 00007FFDFB75115E

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Heap$Process$AllocEntryFreeInterlockedList
String ID:
API String ID: 3120275070-0
Opcode ID: 9fb0dca6a41c190a57b94eb7892fd193b77b9b22abef408b87e5ee2a71f846a9
Instruction ID: d3f168d60a39d601bfdd87dcd67f4634abb95404adc63eeee4bcdc672649cd53
Opcode Fuzzy Hash: 9fb0dca6a41c190a57b94eb7892fd193b77b9b22abef408b87e5ee2a71f846a9
Instruction Fuzzy Hash: 1D012131B0BB07CAEB195BA29434578BAA1EF49B42F488135C92E01BFCEF3C6446C610

Function 00007FFDFB751220 Relevance: 5.0, APIs: 4, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FFDFB751153), ref: 00007FFDFB75123C
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FFDFB751153), ref: 00007FFDFB751254
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FFDFB751153), ref: 00007FFDFB751272
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FFDFB751153), ref: 00007FFDFB751286

Memory Dump Source

Source File: 00000006.00000002.1854185345.00007FFDFB721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB720000, based on PE: true

Associated: 00000006.00000002.1854166208.00007FFDFB720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854245937.00007FFDFB77B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB77D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB78F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB799000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB79D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB7EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB82A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB84F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB874000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB8FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB90B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB923000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1854261533.00007FFDFB92B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffdfb720000_rundll32.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 5eeaca8e623249c34f1dd72540b95062153ddbb1bc2a30ca12e92c3fd5e611c1
Instruction ID: 20a4d971c4c0b9f1b356b5fc8ac0482ec57198c56ea9e9fde70e099559887dd1
Opcode Fuzzy Hash: 5eeaca8e623249c34f1dd72540b95062153ddbb1bc2a30ca12e92c3fd5e611c1
Instruction Fuzzy Hash: A3012C31706B46CAEB148B56E414679BBA1FB4EB81F489135CE1D437B8EF39D4858700

Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFDFB75EA88 NtQueryWnfStateData,free,RtlSubscribeWnfStateChangeNotification,free,	6_2_00007FFDFB75EA88
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFDFB72C020 GetCurrentProcessId,ProcessIdToSessionId,EnterCriticalSection,memset,NtQueryWnfStateData,RtlSubscribeWnfStateChangeNotification,LeaveCriticalSection,GetLastError,LeaveCriticalSection,EnterCriticalSection,CompareFileTime,CompareFileTime,LeaveCriticalSection,LeaveCriticalSection,	6_2_00007FFDFB72C020
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFDFB75E76C NtQueryInformationToken,NtQueryInformationToken,	6_2_00007FFDFB75E76C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFDFB7496BC NtQueryWnfStateData,CoTaskMemAlloc,NtQueryWnfStateData,CoTaskMemFree,	6_2_00007FFDFB7496BC

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll	String found in binary or memory: http://%s/dupe.php?q=%d.%d.%d.%d.%d.%s.1.%d
Source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll	String found in binary or memory: http://%s/dupe.php?q=%d.%d.%d.%d.%d.%s.1.%d#
Source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll	String found in binary or memory: http://95.143.193.138/xxxx_3/
Source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll	String found in binary or memory: http://95.143.193.138/xxxx_3/6
Source: AyCnklzHb7.dll	String found in binary or memory: http://get.fc-gosh.biz/launch_reb.php?
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: rundll32.exe	String found in binary or memory: http://www.msftconnecttest.com/redirect
Source: rundll32.exe, 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll	String found in binary or memory: http://www.msftconnecttest.com/redirectSYSTEM

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AyCnklzHb7.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_AyC_fb9b92f43c102562343d31e4f5178f3e88763e23_bd768f29_1443d499-630d-49fa-b14c-9e2eb45ef996\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER83D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER919.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER948.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
AyCnklzHb7.dll

Function 00007FFDFB7231F0 Relevance: 2.6, APIs: 2, Instructions: 77
COMMON

Function 00007FFDFB7218F0 Relevance: 66.9, APIs: 30, Strings: 8, Instructions: 395
libraryloadermemoryCOMMON

Function 00007FFDFB762DD8 Relevance: 46.2, APIs: 21, Strings: 5, Instructions: 659
windowCOMMON

Function 00007FFDFB7289E0 Relevance: 38.7, APIs: 18, Strings: 4, Instructions: 233
libraryloaderthreadCOMMON

Function 00007FFDFB7257D0 Relevance: 33.7, APIs: 14, Strings: 5, Instructions: 418
windowregistryCOMMON

Function 00007FFDFB728BF0 Relevance: 28.4, APIs: 12, Strings: 4, Instructions: 358
registryCOMMON

Function 00007FFDFB729B20 Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 325
memorylibraryloaderCOMMON

Function 00007FFDFB726973 Relevance: 47.6, APIs: 21, Strings: 6, Instructions: 395
registrywindowCOMMON

Function 00007FFDFB763824 Relevance: 31.8, APIs: 13, Strings: 5, Instructions: 264
COMMON

Function 00007FFDFB725530 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 328
stringwindowCOMMON