
Windows Analysis Report
dllhost.exe

Overview

General Information

Sample name:dllhost.exe
Analysis ID:1561842
MD5:7549250ca5b7f98a08707dea4ffb06fc
SHA1:5cc5fa87159c1f3d49fc262318e1d473deee1908
SHA256:d90bf2a4dda2e45cf2406dec9e3252487029347d239121a388675cd7580f2f53
Tags:exemineruser-Niki

Detection

Xmrig
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Detected VMProtect packer
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing a special instruction (VM detection)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential time zone aware malware
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • dllhost.exe (PID: 5480 cmdline: "C:\Users\user\Desktop\dllhost.exe" MD5: 7549250CA5B7F98A08707DEA4FFB06FC)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | -
Process Memory Space: dllhost.exe PID: 5480 | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | -

      System Summary

      Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: "C:\Users\user\Desktop\dllhost.exe", CommandLine: "C:\Users\user\Desktop\dllhost.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\dllhost.exe, NewProcessName: C:\Users\user\Desktop\dllhost.exe, OriginalFileName: C:\Users\user\Desktop\dllhost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\dllhost.exe", ProcessId: 5480, ProcessName: dllhost.exe
      No Suricata rule has matched

      AV Detection

      Source: dllhost.exe | Avira: detected
      Source: dllhost.exe | ReversingLabs: Detection: 87%
      Source: dllhost.exe | Joe Sandbox ML: detected

      Bitcoin Miner

      Source: Yara match | File source: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: dllhost.exe PID: 5480, type: MEMORYSTR
      Source: dllhost.exe | String found in binary or memory: new job from stratum+tcp://
      Source: dllhost.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: dllhost.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_00FDF85C FindFirstFileW,FindClose, 0_2_00FDF85C
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_00FDF278 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 0_2_00FDF278
      Source: dllhost.exe, dllhost.exe, 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://online.drweb.com/result/
      Source: dllhost.exe, dllhost.exe, 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, dllhost.exe, 00000000.00000003.1682531825.0000000003530000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.indyproject.org/

      System Summary

      Source: dllhost.exe | Static PE information: .vmp0 and .vmp1 section names
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_00FDD7F0 0_2_00FDD7F0
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_014AD87F 0_2_014AD87F
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: String function: 014A9648 appears 35 times
      Source: dllhost.exe | Static PE information: Number of sections : 13 > 10
      Source: dllhost.exe, 00000000.00000002.1685545668.0000000001CB7000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename7za.exe, vs dllhost.exe
      Source: dllhost.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: classification engine | Classification label: mal100.evad.mine.winEXE@1/0@0/0
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_00FFA10C GetDiskFreeSpaceW, 0_2_00FFA10C
      Source: C:\Users\user\Desktop\dllhost.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\Desktop\dllhost.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: dllhost.exe | ReversingLabs: Detection: 87%
      Source: dllhost.exe | String found in binary or memory: -Installation run additional miner, changed name exename
      Source: dllhost.exe | String found in binary or memory: ISO_6937-2-add
      Source: dllhost.exe | String found in binary or memory: -STOPPING:
      Source: dllhost.exe | String found in binary or memory: -STARTING:
      Source: dllhost.exe | String found in binary or memory: NATS-SEFI-ADD
      Source: dllhost.exe | String found in binary or memory: NATS-DANO-ADD
      Source: dllhost.exe | String found in binary or memory: -Installed today.
      Source: dllhost.exe | String found in binary or memory: JIS_C6229-1984-b-add
      Source: dllhost.exe | String found in binary or memory: jp-ocr-b-add
      Source: dllhost.exe | String found in binary or memory: JIS_C6229-1984-hand-add
      Source: dllhost.exe | String found in binary or memory: jp-ocr-hand-add
      Source: C:\Users\user\Desktop\dllhost.exe | Section loaded: wininet.dll
      Source: C:\Users\user\Desktop\dllhost.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\dllhost.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\dllhost.exe | Section loaded: shfolder.dll
      Source: C:\Users\user\Desktop\dllhost.exe | Section loaded: wsock32.dll
      Source: C:\Users\user\Desktop\dllhost.exe | Section loaded: wtsapi32.dll
      Source: C:\Users\user\Desktop\dllhost.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\dllhost.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\dllhost.exe | Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\dllhost.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\dllhost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\dllhost.exe | Section loaded: winsta.dll
      Source: C:\Users\user\Desktop\dllhost.exe | Section loaded: security.dll
      Source: C:\Users\user\Desktop\dllhost.exe | Section loaded: secur32.dll
      Source: C:\Users\user\Desktop\dllhost.exe | Section loaded: sspicli.dll
      Source: dllhost.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
      Source: dllhost.exe | Static file information: File size 6231040 > 1048576
      Source: dllhost.exe | Static PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0x5e2c00
      Source: dllhost.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_014B079B LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_014B079B
      Source: initial sample | Static PE information: section where entry point is pointing to: .vmp1
      Source: dllhost.exe | Static PE information: section name: .didata
      Source: dllhost.exe | Static PE information: section name: .vmp0
      Source: dllhost.exe | Static PE information: section name: .vmp1
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_0100A000 push ecx; mov dword ptr [esp], eax 0_2_0100A001
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_0100A030 push ecx; mov dword ptr [esp], eax 0_2_0100A031
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_00FFC174 push ecx; mov dword ptr [esp], ecx 0_2_00FFC175
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_0105436C push ecx; mov dword ptr [esp], eax 0_2_0105436E
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_00FFC268 push ecx; mov dword ptr [esp], ecx 0_2_00FFC269
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_0100E248 push ecx; mov dword ptr [esp], edx 0_2_0100E24A
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_0100E28C push ecx; mov dword ptr [esp], edx 0_2_0100E28E
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_00FFA36C push ecx; mov dword ptr [esp], ecx 0_2_00FFA370
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_0100E2B4 push ecx; mov dword ptr [esp], eax 0_2_0100E2B5
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_00FFA330 push ecx; mov dword ptr [esp], ecx 0_2_00FFA333
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_0100E540 push ecx; mov dword ptr [esp], edx 0_2_0100E541
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_01031540 push ecx; mov dword ptr [esp], edx 0_2_01031541
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_0101A55C push ecx; mov dword ptr [esp], ecx 0_2_0101A55F
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_0101643C push ecx; mov dword ptr [esp], eax 0_2_0101643D
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_01016454 push ecx; mov dword ptr [esp], eax 0_2_01016455
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_010324D8 push ecx; mov dword ptr [esp], eax 0_2_010324DA
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_01013764 push ecx; mov dword ptr [esp], edx 0_2_01013767
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_00FE0604 push ecx; mov dword ptr [esp], eax 0_2_00FE0609
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_00FE18C0 push ecx; mov dword ptr [esp], edx 0_2_00FE18C1
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_01016850 push ecx; mov dword ptr [esp], eax 0_2_01016851
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_00FD7938 push ecx; mov dword ptr [esp], eax 0_2_00FD7939
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_0100E8D0 push ecx; mov dword ptr [esp], edx 0_2_0100E8D2
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_01023A34 push ecx; mov dword ptr [esp], edx 0_2_01023A35
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_00FF8B74 push ecx; mov dword ptr [esp], ecx 0_2_00FF8B78
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_01032D10 push ecx; mov dword ptr [esp], eax 0_2_01032D11
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_01032D30 push ecx; mov dword ptr [esp], eax 0_2_01032D31
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_0104FC70 push ecx; mov dword ptr [esp], ecx 0_2_0104FC74
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_00FF9EDC push ecx; mov dword ptr [esp], eax 0_2_00FF9EDF
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_00FDCE48 push ecx; mov dword ptr [esp], edx 0_2_00FDCE49
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_01054FC8 push ecx; mov dword ptr [esp], edx 0_2_01054FC9
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_00FFBFAC push ecx; mov dword ptr [esp], ecx 0_2_00FFBFAF

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Users\user\Desktop\dllhost.exe | Memory written: PID: 5480 base: 910007 value: E9 EB DF 62 76
      Source: C:\Users\user\Desktop\dllhost.exe | Memory written: PID: 5480 base: 76F3DFF0 value: E9 1E 20 9D 89
      Source: C:\Users\user\Desktop\dllhost.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: dllhost.exe, dllhost.exe, 00000000.00000002.1684739707.0000000001493000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: SBIEDLL.DLL
      Source: C:\Users\user\Desktop\dllhost.exe | RDTSC instruction interceptor: First address: 1C85E56 second address: 1C85E62 instructions: 0x00000000 rdtsc 0x00000002 pop esi 0x00000003 pop ecx 0x00000004 cwde 0x00000005 cmovb di, bx 0x00000009 xchg dh, bh 0x0000000b pop ebx 0x0000000c rdtsc
      Source: C:\Users\user\Desktop\dllhost.exe | RDTSC instruction interceptor: First address: 14F9F7D second address: 14F9F89 instructions: 0x00000000 rdtsc 0x00000002 pop esi 0x00000003 pop ecx 0x00000004 cwde 0x00000005 cmovb di, bx 0x00000009 xchg dh, bh 0x0000000b pop ebx 0x0000000c rdtsc
      Source: C:\Users\user\Desktop\dllhost.exe | Special instruction interceptor: First address: 1C88680 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
      Source: C:\Users\user\Desktop\dllhost.exe | API coverage: 7.7 %
      Source: C:\Users\user\Desktop\dllhost.exe | System information queried: CurrentTimeZoneInformation
      Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_00FDF85C FindFirstFileW,FindClose, 0_2_00FDF85C
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_00FDF278 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 0_2_00FDF278
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_0102FF9C GetSystemInfo, 0_2_0102FF9C
      Source: dllhost.exe, 00000000.00000002.1683417497.0000000000A08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Users\user\Desktop\dllhost.exe | Process information queried: ProcessInformation

      Anti Debugging

      Source: C:\Users\user\Desktop\dllhost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\dllhost.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\dllhost.exe | Process queried: DebugObjectHandle
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_014A9149 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_014A9149
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_014B079B LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_014B079B
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_00FD7238 GetProcessHeap,HeapFree, 0_2_00FD7238
      Source: C:\Users\user\Desktop\dllhost.exe | Process token adjusted: Debug
      Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_014AE696 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_014AE696
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_014A7F58 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_014A7F58
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 0_2_00FDF9B4
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: EnumSystemLocalesW, 0_2_010045EC
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00FDEE14
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: GetLocaleInfoW, 0_2_00FFEF8C
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: GetLocaleInfoA, 0_2_014AFA65
      Source: C:\Users\user\Desktop\dllhost.exe | Code function: 0_2_00FFC7D4 GetLocalTime, 0_2_00FFC7D4
      MITRE ATT&CK matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques flagged for this sample: Command and Scripting Interpreter, Native API, DLL Side-Loading, Virtualization/Sandbox Evasion, Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Credential API Hooking, System Time Discovery, Security Software Discovery, Process Discovery, File and Directory Discovery, System Information Discovery, Archive Collected Data, Encrypted Channel.
      Source | Detection | Scanner | Label | Link
      dllhost.exe | 88% | ReversingLabs | Win32.Trojan.HSMiner | -
      dllhost.exe | 100% | Avira | TR/AD.HSMinerDlder.absza | -
      dllhost.exe | 100% | Joe Sandbox ML | - | -
      No Antivirus matches
      Source | Detection | Scanner | Label | Link
      http://online.drweb.com/result/ | 0% | Avira URL Cloud | safe | -
      No contacted domains info
      Name | Source | Malicious | Antivirus Detection | Reputation
      http://online.drweb.com/result/ | dllhost.exe, dllhost.exe, 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.indyproject.org/ | dllhost.exe, dllhost.exe, 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, dllhost.exe, 00000000.00000003.1682531825.0000000003530000.00000004.00001000.00020000.00000000.sdmp | false | - | high
        No contacted IP infos
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1561842
        Start date and time:2024-11-24 13:10:09 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 2m 59s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of new started processes analysed:1
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:dllhost.exe
        Detection:MAL
        Classification:mal100.evad.mine.winEXE@1/0@0/0
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:Failed
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Stop behavior analysis, all processes terminated
        • VT rate limit hit for: dllhost.exe
        Time | Type | Description
        07:11:02 | API Interceptor | 7x Sleep call for process: dllhost.exe modified
        No context
        No created / dropped files found
        File type:PE32 executable (GUI) Intel 80386, for MS Windows
        Entropy (8bit):7.937876748576129
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.83%
        • Windows Screen Saver (13104/52) 0.13%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:dllhost.exe
        File size:6'231'040 bytes
        MD5:7549250ca5b7f98a08707dea4ffb06fc
        SHA1:5cc5fa87159c1f3d49fc262318e1d473deee1908
        SHA256:d90bf2a4dda2e45cf2406dec9e3252487029347d239121a388675cd7580f2f53
        SHA512:be36308ca522eb41871ab1d0a311645ec356bf42357c597dbd81e908173bd2edd5a1f4ccf86ebad269555248dadc5e1fe482e294ab620c5bfc527ee3d922022f
        SSDEEP:98304:5A/ORTgPAB+/oPNv5Gmj0IFcyfzQRfFNQsxjLXUkZYSCnfIAYHsPNtG9+jqgo3ma:WGMsooPNsIFVE5QgCfPYMHC3vt
        TLSH:125623E25E713148D1E9C939BA337EFD34F30F2685122839A99BF9C724B5694A613C43
        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........PE..L...O..f.................rG..........F........G...@.................................h._...@......@.........................
        Icon Hash:6869cccccce8698e
        Entrypoint:0xdc46d5
        Entrypoint Section:.vmp1
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Time Stamp:0x66B8CF4F [Sun Aug 11 14:48:47 2024 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:6
        OS Version Minor:0
        File Version Major:6
        File Version Minor:0
        Subsystem Version Major:6
        Subsystem Version Minor:0
        Import Hash:784385f4735288c948be503be851b8ef
        Instruction listing at entry point (section .vmp1): raw disassembly dump omitted
        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0xa3d5bc | 0xc96 | .vmp1
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa7a908 | 0x1a4 | .vmp1
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcda000 | 0xe2f44 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xcd9000 | 0x584 | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
        IMAGE_DIRECTORY_ENTRY_TLS | 0x9ca11c | 0x70 | .vmp1
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
        IMAGE_DIRECTORY_ENTRY_IAT | 0xbd8000 | 0xbec | .vmp1
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x9b67a4 | 0x1c0 | .vmp1
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x1000 | 0x473878 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .itext | 0x475000 | 0x37a8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .data | 0x479000 | 0x25b74 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .bss | 0x49f000 | 0x1b248 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .idata | 0x4bb000 | 0x3fc2 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .didata | 0x4bf000 | 0xd34 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .edata | 0x4c0000 | 0x6f | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .tls | 0x4c1000 | 0x58 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .rdata | 0x4c2000 | 0x5d | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .vmp0 | 0x4c3000 | 0x232c40 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .vmp1 | 0x6f6000 | 0x5e2ab0 | 0x5e2c00 | 32b9be1317360727c8f3be3854b0bbb6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .reloc | 0xcd9000 | 0x584 | 0x600 | 2b6ab5cf411b4a310a1a85f7acfdbf13 | False | 0.5247395833333334 | data | 4.20084185014455 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .rsrc | 0xcda000 | 0xe2f44 | 0xde00 | 616dc6aa1aab8d19dea22e9ffe53ec1d | False | 0.19406320382882883 | data | 3.982593752272412 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0xce7c38 | 0x134 | data | English | United States | 0.04220779220779221
RT_CURSOR | 0xce7d6c | 0x134 | data | English | United States | 0.08108108108108109
RT_CURSOR | 0xce7ea0 | 0x134 | empty | English | United States | 0
RT_CURSOR | 0xce7fd4 | 0x134 | empty | English | United States | 0
RT_CURSOR | 0xce8108 | 0x134 | empty | English | United States | 0
RT_CURSOR | 0xce823c | 0x134 | empty | English | United States | 0
RT_CURSOR | 0xce8370 | 0x134 | empty | English | United States | 0
RT_CURSOR | 0xce84a4 | 0x134 | empty | English | United States | 0
RT_ICON | 0xcdb2b8 | 0x1876 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9412328329607155
RT_ICON | 0xcdcb30 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.04292631081719414
RT_ICON | 0xce0d58 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.06006224066390042
RT_ICON | 0xce3300 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 6720 | English | United States | 0.06301775147928994
RT_ICON | 0xce4d68 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.08536585365853659
RT_ICON | 0xce5e10 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.10491803278688525
RT_ICON | 0xce6798 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.10697674418604651
RT_ICON | 0xce6e50 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.13120567375886524
RT_STRING | 0xce85d8 | 0x26c | empty | | | 0
RT_STRING | 0xce8844 | 0x3c8 | empty | | | 0
RT_STRING | 0xce8c0c | 0x308 | empty | | | 0
RT_STRING | 0xce8f14 | 0x548 | empty | | | 0
RT_STRING | 0xce945c | 0x45c | empty | | | 0
RT_STRING | 0xce98b8 | 0x284 | empty | | | 0
RT_STRING | 0xce9b3c | 0x4c8 | empty | | | 0
RT_STRING | 0xcea004 | 0x574 | empty | | | 0
RT_STRING | 0xcea578 | 0x540 | empty | | | 0
RT_STRING | 0xceaab8 | 0x4cc | empty | | | 0
RT_STRING | 0xceaf84 | 0x514 | empty | | | 0
RT_STRING | 0xceb498 | 0x898 | empty | | | 0
RT_STRING | 0xcebd30 | 0x106c | empty | | | 0
RT_STRING | 0xcecd9c | 0x9f8 | empty | | | 0
RT_STRING | 0xced794 | 0x894 | empty | | | 0
RT_STRING | 0xcee028 | 0x87c | empty | | | 0
RT_STRING | 0xcee8a4 | 0x400 | empty | | | 0
RT_STRING | 0xceeca4 | 0x2bc | empty | | | 0
RT_STRING | 0xceef60 | 0x5b0 | empty | | | 0
RT_STRING | 0xcef510 | 0x3e4 | empty | | | 0
RT_STRING | 0xcef8f4 | 0x408 | empty | | | 0
RT_STRING | 0xcefcfc | 0x35c | empty | | | 0
RT_STRING | 0xcf0058 | 0x478 | empty | | | 0
RT_STRING | 0xcf04d0 | 0x358 | empty | | | 0
RT_STRING | 0xcf0828 | 0x394 | empty | | | 0
RT_STRING | 0xcf0bbc | 0x264 | empty | | | 0
RT_STRING | 0xcf0e20 | 0x434 | empty | | | 0
RT_STRING | 0xcf1254 | 0x3c0 | empty | | | 0
RT_STRING | 0xcf1614 | 0x2cc | empty | | | 0
RT_STRING | 0xcf18e0 | 0x3e4 | empty | | | 0
RT_STRING | 0xcf1cc4 | 0x260 | empty | | | 0
RT_STRING | 0xcf1f24 | 0xbc | empty | | | 0
RT_STRING | 0xcf1fe0 | 0xfc | empty | | | 0
RT_STRING | 0xcf20dc | 0x3e8 | empty | | | 0
RT_STRING | 0xcf24c4 | 0x3fc | empty | | | 0
RT_STRING | 0xcf28c0 | 0x3ac | empty | | | 0
RT_STRING | 0xcf2c6c | 0x52c | empty | | | 0
RT_STRING | 0xcf3198 | 0x2b0 | empty | | | 0
RT_STRING | 0xcf3448 | 0x3a0 | empty | | | 0
RT_STRING | 0xcf37e8 | 0x3f8 | empty | | | 0
RT_STRING | 0xcf3be0 | 0x650 | empty | | | 0
RT_STRING | 0xcf4230 | 0x414 | empty | | | 0
RT_STRING | 0xcf4644 | 0x484 | empty | | | 0
RT_STRING | 0xcf4ac8 | 0x38c | empty | | | 0
RT_STRING | 0xcf4e54 | 0x32c | empty | | | 0
RT_STRING | 0xcf5180 | 0x44c | empty | | | 0
RT_STRING | 0xcf55cc | 0x21c | empty | | | 0
RT_STRING | 0xcf57e8 | 0xbc | empty | | | 0
RT_STRING | 0xcf58a4 | 0x100 | empty | | | 0
RT_STRING | 0xcf59a4 | 0x3e8 | empty | | | 0
RT_STRING | 0xcf5d8c | 0x498 | empty | | | 0
RT_STRING | 0xcf6224 | 0x2f8 | empty | | | 0
RT_STRING | 0xcf651c | 0x2f0 | empty | | | 0
RT_STRING | 0xcf680c | 0x368 | empty | | | 0
RT_RCDATA | 0xcf6b74 | 0x10 | empty | | | 0
RT_RCDATA | 0xcf6b84 | 0x148b | empty | English | United States | 0
RT_RCDATA | 0xcf8010 | 0x111e | empty | English | United States | 0
RT_RCDATA | 0xcf9130 | 0xd8c | empty | English | United States | 0
RT_RCDATA | 0xcf9ebc | 0x11d4 | empty | | | 0
RT_RCDATA | 0xcfb090 | 0x2 | empty | English | United States | 0
RT_RCDATA | 0xcfb094 | 0x5e2 | empty | | | 0
RT_RCDATA | 0xcfb678 | 0x229 | empty | | | 0
RT_RCDATA | 0xcfb8a4 | 0xc1600 | empty | English | United States | 0
RT_GROUP_CURSOR | 0xdbcea4 | 0x14 | empty | English | United States | 0
RT_GROUP_CURSOR | 0xdbceb8 | 0x14 | empty | English | United States | 0
RT_GROUP_CURSOR | 0xdbcecc | 0x14 | empty | English | United States | 0
RT_GROUP_CURSOR | 0xdbcee0 | 0x14 | empty | English | United States | 0
RT_GROUP_CURSOR | 0xdbcef4 | 0x14 | empty | English | United States | 0
RT_GROUP_CURSOR | 0xdbcf08 | 0x14 | empty | English | United States | 0
RT_GROUP_CURSOR | 0xdbcf1c | 0x14 | empty | English | United States | 0
RT_GROUP_CURSOR | 0xdbcf30 | 0x14 | empty | English | United States | 0
RT_GROUP_ICON | 0xce72b8 | 0x76 | data | English | United States | 0.7542372881355932
RT_VERSION | 0xce7330 | 0x1fc | data | English | United States | 0.5137795275590551
RT_MANIFEST | 0xce752c | 0x709 | XML 1.0 document, ASCII text, with CRLF, LF line terminators | English | United States | 0.4031093836757357
DLL | Import
wininet.dll | DeleteUrlCacheEntryW
winspool.drv | DocumentPropertiesW, ClosePrinter, OpenPrinterW, GetDefaultPrinterW, EnumPrintersW
comctl32.dll | ImageList_GetImageInfo, FlatSB_SetScrollInfo, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, ImageList_Copy, FlatSB_GetScrollInfo, ImageList_Write, ImageList_DrawIndirect, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Replace, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_LoadImageW, ImageList_Draw, ImageList_Remove, ImageList_ReplaceIcon, ImageList_SetOverlayImage
shell32.dll | Shell_NotifyIconW, SHGetSpecialFolderPathW, SHAppBarMessage, ShellExecuteW, ShellExecuteExW
user32.dll | CopyImage, SetMenuItemInfoW, GetMenuItemInfoW, DefFrameProcW, GetDlgCtrlID, FrameRect, RegisterWindowMessageW, GetMenuStringW, FillRect, SendMessageA, EnumWindows, ShowOwnedPopups, GetClassInfoExW, GetClassInfoW, GetScrollRange, SetActiveWindow, GetActiveWindow, DrawEdge, GetKeyboardLayoutList, LoadBitmapW, EnumChildWindows, UnhookWindowsHookEx, SetCapture, GetCapture, ShowCaret, CreatePopupMenu, GetMenuItemID, CharLowerBuffW, PostMessageW, SetWindowLongW, IsZoomed, SetParent, DrawMenuBar, GetClientRect, IsChild, IsIconic, CallNextHookEx, ShowWindow, GetWindowTextW, SetForegroundWindow, IsDialogMessageW, DestroyWindow, RegisterClassW, EndMenu, CharNextW, GetFocus, GetDC, SetFocus, ReleaseDC, GetClassLongW, SetScrollRange, DrawTextW, PeekMessageA, MessageBeep, SetClassLongW, RemovePropW, GetSubMenu, DestroyIcon, IsWindowVisible, PtInRect, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, GetComboBoxInfo, LoadStringW, CreateMenu, CharLowerW, SetWindowRgn, SetWindowPos, GetMenuItemCount, GetSysColorBrush, GetWindowDC, DrawTextExW, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, GetSysColor, EnableScrollBar, TrackPopupMenu, DrawIconEx, GetClassNameW, GetMessagePos, GetIconInfo, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, SetCursorPos, GetCursorPos, SetMenu, GetMenuState, GetMenu, SetRect, GetKeyState, IsRectEmpty, ValidateRect, GetCursor, KillTimer, WaitMessage, TranslateMDISysAccel, GetWindowPlacement, GetMenuItemRect, CreateIconIndirect, CreateWindowExW, GetMessageW, GetDCEx, PeekMessageW, MonitorFromWindow, GetUpdateRect, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, MapVirtualKeyW, OffsetRect, IsWindowUnicode, DispatchMessageW, CreateAcceleratorTableW, DefMDIChildProcW, GetSystemMenu, SetScrollPos, GetScrollPos, InflateRect, DrawFocusRect, ReleaseCapture, LoadCursorW, ScrollWindow, GetLastActivePopup, GetSystemMetrics, CharUpperBuffW, SetClipboardData, GetClipboardData, ClientToScreen, SetWindowPlacement, GetMonitorInfoW, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, EnableWindow, GetWindowThreadProcessId, RedrawWindow, EndPaint, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, ActivateKeyboardLayout, GetParent, MonitorFromRect, InsertMenuItemW, GetPropW, MessageBoxW, SetPropW, UpdateWindow, MsgWaitForMultipleObjects, OemToCharA, DestroyMenu, SetWindowsHookExW, EmptyClipboard, GetDlgItem, AdjustWindowRectEx, IsWindow, DrawIcon, EnumThreadWindows, InvalidateRect, GetKeyboardState, ScreenToClient, DrawFrameControl, SetCursor, CreateIcon, RemoveMenu, GetKeyboardLayoutNameW, OpenClipboard, TranslateMessage, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, CloseClipboard, DestroyCursor, CopyIcon, PostQuitMessage, ShowScrollBar, EnableMenuItem, HideCaret, FindWindowExW, MonitorFromPoint, LoadIconW, SystemParametersInfoW, GetWindow, GetWindowRect, GetWindowLongW, InsertMenuW, PostThreadMessageW, IsWindowEnabled, IsDialogMessageA, FindWindowW, GetKeyboardLayout, DeleteMenu
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
URLMON.DLL | URLDownloadToFileW
oleaut32.dll | SafeArrayPutElement, GetErrorInfo, VariantInit, VariantClear, SysFreeString, SafeArrayAccessData, SysReAllocStringLen, SafeArrayCreate, SafeArrayGetElement, GetActiveObject, SysAllocStringLen, SafeArrayUnaccessData, SafeArrayPtrOfIndex, SafeArrayGetElemsize, VariantCopy, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopyInd, VariantChangeType
msvcrt.dll | isupper, isalpha, isalnum, toupper, memchr, memcmp, memcpy, memset, isprint, isspace, iscntrl, isxdigit, ispunct, isgraph, islower, tolower
advapi32.dll | CloseServiceHandle, RegSetValueExW, RegConnectRegistryW, CreateServiceW, StartServiceCtrlDispatcherW, DeregisterEventSource, RegQueryInfoKeyW, SetServiceStatus, RegUnLoadKeyW, RegSaveKeyW, DeleteService, RegReplaceKeyW, RegisterEventSourceW, RegCreateKeyExW, RegisterServiceCtrlHandlerW, OpenServiceW, RegLoadKeyW, RegEnumKeyExW, AdjustTokenPrivileges, RegDeleteKeyW, LookupPrivilegeValueW, OpenSCManagerW, RegOpenKeyExW, OpenProcessToken, RegDeleteValueW, ReportEventW, RegFlushKey, RegQueryValueExW, RegEnumValueW, RegCloseKey, RegRestoreKeyW, EnumServicesStatusW
kernel32.dll | SetFileAttributesW, GetFileType, SetFileTime, QueryDosDeviceW, GetACP, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, QueryPerformanceFrequency, IsDebuggerPresent, FindNextFileW, GetFullPathNameW, VirtualFree, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, EnumSystemLocalesW, GetStdHandle, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToTzSpecificLocalTime, GetModuleHandleW, FreeLibrary, TryEnterCriticalSection, HeapDestroy, FileTimeToDosDateTime, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, GlobalAlloc, GlobalUnlock, FindResourceW, CreateThread, CompareStringW, CopyFileW, MapViewOfFile, LoadLibraryA, GetVolumeInformationW, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, MoveFileW, GlobalAddAtomW, FormatMessageW, OpenProcess, SwitchToThread, GetExitCodeThread, GetCurrentThread, GetLogicalDrives, Wow64DisableWow64FsRedirection, GetFileAttributesExW, GlobalMemoryStatusEx, ExpandEnvironmentStringsW, GetPriorityClass, LoadLibraryExW, TerminateProcess, SetPriorityClass, LockResource, FileTimeToSystemTime, GetCurrentThreadId, UnhandledExceptionFilter, PeekNamedPipe, GlobalFindAtomW, VirtualQuery, GlobalFree, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, ReleaseMutex, LoadResource, Wow64EnableWow64FsRedirection, SuspendThread, GetTickCount, WritePrivateProfileStringW, GetFileSize, GlobalDeleteAtom, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, GlobalLock, SetThreadPriority, VirtualAlloc, GetTempPathW, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetLogicalDriveStringsW, GetVersionExW, VerifyVersionInfoW, HeapCreate, LCMapStringW, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, GetConsoleOutputCP, UnmapViewOfFile, GetConsoleCP, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, CreateMutexA, LoadLibraryW, SetEvent, GetLocaleInfoW, CreateFileW, SystemTimeToFileTime, EnumResourceNamesW, DeleteFileW, IsDBCSLeadByteEx, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateFileMappingW, ExitThread, OpenThread, CreatePipe, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, TzSpecificLocalTimeToSystemTime, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, RemoveDirectoryW, CreateEventW, GetPrivateProfileStringW, QueryFullProcessImageNameW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
SHFolder.dll | SHGetFolderPathW
wsock32.dll | gethostbyaddr, setsockopt, select, getsockopt, WSACleanup, gethostbyname, bind, gethostname, closesocket, WSAGetLastError, connect, getpeername, inet_addr, WSAAsyncSelect, WSAAsyncGetServByName, WSACancelAsyncRequest, send, accept, ntohs, htons, WSAStartup, getservbyname, getsockname, listen, socket, recv, inet_ntoa, ioctlsocket, WSAAsyncGetHostByName
ole32.dll | IsEqualGUID, ProgIDFromCLSID, OleInitialize, CLSIDFromProgID, OleUninitialize, CoInitialize, CoCreateInstance, CoUninitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID
gdi32.dll | Pie, SetBkMode, CreateCompatibleBitmap, GetEnhMetaFileHeader, RectVisible, AngleArc, SetAbortProc, SetTextColor, GetTextColor, StretchBlt, RoundRect, RestoreDC, SetRectRgn, GetTextMetricsW, GetWindowOrgEx, CreatePalette, PolyBezierTo, CreateICW, CreateDCW, GetStockObject, CreateSolidBrush, GetBkMode, Polygon, MoveToEx, PlayEnhMetaFile, Ellipse, StartPage, GetBitmapBits, StartDocW, AbortDoc, GetSystemPaletteEntries, GetEnhMetaFileBits, GetEnhMetaFilePaletteEntries, CreatePenIndirect, CreateFontIndirectW, PolyBezier, EndDoc, GetObjectW, GetCurrentObject, GetWinMetaFileBits, SetROP2, GetEnhMetaFileDescriptionW, ArcTo, Arc, SelectPalette, SetGraphicsMode, ExcludeClipRect, MaskBlt, SetWindowOrgEx, EndPage, DeleteEnhMetaFile, Chord, SetDIBits, GetViewportOrgEx, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, CreateBrushIndirect, PatBlt, SetEnhMetaFileBits, Rectangle, SaveDC, DeleteDC, BitBlt, SetWorldTransform, FrameRgn, GetDeviceCaps, GetTextExtentPoint32W, GetClipBox, IntersectClipRect, Polyline, CreateBitmap, CombineRgn, SetWinMetaFileBits, GetStretchBltMode, CreateDIBitmap, SetStretchBltMode, GetDIBits, CreateDIBSection, ExtCreateRegion, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, SelectObject, DeleteObject, ExtFloodFill, UnrealizeObject, CopyEnhMetaFileW, SetBkColor, CreateCompatibleDC, GetBrushOrgEx, GetCurrentPositionEx, SetDCPenColor, CreateRoundRectRgn, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, GdiFlush, SetPixel, EnumFontFamiliesExW, StretchDIBits, GetPaletteEntries
WTSAPI32.dll | WTSSendMessageW
kernel32.dll | VirtualQuery, GetSystemTimeAsFileTime, GetModuleHandleA, CreateEventA, GetModuleFileNameW, LoadLibraryA, TerminateProcess, GetCurrentProcess, CreateToolhelp32Snapshot, Thread32First, GetCurrentProcessId, GetCurrentThreadId, OpenThread, Thread32Next, CloseHandle, SuspendThread, ResumeThread, WriteProcessMemory, GetSystemInfo, VirtualAlloc, VirtualProtect, VirtualFree, GetProcessAffinityMask, SetProcessAffinityMask, GetCurrentThread, SetThreadAffinityMask, Sleep, FreeLibrary, GetTickCount, SystemTimeToFileTime, FileTimeToSystemTime, GlobalFree, LocalAlloc, LocalFree, GetProcAddress, ExitProcess, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, GetModuleHandleW, LoadResource, MultiByteToWideChar, FindResourceExW, FindResourceExA, WideCharToMultiByte, GetThreadLocale, GetUserDefaultLCID, GetSystemDefaultLCID, EnumResourceNamesA, EnumResourceNamesW, EnumResourceLanguagesA, EnumResourceLanguagesW, EnumResourceTypesA, EnumResourceTypesW, CreateFileW, LoadLibraryW, GetLastError, FlushFileBuffers, CreateFileA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, GetCommandLineA, RaiseException, RtlUnwind, HeapFree, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, LCMapStringA, LCMapStringW, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapCreate, HeapDestroy, QueryPerformanceCounter, HeapReAlloc, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, WriteFile, SetFilePointer, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, SetStdHandle
user32.dll | GetProcessWindowStation, GetUserObjectInformationW, CharUpperBuffW, MessageBoxW
kernel32.dll | LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
user32.dll | GetProcessWindowStation, GetUserObjectInformationW
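The same DLL appears in several rows above because the report prints one row per import descriptor. Read that way the table tells a story of its own: the first kernel32.dll row is the Delphi RTL's import set, the second one carries MSVC CRT start-up names (GetCommandLineA, HeapCreate, FreeEnvironmentStringsA) next to the CreateToolhelp32Snapshot/Thread32First/OpenThread/SuspendThread/WriteProcessMemory/VirtualProtect cluster, and the short third kernel32.dll row (affinity masks, LoadLibraryA/GetProcAddress, paired with a user32.dll row of GetProcessWindowStation/GetUserObjectInformationW/MessageBoxW) is, in my reading, the import set a VMProtect runtime stub brings with it, which fits the .vmp1 section above. Because LoadLibraryA and GetProcAddress are imported, this static table is only a lower bound on what the sample calls.

The Python below is an added example, not part of the Joe Sandbox report: it parses rows in this flattened "name.dll<Func, Func, ...>" form and groups the imported names into capability clusters an analyst would want to confirm dynamically. The rule set and labels are mine, and the constructed input is a subset of the rows above. A cluster hit is a pointer, not a verdict; a Delphi GUI application legitimately imports most of the registry and service APIs listed here.

```python
"""Capability triage over a Joe Sandbox-style flattened import table (added example)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the rows in this report's import table.
# kernel32.dll appears twice on purpose, one row per import descriptor, as in the report.
SAMPLE_ROWS = [
    "URLMON.DLLURLDownloadToFileW",
    "advapi32.dllCloseServiceHandle, RegSetValueExW, CreateServiceW, OpenSCManagerW, "
    "AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken",
    "kernel32.dllIsDebuggerPresent, VirtualAlloc, GetProcAddress, LoadLibraryA, "
    "SetPriorityClass, GetTickCount, Sleep, CreateProcessW",
    "kernel32.dllCreateToolhelp32Snapshot, Thread32First, Thread32Next, OpenThread, "
    "SuspendThread, ResumeThread, WriteProcessMemory, VirtualProtect, "
    "GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask",
    "wsock32.dllsocket, connect, send, recv, gethostbyname, WSAStartup",
]

# A row is '<module>.dll' or '<module>.drv' (any case) followed directly by a
# comma-separated function list; the non-greedy group stops at the first such suffix.
_ROW_RE = re.compile(r"^(?P<dll>[\w.-]+?\.(?:dll|drv))(?P<funcs>.*)$", re.IGNORECASE)


def parse_rows(rows):
    """Return {dll_lowercase: set(function names)}; rows for the same DLL are merged."""
    imports = defaultdict(set)
    for row in rows:
        m = _ROW_RE.match(row.strip())
        if m is None:
            raise ValueError(f"unparseable import row: {row!r}")
        funcs = {f.strip() for f in m.group("funcs").split(",") if f.strip()}
        imports[m.group("dll").lower()] |= funcs
    return dict(imports)


# label -> (APIs that must all be imported, what the combination enables).
# Every API name here occurs in the table above; the grouping is the author's.
CAPABILITY_RULES = {
    "thread-hijack-and-patch": (
        {"CreateToolhelp32Snapshot", "Thread32First", "OpenThread", "SuspendThread",
         "WriteProcessMemory", "VirtualProtect"},
        "enumerate and suspend threads, make pages writable, overwrite code",
    ),
    "cpu-affinity-control": (
        {"GetProcessAffinityMask", "SetProcessAffinityMask", "SetThreadAffinityMask"},
        "pin threads to cores; miners do this, but so does a protector stub around timing checks",
    ),
    "service-install": ({"OpenSCManagerW", "CreateServiceW"}, "register a Windows service"),
    "privilege-adjust": (
        {"OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges"},
        "enable token privileges such as SeDebugPrivilege",
    ),
    "downloader": ({"URLDownloadToFileW"}, "fetch a file via urlmon"),
    "runtime-api-resolution": (
        {"LoadLibraryA", "GetProcAddress"},
        "resolve more APIs at run time; the static table is a lower bound",
    ),
    "debugger-check": ({"IsDebuggerPresent"}, "basic anti-debug probe"),
    "raw-sockets": ({"socket", "connect", "send", "recv"}, "direct TCP traffic via wsock32"),
}


def all_functions(imports):
    """Flatten {dll: funcs} into one set of imported names (empty input gives an empty set)."""
    return set().union(*imports.values())


def match_capabilities(imports):
    """Return {label: explanation} for every rule whose APIs are all present."""
    present = all_functions(imports)
    return {label: why for label, (needed, why) in CAPABILITY_RULES.items() if needed <= present}


def missing_for(imports, label):
    """APIs a rule still needs; handy for explaining near-misses during triage."""
    needed, _ = CAPABILITY_RULES[label]
    return needed - all_functions(imports)


if __name__ == "__main__":
    table = parse_rows(SAMPLE_ROWS)
    print(f"{len(table)} DLLs, {len(all_functions(table))} distinct imports")
    for label, why in sorted(match_capabilities(table).items()):
        print(f"  [{label}] {why}")
```

Run it on the full table by pasting every row into SAMPLE_ROWS; merging duplicate DLL rows matters because the hijack cluster is split across descriptors in the real table, and a per-row check would miss it.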
Name | Ordinal | Address
__dbk_fcall_wrapper | 2 | 0x412808
dbkFCallWrapperAddr | 1 | 0x8a2644
These two exports are placed in Delphi-compiled executables by the run-time library for the IDE debugger's function-call evaluator; they corroborate the "Programmed in: Borland Delphi" field below and are not an indicator of malicious behaviour on their own.
Language of compilation system | Country where language is spoken | Map
English | United States | (map image not reproduced)
        No network behavior found

        Target ID:0
        Start time:07:11:01
        Start date:24/11/2024
        Path:C:\Users\user\Desktop\dllhost.exe
        Wow64 process (32bit):true
        Commandline:"C:\Users\user\Desktop\dllhost.exe"
        Imagebase:0xfd0000
        File size:6'231'040 bytes
        MD5 hash:7549250CA5B7F98A08707DEA4FFB06FC
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:Borland Delphi
        Yara matches:
        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
        Reputation:low
        Has exited:true

          Execution Graph

          Execution Coverage:1.8%
          Dynamic/Decrypted Code Coverage:0%
          Signature Coverage:0.2%
          Total number of Nodes:408
          Total number of Limit Nodes:32
execution_graph: 408-node call graph (32 limit nodes) serialised from the interactive viewer; the raw node/edge dump is not reproduced. API-labelled nodes recoverable from it, grouped by caller region:
• fdfbac GetModuleFileNameW; fdfb57 GetSystemDefaultUILanguage; fdf4a9 GetModuleFileNameW; fdf4e6, fdf50d, fdf52b, fdf549, fdf567, fdf585 RegOpenKeyExW; fdf5c3, fdf5e5, fdf60a, fdf62e RegQueryValueExW; fdf670 RegCloseKey; 10027c4 and fff324 GetThreadLocale (start-up locale and resource-module lookup chain)
• 1001d16 RegOpenKeyExW; 1001d38, 1001d8d, 1001da2, 1001de9, 1001dfc RegQueryValueExW; 1001e29 RegCloseKey
• 149a912 and 149a950 GetCurrentProcess, WriteProcessMemory (writes into the sample's own process)
• 14abfbc GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter; 14a77d7 __CRT_INIT@12; 14abd97 HeapCreate; 14abdc7 VirtualFree, HeapFree, HeapFree, HeapDestroy; 14a780d GetCommandLineA; 14a78db GetCurrentThreadId (MSVC CRT initialisation, including the security-cookie seed sequence)
• fd9a63, fd9a7b, fd9ad5, fd9b0c, fd9b36 GetTickCount with fd9c30 Sleep and fd96e0 Sleep, Sleep; fd9aaa, fd9ba6, fd9eec, fd9f14 GetCurrentThreadId; fd5c05, fd5c1b, fd5c49, fd5c5f, fd5d8e, fd5da4, fd6726 Sleep; fd58b0 Sleep, Sleep; fd583d, fd58fc, fd6749 VirtualAlloc; fd6f4f, fd6fcb, fd701e VirtualFree (timed wait/retry and allocation loops)
• 10049a4 LoadLibraryW; fe72aa GetProcAddress; fdacfd CreateThread; fdab44 GetCurrentThreadId; fdaa7c GetStdHandle, WriteFile, GetStdHandle, WriteFile; fdabeb FreeLibrary; fdac13 ExitProcess; fda7ae KiUserCallbackDispatcher; fdae6e SysFreeString; ff95d2 CloseHandle; ff95dc GetLastError; 1003b99 GetLastError

          Control-flow Graph

          APIs
• GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,00FDFA76,?,?), ref: 00FDF9E6
• GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,00FDFA76,?,?), ref: 00FDF9EF
  • Part of subcall function 00FDF85C: FindFirstFileW.KERNEL32(00000000,?,00000000,00FDF8BC,?,?), ref: 00FDF88F
  • Part of subcall function 00FDF85C: FindClose.KERNEL32(00000000,00000000,?,00000000,00FDF8BC,?,?), ref: 00FDF89F
• Note: GetUserDefaultUILanguage followed by GetLocaleInfoW and a FindFirstFileW/FindClose existence probe is the shape of the Delphi RTL's start-up search for a localized resource module, and the caller chain in the execution graph (GetModuleFileNameW, a run of RegOpenKeyExW calls, GetSystemDefaultUILanguage) fits the same routine. Treat the locale query as run-time housekeeping rather than evidence of victim-locale targeting on its own.
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
          • String ID:
          • API String ID: 3216391948-0
          • Opcode ID: 72676df13c987fc88283d149046f30654a7066abe0de1f341ce5c6e9d6d5a1de
          • Instruction ID: 5a8c8649b0547d1a31c993d80408bde65295027e0be6bbf7a01968ae1d4f971a
          • Opcode Fuzzy Hash: 72676df13c987fc88283d149046f30654a7066abe0de1f341ce5c6e9d6d5a1de
          • Instruction Fuzzy Hash: A4116370A041099BDB01EFA4CC42AADB3BAEF49300F544477F515E7345DB789E08E766

          Control-flow Graph

• Control-flow graph of 00FDF85C (3 blocks, fdf85c-fdf8b9): block fdf85c calls sub fdaf14, sub fdbba4 and FindFirstFileW, then branches either to fdf89e (FindClose) or directly to fdf8a4 (call fdae20); fdf89e falls through to fdf8a4.
          APIs
          • FindFirstFileW.KERNEL32(00000000,?,00000000,00FDF8BC,?,?), ref: 00FDF88F
          • FindClose.KERNEL32(00000000,00000000,?,00000000,00FDF8BC,?,?), ref: 00FDF89F
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: Find$CloseFileFirst
          • String ID:
          • API String ID: 2295610775-0
          • Opcode ID: 5dc9c964399cf85c770eaeddbb053142110d684fbb2f016a3ff5c5b5b9f360be
          • Instruction ID: fead8ab591f44fdd54bb00f6f44fbfc40d53e5bfa75f2cd200d3d7facdff685f
          • Opcode Fuzzy Hash: 5dc9c964399cf85c770eaeddbb053142110d684fbb2f016a3ff5c5b5b9f360be
          • Instruction Fuzzy Hash: 57F0E271900604AEC750EBB4DC52C4EB7EDEF4972076809B3F400E3791E7389E04B526

          Control-flow Graph

          APIs
          • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,00FDF6A0,?,?,?), ref: 00FDF4B7
          • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,00020019,?,00000000,?,00000105,00000000,00FDF6A0,?,?,?), ref: 00FDF500
          • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,00020019,?,80000001,Software\Embarcadero\Locales,00000000,00020019,?,00000000,00FDF6A0,?,?,?), ref: 00FDF522
          • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,00020019,?,80000002,Software\Embarcadero\Locales,00000000,00020019,?,80000001,Software\Embarcadero\Locales,00000000,00020019,?,00000000), ref: 00FDF540
          • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,00020019,?,80000001,Software\CodeGear\Locales,00000000,00020019,?,80000002,Software\Embarcadero\Locales,00000000,00020019,?,80000001), ref: 00FDF55E
          • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,00020019,?,80000002,Software\CodeGear\Locales,00000000,00020019,?,80000001,Software\CodeGear\Locales,00000000,00020019,?,80000002), ref: 00FDF57C
          • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,00020019,?,80000001,Software\Borland\Locales,00000000,00020019,?,80000002,Software\CodeGear\Locales,00000000,00020019,?,80000001), ref: 00FDF59A
          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,00FDF67C,?,80000001,Software\Borland\Delphi\Locales,00000000,00020019,?,80000001,Software\Borland\Locales), ref: 00FDF5D4
          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00FDF67C,?,80000001), ref: 00FDF5F9
          • RegCloseKey.ADVAPI32(?,00FDF683,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,00FDF67C,?,80000001,Software\Embarcadero\Locales), ref: 00FDF674
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: Open$QueryValue$CloseFileModuleName
          • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
          • API String ID: 2701450724-3496071916
          • Opcode ID: 308180624c574a942aa56e36db363b4c84e2de3f2e1b80f0a90534248518340e
          • Instruction ID: f4e94901617b0498a00994b3e7f0b1ee94ae1359fc94fe4fe319eb2b96b6edf2
          • Opcode Fuzzy Hash: 308180624c574a942aa56e36db363b4c84e2de3f2e1b80f0a90534248518340e
          • Instruction Fuzzy Hash: B9514471A40309BAEB10DA90DC42FAEB3BEAB04B40F684467B605F6791E6B4E904E755

          Control-flow Graph

          APIs
          • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,?,00000114), ref: 01001D2B
          • RegQueryValueExW.ADVAPI32(?,DisplayVersion,00000000,00000000,00000000,?,00000000,01001E42,?,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,?,00000114), ref: 01001D59
          • RegQueryValueExW.ADVAPI32(?,DisplayVersion,00000000,00000000,00000000,00000002,?,DisplayVersion,00000000,00000000,00000000,?,00000000,01001E42,?,80000002), ref: 01001D9B
          • RegQueryValueExW.ADVAPI32(?,ReleaseId,00000000,00000000,00000000,?,?,DisplayVersion,00000000,00000000,00000000,?,00000000,01001E42,?,80000002), ref: 01001DB5
          • RegQueryValueExW.ADVAPI32(?,ReleaseId,00000000,00000000,00000000,00000002,?,ReleaseId,00000000,00000000,00000000,?,?,DisplayVersion,00000000,00000000), ref: 01001DF7
          • RegQueryValueExW.ADVAPI32(?,UBR,00000000,00000000,01472964,00000004,?,ReleaseId,00000000,00000000,00000000,?,?,DisplayVersion,00000000,00000000), ref: 01001E19
          • RegCloseKey.ADVAPI32(?,01001E49,00000000,01472964,00000004,?,ReleaseId,00000000,00000000,00000000,?,?,DisplayVersion,00000000,00000000,00000000), ref: 01001E3A
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: QueryValue$CloseOpen
          • String ID: DisplayVersion$ReleaseId$SOFTWARE\Microsoft\Windows NT\CurrentVersion$UBR
          • API String ID: 1586453840-3678894217
          • Opcode ID: 6ac31775b7d986a0ea32d8726003dbeb4dec4ef439a66a829f73eaf1cfe8f79c
          • Instruction ID: 6e013ee51dbf22bcb7eaa6a283b89ed5730980ce4fcbb3a59177018e1ecd5d19
          • Opcode Fuzzy Hash: 6ac31775b7d986a0ea32d8726003dbeb4dec4ef439a66a829f73eaf1cfe8f79c
          • Instruction Fuzzy Hash: 63419271B40348BBFB62EAA6DC42F9E77EDEB04700F140496F640E62C1D7B4EA048754

          Control-flow Graph

          APIs
          • RtlLeaveCriticalSection.NTDLL(01471C18), ref: 00FDF172
          • RtlEnterCriticalSection.NTDLL(01471C18), ref: 00FDF1F0
          • RtlLeaveCriticalSection.NTDLL(01471C18), ref: 00FDF219
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: CriticalSection$Leave$Enter
          • String ID: en-GB,en,en-US,
          • API String ID: 2978645861-3021119265
          • Opcode ID: 380227578c07976934f87f97c9509415ec0c0aed733643f0f8b6b68ff8f1f9fe
          • Instruction ID: fe9b037cbd5125d4c12c7365b8d3366f38e6834100450f8f6ea77664a13bfd61
          • Opcode Fuzzy Hash: 380227578c07976934f87f97c9509415ec0c0aed733643f0f8b6b68ff8f1f9fe
          • Instruction Fuzzy Hash: B021D520B54604ABDB20B7E98D03A5932979B85F41BAC0437B502CB356CAB88D45B3A7

          Control-flow Graph

• Control-flow graph of 00FF9588 (18 blocks, ff9588-ff961c): entry calls sub fdbba4 and sub fe7210; the path through ff95b8 calls sub fe70c8 and then either CloseHandle (ff95d2) or GetLastError (ff95dc); the alternate path through ff95f2 calls sub fe7230 and optionally sub ff9548 (ff9608); all paths converge at ff9619.
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID: ${
          • API String ID: 0-4046706400
          • Opcode ID: afc6bd2bef7d5ba224d127c1a9e5923f09f3fe74c873e5654600b7cdf7d1bc77
          • Instruction ID: f256694704010b44b1959c6bca2710616b7f3fc78563b58950975a650f266c4a
          • Opcode Fuzzy Hash: afc6bd2bef7d5ba224d127c1a9e5923f09f3fe74c873e5654600b7cdf7d1bc77
          • Instruction Fuzzy Hash: 3201A22661C30825EB3630792CC6B7911844F86BB8F3C0922FB52EB1F2D6CA4C8375B1

          Control-flow Graph

• Control-flow graph of 0149A950: a single block (149a950-149a980) calling GetCurrentProcess and WriteProcessMemory.
          APIs
          • GetCurrentProcess.KERNEL32(?,?,00000006,00000000), ref: 0149A96A
          • WriteProcessMemory.KERNELBASE(00000000,?,?,00000006,00000000), ref: 0149A971
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1684739707.0000000001493000.00000020.00000001.01000000.00000003.sdmp, Offset: 01493000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_1493000_dllhost.jbxd
          Similarity
          • API ID: Process$CurrentMemoryWrite
          • String ID: %
          • API String ID: 4081199588-2567322570
          • Opcode ID: 53d3041bc5c716b70f5e7ec6a0d558f4b2c1f6288837c15b7bc66f99c26fbb08
          • Instruction ID: f3ad7e935fab18351b119e8e88a7923c743882e46c49044aaa59ccecc6494712
          • Opcode Fuzzy Hash: 53d3041bc5c716b70f5e7ec6a0d558f4b2c1f6288837c15b7bc66f99c26fbb08
          • Instruction Fuzzy Hash: 7EE08C70A84249ABCB20DFB99C0EB59BA79AB11A12F004398B505DA1C4EA7051148361

          Control-flow Graph

• Control-flow graph of 00FDAB14 (29 blocks, fdab14-fdac3b): the error path at fdab2a calls sub fda9f4 and sub fdaa7c; fdab44 calls GetCurrentThreadId, then sub fda748 and sub fdaa50; the loop headed at fdab8d (back-edge from fdac2a) calls sub fd7138, sub fd903c, sub fda770 and sub fdfdd8, with FreeLibrary at fdabeb on one branch and ExitProcess at fdac22 on the termination path.
          APIs
          • GetCurrentThreadId.KERNEL32 ref: 00FDAB44
          • FreeLibrary.KERNEL32(00FD0000,?,?,?,00FDAC4E,00FD7183,00FD71CA,?,?,00FD71E3,?,?,?,?,?,00FDA688), ref: 00FDABEC
          • ExitProcess.KERNEL32(00000000,?,?,?,00FDAC4E,00FD7183,00FD71CA,?,?,00FD71E3,?,?,?,?,?,00FDA688), ref: 00FDAC25
            • Part of subcall function 00FDAA7C: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00FDAB34,?,?,?,00FDAC4E,00FD7183,00FD71CA,?,?,00FD71E3), ref: 00FDAAB5
            • Part of subcall function 00FDAA7C: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00FDAB34,?,?,?,00FDAC4E,00FD7183,00FD71CA), ref: 00FDAABB
            • Part of subcall function 00FDAA7C: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00FDAB34,?,?,?), ref: 00FDAAD6
            • Part of subcall function 00FDAA7C: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00FDAB34,?,?), ref: 00FDAADC
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
          • String ID:
          • API String ID: 3490077880-0
          • Opcode ID: 0a6cb8636c74583717e5b6ed30a93162722a1b045e5be92a83d7102e9fa3307f
          • Instruction ID: 9c3d118dd72f57b88b2ab3e5d41593054385f24f6d2ef2dd03c8e40632a54adc
          • Opcode Fuzzy Hash: 0a6cb8636c74583717e5b6ed30a93162722a1b045e5be92a83d7102e9fa3307f
          • Instruction Fuzzy Hash: 79318170E003418BD731AB79988875A77E35B45734F1C0A1BE48582366D7B8DCC9E75B

          Control-flow Graph

• Control-flow graph of 00FFEEBC (8 blocks, ffeebc-ffef31): FormatMessageW at ffeed3, a small loop over the result (ffeef6-ffef0c, back-edge via ffeef5), then ffef0e calls sub fdafb8 and LocalFree.
          APIs
          • FormatMessageW.KERNEL32(00003300,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,01003C96,00000000,01003D02), ref: 00FFEEE0
          • LocalFree.KERNEL32(?,00FFEF3B,00003300,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,01003C96,00000000,01003D02), ref: 00FFEF2C
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: FormatFreeLocalMessage
          • String ID:
          • API String ID: 1427518018-0
          • Opcode ID: a88156dd39c2d502970a9836a947bab12cecd992000ea1127167b3d705be487e
          • Instruction ID: ed12fd2f4aaf5993f9122c5165d3dac59f863b56edb25013620f6ffde90e7b52
          • Opcode Fuzzy Hash: a88156dd39c2d502970a9836a947bab12cecd992000ea1127167b3d705be487e
          • Instruction Fuzzy Hash: 1D014970B5435CBEE72896189C52F7A72ADDFD4B10FA04425F601D66F0DA74DD10A260

          Control-flow Graph

• Control-flow graph of 0149A8E0 (5 blocks, 149a8e0-149a940): two checks (149a8e0 and 149a90b/149a90d) either skip to block 149a93a or reach 149a912, which calls GetCurrentProcess and WriteProcessMemory.
          APIs
          • GetCurrentProcess.KERNEL32(?,?,00000005,00000000), ref: 0149A922
          • WriteProcessMemory.KERNELBASE(00000000,?,?,00000005,00000000), ref: 0149A929
          Memory Dump Source
          • Source File: 00000000.00000002.1684739707.0000000001493000.00000020.00000001.01000000.00000003.sdmp, Offset: 01493000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_1493000_dllhost.jbxd
          Similarity
          • API ID: Process$CurrentMemoryWrite
          • String ID:
          • API String ID: 4081199588-0
          • Opcode ID: 0785e2cb39e82b2b6a33aff26eb8acf1c5ff4563c9623c711b7e344a29577030
          • Instruction ID: 82b2187dfcb66ddc2c59ecaeb8a81394b334e4adfbf38e614a9d0d22fe16fdc1
          • Opcode Fuzzy Hash: 0785e2cb39e82b2b6a33aff26eb8acf1c5ff4563c9623c711b7e344a29577030
          • Instruction Fuzzy Hash: 41F0217174010927DF144DBDDC05BADBBAAEFC1621F158366B509C76E4D97588054351
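The two functions at 0149A950 and 0149A8E0 above write 6 and 5 bytes into the current process with WriteProcessMemory(GetCurrentProcess(), ...), which is what the report's "Overwrites code with unconditional jumps" signature keys on. The following is an added example, not code from the Joe Sandbox report or from the analysed sample: it assumes 32-bit x86 (the report says the sample is a 32-bit PE) and that the 5- and 6-byte writes are the standard E9 rel32 and FF 25 disp32 jump encodings, which is an assumption, not something the report states. The snapshot bytes are constructed here for illustration. It shows how to recognise such a patched function entry in a memory dump and recover where the jump diverts execution.

```python
import struct

# Assumption: 32-bit x86 code, so FF 25 disp32 is "jmp dword ptr [absolute
# pointer]" and not RIP-relative as it would be on x64.


def encode_jmp_rel32(from_addr: int, to_addr: int) -> bytes:
    """Build the 5-byte E9 patch a hooker writes at from_addr to divert to to_addr."""
    rel = (to_addr - (from_addr + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel)


def encode_jmp_abs_indirect(pointer_addr: int) -> bytes:
    """Build the 6-byte FF 25 patch: jmp dword ptr [pointer_addr]."""
    return b"\xFF\x25" + struct.pack("<I", pointer_addr)


def decode_jump_patch(code: bytes, code_addr: int):
    """Classify the first bytes of a function located at code_addr.

    Returns ("jmp_rel32", target) for E9 rel32, ("jmp_abs_indirect", pointer)
    for FF 25 disp32, or None when the entry is not an unconditional jump.
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]          # signed displacement
        return ("jmp_rel32", (code_addr + 5 + rel) & 0xFFFFFFFF)
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:
        return ("jmp_abs_indirect", struct.unpack_from("<I", code, 2)[0])
    return None


def find_hooked_functions(prologues: dict) -> dict:
    """Given {function_va: first bytes captured from a memory snapshot}, return
    {function_va: (kind, destination)} for every function whose entry has been
    overwritten with an unconditional jump."""
    hooked = {}
    for va, code in prologues.items():
        hit = decode_jump_patch(code, va)
        if hit is not None:
            hooked[va] = hit
    return hooked


# Constructed snapshot (not recovered from the analysed sample): three function
# entries, one intact, one diverted with a 5-byte relative jump, one with a
# 6-byte indirect jump through a hypothetical pointer slot at 0x0ABC1234.
SNAPSHOT = {
    0x00FDF85C: b"\x55\x8B\xEC\x83\xC4\xF0",   # push ebp / mov ebp,esp / add esp,-10h
    0x00FDF4A0: encode_jmp_rel32(0x00FDF4A0, 0x0149A000) + b"\x90",
    0x01001D00: encode_jmp_abs_indirect(0x0ABC1234),
}

if __name__ == "__main__":
    for va, (kind, dest) in find_hooked_functions(SNAPSHOT).items():
        print(f"{va:08X}: {kind} -> {dest:08X}")
```

Run against the entry bytes of every exported or known function in the dumped image regions (here the 00FD1000 and 01493000 sdmp files), the scan flags entries whose first instruction leaves the original image, which is the check a forensic analyst wants before trusting any disassembly of the patched function; a jump whose target lies inside the same function is normal compiler output and should be ignored.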

          Control-flow Graph

• Control-flow graph of 00FD6F3C (11 blocks, fd6f3c-fd6fea): a loop headed at fd6f61 calling VirtualFree (fd6f4f), two self-looping blocks (fd6f6f, fd6f9a), a call to sub fd8348 at fd6fa7, then a second loop headed at fd6fdd calling VirtualFree (fd6fcb).
          APIs
          • VirtualFree.KERNEL32(0146FADC,00000000,00008000,?,?,?,?,00FD703C,00FE229A,00000000,00FE22BA), ref: 00FD6F5A
          • VirtualFree.KERNEL32(01471B80,00000000,00008000,0146FADC,00000000,00008000,?,?,?,?,00FD703C,00FE229A,00000000,00FE22BA), ref: 00FD6FD6
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: FreeVirtual
          • String ID:
          • API String ID: 1263568516-0
          • Opcode ID: f74e61bd16dc69dbeddac98a7a60c6e324f06fa5023abf369bc59a630c7e3e98
          • Instruction ID: 229084bde4ab8d43e64433c685081d821f7669cbed29b2724e382feb680f6beb
          • Opcode Fuzzy Hash: f74e61bd16dc69dbeddac98a7a60c6e324f06fa5023abf369bc59a630c7e3e98
          • Instruction Fuzzy Hash: DE11C471601A108FC7648F18A85071A77E6F788B24F29806FF14DCF351E774AC019B84

          Control-flow Graph

• Control-flow graph of 00FD66F8 (9 blocks, fd66f8-fd676b): a retry loop (fd672d/fd6703) calling sub fd54b4 and, on one outcome, Sleep (fd6726) before looping back; on exit, fd6740 either calls VirtualAlloc (fd6749) or goes directly to fd6761.
          APIs
          • Sleep.KERNEL32(0000000A,00000000,00FD67C2,?,?,?,00FD6855), ref: 00FD6728
          • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,0000000A,00000000,00FD67C2,?,?,?,00FD6855), ref: 00FD6757
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: AllocSleepVirtual
          • String ID:
          • API String ID: 503295252-0
          • Opcode ID: a2a2ec9fa26f681e3d0aeaf9ca393b86972c50bbaec19f52afad338cef3f3731
          • Instruction ID: 02a17aad10e66e6ee27956267943a7a9af3a00a65df5b3fa8a5747fcfea3c788
          • Opcode Fuzzy Hash: a2a2ec9fa26f681e3d0aeaf9ca393b86972c50bbaec19f52afad338cef3f3731
          • Instruction Fuzzy Hash: DBF0897050638495FF31D620A91A77526435746BADF1C0057E1459D3DBDEE914CAE342

          Control-flow Graph

• Control-flow graph of 00FDFA84 (15 blocks, fdfa84-fdfb9a): entry calls sub fdaf14 twice and sub fdae20; fdfacc calls sub fdb258; a loop at fdfaea/fdfb0a calls sub fdbf78; fdfb0f calls sub fdf798, then either sub fdf8cc (fdfb20) or fdfb2f (sub fd5368, sub fdf130, sub fdf8cc), optionally followed by GetSystemDefaultUILanguage with sub fdf130 and sub fdf8cc (fdfb57); fdfb76 calls sub fdf9b4; all paths end at fdfb80 (sub fdae80).
          APIs
          • GetSystemDefaultUILanguage.KERNEL32(00000000,00FDFB9D,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00FDFC26,00000000,?,00000105), ref: 00FDFB57
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: DefaultLanguageSystem
          • String ID:
          • API String ID: 4166810957-0
          • Opcode ID: d5c466133534e94368e449807c28209665b8fe8abe723e0b17646c3aa9706e62
          • Instruction ID: 76b751095bb6764ae05b1fd98607a895b6acbc818feb3846a34828ac1973bf8e
          • Opcode Fuzzy Hash: d5c466133534e94368e449807c28209665b8fe8abe723e0b17646c3aa9706e62
          • Instruction Fuzzy Hash: 41311C70E1020A9BDB10EB94CC92EAEB7F6AF88310F584577E402A7391D7789D49EB51

          Control-flow Graph

          APIs
          • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,00FDFC68,?,00000000,01449048), ref: 00FDFBE8
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: FileModuleName
          • String ID:
          • API String ID: 514040917-0
          • Opcode ID: ada7cb86211b05fe44033ae4814557d4b01e115ce7cad06ae3505e3f65dbd6e8
          • Instruction ID: dbf9ba4f00a1b5dcd18eafde6c2ed004bc043d0cd8ad61f23443a3e61a017ca6
          • Opcode Fuzzy Hash: ada7cb86211b05fe44033ae4814557d4b01e115ce7cad06ae3505e3f65dbd6e8
          • Instruction Fuzzy Hash: 7C118F30A5421C9BDB10EB60CC86FDE73BAEB08700F5544B6F409A2391EB749F84EA65

          Control-flow Graph

• Control-flow graph of 010076C8 (8 blocks, 10076c8-1007747): entry calls sub fdb210 and either goes straight to 1007742 or continues via sub fdb3fc (10076ee) to 1007714, which calls sub fdbba4 twice and LCMapStringW, then optionally sub 1003c50 (100773d) before 1007742.
          APIs
          • LCMapStringW.KERNEL32(01472714,Function_0002F100,00000000,?,00000000,?), ref: 01007734
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: String
          • String ID:
          • API String ID: 2568140703-0
          • Opcode ID: 5625e00ef7e2e6c57b63be73c0e1649aae1b7a48fb488a6f44868e9d752ff8c7
          • Instruction ID: 8b0c10fbd455d95422fe156b084aa8ea3f4653838ec039c54fbe71c8e86eea0b
          • Opcode Fuzzy Hash: 5625e00ef7e2e6c57b63be73c0e1649aae1b7a48fb488a6f44868e9d752ff8c7
          • Instruction Fuzzy Hash: 70014C366042109FE712EF1DC98191AB7E8FF89760F1545A9F9C8AB355CB34BC40DB62
          APIs
          • CreateThread.KERNEL32(?,?,00FDACA8,00000000,?,?), ref: 00FDAD3A
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: CreateThread
          • String ID:
          • API String ID: 2422867632-0
          • Opcode ID: a57c33df1956407b7e2db5eb3226b738e2e801d95b0ef385fd96bf50f66be931
          • Instruction ID: c3acd82e8ba2104e1810f62f666a9a966227c906ce8d0f5cbd691e5c34d29ef0
          • Opcode Fuzzy Hash: a57c33df1956407b7e2db5eb3226b738e2e801d95b0ef385fd96bf50f66be931
          • Instruction Fuzzy Hash: E001A772B04214AFC720DB9CD884A8AB7EDDB48361F184067F508DB391DA70DD0097A5
          APIs
          • GetProcAddress.KERNEL32(?,?), ref: 00FE72AC
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: AddressProc
          • String ID:
          • API String ID: 190572456-0
          • Opcode ID: cc5428e7d914d45a8b53958014e81bd25b5926dbc3b4baf251ed5b79eafcc369
          • Instruction ID: 013bcd56cfa8dbff2feb5f69d1c40237698b9b07544e60049f0f61cb212a1932
          • Opcode Fuzzy Hash: cc5428e7d914d45a8b53958014e81bd25b5926dbc3b4baf251ed5b79eafcc369
          • Instruction Fuzzy Hash: EBF06D31608348BFE711EA669C52A6AB39CDB09710F614471FA00D7341D678AE01A9A5
          APIs
          • KiUserCallbackDispatcher.NTDLL(00000000,00FDA7BE,?,01449000,01471BA0,?,?,00FDABC5,?,?,?,00FDAC4E,00FD7183,00FD71CA), ref: 00FDA7AE
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: CallbackDispatcherUser
          • String ID:
          • API String ID: 2492992576-0
          • Opcode ID: b3a601f082b589166253c7fb9476869bc72a3ca4247d62dcd3279e1ecb7ff498
          • Instruction ID: 57c7b283e7a85e94b2e21a609a9e1fa1412e58625428c7e31e33a1d60d49fd53
          • Opcode Fuzzy Hash: b3a601f082b589166253c7fb9476869bc72a3ca4247d62dcd3279e1ecb7ff498
          • Instruction Fuzzy Hash: 34F0B472A056059FD3314E1AA880A22FBBDFB48B70759443BD80483750D2309C11EAA6
          APIs
          • LoadLibraryW.KERNEL32(00000000,00000000,010049C2,?,00000000,010049E2,?,00008000), ref: 010049A5
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: LibraryLoad
          • String ID:
          • API String ID: 1029625771-0
          • Opcode ID: f94442b834751f9bd1e4c468561b330cfa4270f56cc3ac4296e72d28ba2e37aa
          • Instruction ID: 5137daf089daf1be359c950e4751e1ec567ce6122af5dff1036133abe59a31a6
          • Opcode Fuzzy Hash: f94442b834751f9bd1e4c468561b330cfa4270f56cc3ac4296e72d28ba2e37aa
          • Instruction Fuzzy Hash: CAF08970614744BFD7025F778C5281A7BACD70DB1079348B5F900E2651E67C5C109524
          APIs
          • HeapCreate.KERNELBASE(00000000,00001000,00000000,?,014A77EC,?), ref: 014ABDAC
          Memory Dump Source
          • Source File: 00000000.00000002.1684739707.0000000001493000.00000020.00000001.01000000.00000003.sdmp, Offset: 01493000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_1493000_dllhost.jbxd
          Similarity
          • API ID: CreateHeap
          • String ID:
          • API String ID: 10892065-0
          • Opcode ID: bfcf9cabb76eef618c00b1709f28382fdf34d1cebec379b233c45a31dd80ecb4
          • Instruction ID: 0f9bdc6b0e107789a4f0eaa60540582c62eef80396e6f9df2a3852844d7273fc
          • Opcode Fuzzy Hash: bfcf9cabb76eef618c00b1709f28382fdf34d1cebec379b233c45a31dd80ecb4
          • Instruction Fuzzy Hash: 30D05E725903459BDB209E756888B663BDCE384395F044436F80CC6294E670C5519740
          APIs
          • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,?,00FD5E4B,?,00FDF835,?,?,?,00FDF7CC,00000000,00FDF7F1), ref: 00FD584B
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          • Opcode ID: 5ce569fac94ffde6605294cbb71a006dff68c8f91cb1590ea15385905035b0e1
          • Instruction ID: a74a7d59211c7474552004a08307b6828a8b8b5235c45733fd1ad2f7db67b049
          • Opcode Fuzzy Hash: 5ce569fac94ffde6605294cbb71a006dff68c8f91cb1590ea15385905035b0e1
          • Instruction Fuzzy Hash: ABF0AFF2F013014FD7248F78AA517497BD5B744758F24413EE989DB7A8D7B088049780
          APIs
          • VirtualFree.KERNEL32(01471B90,00000000,00008000,00FE229A,00000000,00FE22BA), ref: 00FD702B
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: FreeVirtual
          • String ID:
          • API String ID: 1263568516-0
          • Opcode ID: 1f9f1f450c8b3df1946447430998c86b91e84a06d1c94c9bc95fdbd8819c6c67
          • Instruction ID: 0a503a85f86b1376298f7cbfe0bce2ab01157170066e0f07ed1c9c0b2cc1208f
          • Opcode Fuzzy Hash: 1f9f1f450c8b3df1946447430998c86b91e84a06d1c94c9bc95fdbd8819c6c67
          • Instruction Fuzzy Hash: E4E01AB0910740DAD771FBB4A85F77532AA6304B54F58081AE108CA2EAF7785489EB01
          APIs
          • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?), ref: 00FDF295
          • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 00FDF2A6
          • FindFirstFileW.KERNEL32(?,?,kernel32.dll,?,?,?), ref: 00FDF3B4
          • FindClose.KERNEL32(?,?,?,kernel32.dll,?,?,?), ref: 00FDF3C6
          • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,?,?,?), ref: 00FDF3D2
          • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,?,?,?), ref: 00FDF417
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
          • String ID: GetLongPathNameW$\$kernel32.dll
          • API String ID: 1930782624-3908791685
          • Opcode ID: ba484d3b27ae398b7a246dc1fd81001759de33e4ca998a11ad55d3c07995f65d
          • Instruction ID: da5a8931ce37917a73f549f752a8d163ae2e519ce19d050f0332a2ca5c9db5e2
          • Opcode Fuzzy Hash: ba484d3b27ae398b7a246dc1fd81001759de33e4ca998a11ad55d3c07995f65d
          • Instruction Fuzzy Hash: E9519131E006149BCB10EFA8CC85E9EB3F6AF45311F5845B69506E7341EB78AE49AB40
          APIs
          • GetProcessHeap.KERNEL32(00000000,?,00FD7317,0,?,00000000,00000000,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00FD7302
          • HeapFree.KERNEL32(00000000,00000000,?,00FD7317,0,?,00000000,00000000,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00FD7308
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: Heap$FreeProcess
          • String ID: GetLogicalProcessorInformation$kernel32.dll$0
          • API String ID: 3859560861-2440520447
          APIs
          • IsDebuggerPresent.KERNEL32 ref: 014AD187
          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 014AD19C
          • UnhandledExceptionFilter.KERNEL32(014B3468), ref: 014AD1A7
          • GetCurrentProcess.KERNEL32(C0000409), ref: 014AD1C3
          • TerminateProcess.KERNEL32(00000000), ref: 014AD1CA
          Memory Dump Source
          • Source File: 00000000.00000002.1684739707.0000000001493000.00000020.00000001.01000000.00000003.sdmp, Offset: 01493000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_1493000_dllhost.jbxd
          Similarity
          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
          • String ID:
          • API String ID: 2579439406-0
          APIs
          • IsValidLocale.KERNEL32(?,00000002,00000000,00FDEF7B,?,?,?,00000000), ref: 00FDEEBE
          • GetLocaleInfoW.KERNEL32(?,00000059,?,00000055,?,00000002,00000000,00FDEF7B,?,?,?,00000000), ref: 00FDEEDA
          • GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,00FDEF7B,?,?,?,00000000), ref: 00FDEEEB
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: Locale$Info$Valid
          • String ID:
          • API String ID: 1826331170-0
          APIs
          • GetDiskFreeSpaceW.KERNEL32(00000000,?,?,?,?), ref: 00FFA12D
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: DiskFreeSpace
          • String ID:
          • API String ID: 1705453755-0
          APIs
          • GetSystemInfo.KERNEL32(?), ref: 0102FFE5
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: InfoSystem
          • String ID:
          • API String ID: 31276548-0
          APIs
          • EnumSystemLocalesW.KERNEL32(010043C0,00000002), ref: 01004619
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: EnumLocalesSystem
          • String ID:
          • API String ID: 2099609381-0
          APIs
          • GetLocaleInfoW.KERNEL32(?,0000000F,00000003,00000003), ref: 00FFEFA1
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: InfoLocale
          • String ID:
          • API String ID: 2299586839-0
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: LocalTime
          • String ID:
          • API String ID: 481472006-0
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          APIs
          • GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 0100B9DD
            • Part of subcall function 0100B9A8: GetProcAddress.KERNEL32(00000000), ref: 0100B9C1
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: AddressHandleModuleProc
          • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
          • API String ID: 1646373207-1918263038
          APIs
          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,014B5D78,0000000C,014A8D1C,00000000,00000000,?,014A661F,014A92DE,014A956E,?,?,014A661F,?), ref: 014A8BF3
          • __crt_waiting_on_module_handle.LIBCMT ref: 014A8BFE
            • Part of subcall function 014AB32C: Sleep.KERNEL32(000003E8,?,?,014A8B44,KERNEL32.DLL,?,014A9598,?,014A9568,014A661F,?,?,014A661F,?), ref: 014AB338
            • Part of subcall function 014AB32C: GetModuleHandleW.KERNEL32(014A661F,?,?,014A8B44,KERNEL32.DLL,?,014A9598,?,014A9568,014A661F,?,?,014A661F,?), ref: 014AB341
          • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 014A8C27
          • GetProcAddress.KERNEL32(014A661F,DecodePointer), ref: 014A8C37
          • __lock.LIBCMT ref: 014A8C59
          • InterlockedIncrement.KERNEL32(C35DC033), ref: 014A8C66
          • __lock.LIBCMT ref: 014A8C7A
          • ___addlocaleref.LIBCMT ref: 014A8C98
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1684739707.0000000001493000.00000020.00000001.01000000.00000003.sdmp, Offset: 01493000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_1493000_dllhost.jbxd
          Similarity
          • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
          • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
          • API String ID: 1028249917-2843748187
          APIs
          • RegisterClipboardFormatW.USER32(MSH_WHEELSUPPORT_MSG), ref: 00FE81A3
          • RegisterClipboardFormatW.USER32(MSH_SCROLL_LINES_MSG), ref: 00FE81AF
          • SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FE81C7
          • SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FE81EB
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: ClipboardFormatMessageRegisterSend
          • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
          • API String ID: 1437703442-3736581797
          APIs
          • GetThreadLocale.KERNEL32(?,00000001,00000000,00FFF655,?,?,?,?,00000000,00000000), ref: 00FFF324
            • Part of subcall function 00FFEF8C: GetLocaleInfoW.KERNEL32(?,0000000F,00000003,00000003), ref: 00FFEFA1
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: Locale$InfoThread
          • String ID: AMPM$2$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
          • API String ID: 4232894706-3379564615
          APIs
          • Sleep.KERNEL32(00000000,00FDE9DC,01449C20,?,00FDF818,?,?,?,00FDF7CC,00000000,00FDF7F1,?,?,?,00000000), ref: 00FD5F6A
          • Sleep.KERNEL32(0000000A,00000000,00FDE9DC,01449C20,?,00FDF818,?,?,?,00FDF7CC,00000000,00FDF7F1,?,?,?,00000000), ref: 00FD5F84
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: Sleep
          • String ID:
          • API String ID: 3472027048-0
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          APIs
          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FE2A40
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: ExceptionRaise
          • String ID:
          • API String ID: 3997070919-0
          APIs
            • Part of subcall function 00FD9EEC: GetCurrentThreadId.KERNEL32 ref: 00FD9EEF
          • GetTickCount.KERNEL32 ref: 00FD9A63
          • GetTickCount.KERNEL32 ref: 00FD9A7B
          • GetCurrentThreadId.KERNEL32 ref: 00FD9AAA
          • GetTickCount.KERNEL32 ref: 00FD9AD5
          • GetTickCount.KERNEL32 ref: 00FD9B0C
          • GetTickCount.KERNEL32 ref: 00FD9B36
          • GetCurrentThreadId.KERNEL32 ref: 00FD9BA6
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: CountTick$CurrentThread
          • String ID:
          • API String ID: 3968769311-0
          APIs
          • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00FD97AD
          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00FD97B3
          • GetLastError.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00FD97D3
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: AddressErrorHandleLastModuleProc
          • String ID: @$GetLogicalProcessorInformation$kernel32.dll
          • API String ID: 4275029093-79381301
          APIs
          • _ValidateScopeTableHandlers.LIBCMT ref: 014B19E1
          • __FindPESection.LIBCMT ref: 014B19FB
          Memory Dump Source
          • Source File: 00000000.00000002.1684739707.0000000001493000.00000020.00000001.01000000.00000003.sdmp, Offset: 01493000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_1493000_dllhost.jbxd
          Similarity
          • API ID: FindHandlersScopeSectionTableValidate
          • String ID:
          • API String ID: 876702719-0
          APIs
          • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0100DFE5
          • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0100E001
          • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0100E03A
          • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0100E0B7
          • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0100E0D0
          • VariantCopy.OLEAUT32(?,?), ref: 0100E10B
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: ArraySafe$BoundIndex$CopyCreateVariant
          • String ID:
          • API String ID: 351091851-0
          APIs
          • __CreateFrameInfo.LIBCMT ref: 014AC74D
            • Part of subcall function 014A7E53: __getptd.LIBCMT ref: 014A7E61
            • Part of subcall function 014A7E53: __getptd.LIBCMT ref: 014A7E6F
          • __getptd.LIBCMT ref: 014AC757
            • Part of subcall function 014A8D41: __getptd_noexit.LIBCMT ref: 014A8D44
            • Part of subcall function 014A8D41: __amsg_exit.LIBCMT ref: 014A8D51
          • __getptd.LIBCMT ref: 014AC765
          • __getptd.LIBCMT ref: 014AC773
          • __getptd.LIBCMT ref: 014AC77E
          • _CallCatchBlock2.LIBCMT ref: 014AC7A4
            • Part of subcall function 014A7EF8: __CallSettingFrame@12.LIBCMT ref: 014A7F44
            • Part of subcall function 014AC84B: __getptd.LIBCMT ref: 014AC85A
            • Part of subcall function 014AC84B: __getptd.LIBCMT ref: 014AC868
          Memory Dump Source
          • Source File: 00000000.00000002.1684739707.0000000001493000.00000020.00000001.01000000.00000003.sdmp, Offset: 01493000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_1493000_dllhost.jbxd
          Similarity
          • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
          • String ID:
          • API String ID: 1602911419-0
          APIs
          • Sleep.KERNEL32(00000000,?,00FDF835,?,?,?,00FDF7CC,00000000,00FDF7F1,?,?,?,00000000,?,00FDFB1A,00000000), ref: 00FD5C07
          • Sleep.KERNEL32(0000000A,00000000,?,00FDF835,?,?,?,00FDF7CC,00000000,00FDF7F1,?,?,?,00000000,?,00FDFB1A), ref: 00FD5C1D
          • Sleep.KERNEL32(00000000,?,?,?,00FDF835,?,?,?,00FDF7CC,00000000,00FDF7F1,?,?,?,00000000), ref: 00FD5C4B
          • Sleep.KERNEL32(0000000A,00000000,?,?,?,00FDF835,?,?,?,00FDF7CC,00000000,00FDF7F1,?,?,?,00000000), ref: 00FD5C61
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: Sleep
          • String ID:
          • API String ID: 3472027048-0
          APIs
          • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00FDAB34,?,?,?,00FDAC4E,00FD7183,00FD71CA,?,?,00FD71E3), ref: 00FDAAB5
          • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00FDAB34,?,?,?,00FDAC4E,00FD7183,00FD71CA), ref: 00FDAABB
          • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00FDAB34,?,?,?), ref: 00FDAAD6
          • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00FDAB34,?,?), ref: 00FDAADC
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: FileHandleWrite
          • String ID: Runtime error at 00000000
          • API String ID: 3320372497-1393363852
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: InitVariant
          • String ID:
          • API String ID: 1927566239-0
          APIs
          • GetFileAttributesW.KERNEL32(00000000,?,?,?,?,?,00FF939D), ref: 00FF9636
          • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,02000000,00000000,00000000,?,?,?,?,?,00FF939D), ref: 00FF966E
          • CloseHandle.KERNEL32(00000000,00000000,80000000,00000001,00000000,00000003,02000000,00000000,00000000,?,?,?,?,?,00FF939D), ref: 00FF9679
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: File$AttributesCloseCreateHandle
          • String ID:
          • API String ID: 4216088276-0
          APIs
          • GetStdHandle.KERNEL32(000000F4,01449088,00000000,?,00000000,?,?,00000000,00FD6DC3), ref: 00FD643A
          • GetStdHandle.KERNEL32(000000F4,01449084,00000000,?,00000000,00000000,000000F4,01449088,00000000,?,00000000,?,?,00000000,00FD6DC3), ref: 00FD645F
          • WriteFile.KERNEL32(00000000,000000F4,01449084,00000000,?,00000000,00000000,000000F4,01449088,00000000,?,00000000,?,?,00000000,00FD6DC3), ref: 00FD6465
          • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,01449084,00000000,?,00000000,00000000,000000F4,01449088,00000000,?), ref: 00FD647C
          • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,01449084,00000000,?,00000000,00000000,000000F4,01449088,00000000), ref: 00FD6482
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: Handle$FileWrite
          • String ID:
          • API String ID: 2247734768-0
          APIs
          • __getptd.LIBCMT ref: 014A82A4
            • Part of subcall function 014A8D41: __getptd_noexit.LIBCMT ref: 014A8D44
            • Part of subcall function 014A8D41: __amsg_exit.LIBCMT ref: 014A8D51
          • __amsg_exit.LIBCMT ref: 014A82C4
          • __lock.LIBCMT ref: 014A82D4
          • InterlockedDecrement.KERNEL32(?), ref: 014A82F1
          • InterlockedIncrement.KERNEL32(014B84B8), ref: 014A831C
          Memory Dump Source
          • Source File: 00000000.00000002.1684739707.0000000001493000.00000020.00000001.01000000.00000003.sdmp, Offset: 01493000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_1493000_dllhost.jbxd
          Similarity
          • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
          • String ID:
          • API String ID: 4271482742-0
          APIs
          • __lock.LIBCMT ref: 014A8002
            • Part of subcall function 014AD34E: __mtinitlocknum.LIBCMT ref: 014AD364
            • Part of subcall function 014AD34E: __amsg_exit.LIBCMT ref: 014AD370
            • Part of subcall function 014AD34E: RtlEnterCriticalSection.NTDLL(?), ref: 014AD378
          • ___sbh_find_block.LIBCMT ref: 014A800D
          • ___sbh_free_block.LIBCMT ref: 014A801C
          • HeapFree.KERNEL32(00000000,014A661F,014B5CF8,0000000C,014AD32F,00000000,014B5FE8,0000000C,014AD369,014A661F,?,?,014B006A,00000004,014B60A8,0000000C), ref: 014A804C
          • GetLastError.KERNEL32(?,014B006A,00000004,014B60A8,0000000C,014AB2A8,014A661F,?,00000000,00000000,00000000,?,014A8CF3,00000001,00000214), ref: 014A805D
          Memory Dump Source
          • Source File: 00000000.00000002.1684739707.0000000001493000.00000020.00000001.01000000.00000003.sdmp, Offset: 01493000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_1493000_dllhost.jbxd
          Similarity
          • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
          • String ID:
          • API String ID: 2714421763-0
          • Opcode ID: 7082352eb84d251a12c86ae259526c04be2f52dc68c3ac91ce740a2b9de4f551
          • Instruction ID: 087b4cd319ba2d886da51192201a09c848836b487c0d871bcc56ac6d31bc4324
          • Opcode Fuzzy Hash: 7082352eb84d251a12c86ae259526c04be2f52dc68c3ac91ce740a2b9de4f551
          • Instruction Fuzzy Hash: E501A2B1C89303EADB316FB6E844B8E7B64EF30266F93051FE504AA1B0DA7885418B54
          APIs
          • EnumCalendarInfoW.KERNEL32(00FFFC58,?,00000000,00000004), ref: 00FFFE4D
          • EnumCalendarInfoW.KERNEL32(00FFFD00,?,00000000,00000003,00FFFC58,?,00000000,00000004), ref: 00FFFE8B
          • EnumCalendarInfoW.KERNEL32(00FFFD00,?,00000000,00000003,00FFFC58,?,00000000,00000004), ref: 00FFFEEB
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: CalendarEnumInfo
          • String ID: B.C.
          • API String ID: 2925833060-621294921
          • Opcode ID: cbbe16cf5e38af22977b524e850e99ea288f72fd5d3227f5f0a83cc4d90e8fba
          • Instruction ID: e75e2ec7ef377b75fef7c5619559bd03b953a9e3f3850544bb6963835a1556b5
          • Opcode Fuzzy Hash: cbbe16cf5e38af22977b524e850e99ea288f72fd5d3227f5f0a83cc4d90e8fba
          • Instruction Fuzzy Hash: AC81BD71A0060A8FD720EF68C880AAA37E9EF44710F190375FA50DB3B9C775E805DB90
          APIs
          • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,00FFCCC5), ref: 00FFCC66
          • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,00FFCCC5), ref: 00FFCC6C
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: DateFormatLocaleThread
          • String ID: $yyyy
          • API String ID: 3303714858-404527807
          • Opcode ID: 885fbc0325f5e2aab499c464b288cf7d241640889fa305ecf6142f4fb5d9f921
          • Instruction ID: 384de847a765332092bcbc176e40786ccb9fabffc6a2a97d4dd54c162ac0a745
          • Opcode Fuzzy Hash: 885fbc0325f5e2aab499c464b288cf7d241640889fa305ecf6142f4fb5d9f921
          • Instruction Fuzzy Hash: 7321B231A046AC9FCB11EFA4CD45AAEB3F9EF48310B5100A6F908E7351D7349E00E7A1
          APIs
          • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000001,00000000,?,?,00000000,00FF79F6), ref: 00FF78A6
          • MapViewOfFile.KERNEL32(000003EE,00000004,00000000,00000000,00000001,00000000,00FF7983,?,?,00000000,00000002,00000000,00000001,00000000,?,?), ref: 00FF78D5
          • GetCurrentProcess.KERNEL32(00000104,00000000,00FF7963,?,000003EE,00000004,00000000,00000000,00000001,00000000,00FF7983,?,?,00000000,00000002,00000000), ref: 00FF78FA
          • UnmapViewOfFile.KERNEL32(00000000,00FF796A,000003EE,00000004,00000000,00000000,00000001,00000000,00FF7983,?,?,00000000,00000002,00000000,00000001,00000000), ref: 00FF795B
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: File$View$CreateCurrentMappingProcessUnmap
          • String ID:
          • API String ID: 585793813-0
          • Opcode ID: 147403e869c8418a0ab958b3621e0559973fb49354b80ce3121f079d85ecd3a2
          • Instruction ID: 75161c871400b2f59b1127c126506219cfd68f3ad671082e9e86fcfea57a3dc7
          • Opcode Fuzzy Hash: 147403e869c8418a0ab958b3621e0559973fb49354b80ce3121f079d85ecd3a2
          • Instruction Fuzzy Hash: CF712A31A0835DABDB21EFA5CC85BAEF7B5EF08310F5045A5E604A7290D7B89E80DF51
          APIs
          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 014AF968
          • __isleadbyte_l.LIBCMT ref: 014AF99C
          • MultiByteToWideChar.KERNEL32(00000080,00000009,014A6B44,?,00000000,00000000,?,?,?,?,014A6B44), ref: 014AF9CD
          • MultiByteToWideChar.KERNEL32(00000080,00000009,014A6B44,00000001,00000000,00000000,?,?,?,?,014A6B44), ref: 014AFA3B
          Memory Dump Source
          • Source File: 00000000.00000002.1684739707.0000000001493000.00000020.00000001.01000000.00000003.sdmp, Offset: 01493000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_1493000_dllhost.jbxd
          Similarity
          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
          • String ID:
          • API String ID: 3058430110-0
          • Opcode ID: 1bdd8510b75d0864e30811c123759f7dbaec827dbffa0040188402d417d68cc6
          • Instruction ID: 309b4241c804d2dd7cd2ef0cbdc7d9bc1709d2e61d5032193acf458319065da4
          • Opcode Fuzzy Hash: 1bdd8510b75d0864e30811c123759f7dbaec827dbffa0040188402d417d68cc6
          • Instruction Fuzzy Hash: 5E31C231600246FFDB21DF68C8909BE7FB9FF14210B96856AE5958B2B1D331E948DB50
          APIs
            • Part of subcall function 010004D8: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0100052F
            • Part of subcall function 010004D8: GetModuleFileNameW.KERNEL32(0147263C,?,00000105,?,?,00000105), ref: 0100054A
            • Part of subcall function 010004D8: LoadStringW.USER32(00000000,00FE8D54,?,00000100), ref: 010005E5
          • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 01000764
          • GetStdHandle.KERNEL32(000000F4,01000810,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 01000790
          • WriteFile.KERNEL32(00000000,000000F4,01000810,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 01000796
          • LoadStringW.USER32(00000000,00FE9504,?,00000040), ref: 010007BA
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: File$LoadModuleNameString$ByteCharHandleMultiWideWrite
          • String ID:
          • API String ID: 1413667788-0
          • Opcode ID: 8aafcd564ce04420478cc19a777e6c1dbc289f68bd851cb3cbb02e87f69c2291
          • Instruction ID: fbf8880df1f6ccfc877775fdd52fa0326d405c380b63c2f6e1ea32fc66715581
          • Opcode Fuzzy Hash: 8aafcd564ce04420478cc19a777e6c1dbc289f68bd851cb3cbb02e87f69c2291
          • Instruction Fuzzy Hash: 4B31B4B1644308BFF711FB94DC42FEA73ADEB04700F6040A2B648EA1D1DE786E409B65
          APIs
          • GetThreadUILanguage.KERNEL32(?,00000000), ref: 00FDF025
          • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 00FDF083
          • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 00FDF0E0
          • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 00FDF113
            • Part of subcall function 00FDEFD0: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,00FDF091), ref: 00FDEFE7
            • Part of subcall function 00FDEFD0: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,00FDF091), ref: 00FDF004
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: Thread$LanguagesPreferred$Language
          • String ID:
          • API String ID: 2255706666-0
          • Opcode ID: f174dff7fa579b959c1cd53b82158c2655fc522f03074dbb84d04c10505000b7
          • Instruction ID: 9daaaf732fae2e1c288ff8c1dae3b0f9dcc80227248a5e9a2deb1b7fcb207df7
          • Opcode Fuzzy Hash: f174dff7fa579b959c1cd53b82158c2655fc522f03074dbb84d04c10505000b7
          • Instruction Fuzzy Hash: D6314D70E0021A9BDB10EFE4CC85AAEB7BAFF04314F484576E511EB395DB749A089B91
          APIs
          • __getptd.LIBCMT ref: 014A8A10
            • Part of subcall function 014A8D41: __getptd_noexit.LIBCMT ref: 014A8D44
            • Part of subcall function 014A8D41: __amsg_exit.LIBCMT ref: 014A8D51
          • __getptd.LIBCMT ref: 014A8A27
          • __amsg_exit.LIBCMT ref: 014A8A35
          • __lock.LIBCMT ref: 014A8A45
          Memory Dump Source
          • Source File: 00000000.00000002.1684739707.0000000001493000.00000020.00000001.01000000.00000003.sdmp, Offset: 01493000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_1493000_dllhost.jbxd
          Similarity
          • API ID: __amsg_exit__getptd$__getptd_noexit__lock
          • String ID:
          • API String ID: 3521780317-0
          • Opcode ID: f5168d4137185a985383dea790821e8c436fb992ffe854b8001d1293af9def24
          • Instruction ID: 9082dead783e8edcff3e8e711f99ba971c6ac50f195d99e027d4086fb451cb1c
          • Opcode Fuzzy Hash: f5168d4137185a985383dea790821e8c436fb992ffe854b8001d1293af9def24
          • Instruction Fuzzy Hash: A2F03032A407038FDB31BBAA841574972A4EF74712F97455F9544AB6B0CB345902CB51
          APIs
          • GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,010039A8,?,?,?,?,00000000,00000000), ref: 010036D4
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: HandleModule
          • String ID: .bpl$SysInit
          • API String ID: 4139908857-1949293470
          • Opcode ID: e8c3ae505ce2e9fbc2e1cfbfdc8438d9c3c9e8faf49643252f28e605c8836f85
          • Instruction ID: 431e97573fc7c5d6e17eae5e6b5a9d9cb15ebb239bb917a352fe71aa829e70b3
          • Opcode Fuzzy Hash: e8c3ae505ce2e9fbc2e1cfbfdc8438d9c3c9e8faf49643252f28e605c8836f85
          • Instruction Fuzzy Hash: 90E11874A0024ADFDB16DFA8C880ADEFBF6FF48304F148166E544AB355D734AA46CB90
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1684739707.0000000001493000.00000020.00000001.01000000.00000003.sdmp, Offset: 01493000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_1493000_dllhost.jbxd
          Similarity
          • API ID: __wcstoui64
          • String ID: #
          • API String ID: 3882282163-1885708031
          • Opcode ID: b0c23fe929f1919966ce0c978adfdedf5002aad59e1bf918f9ee568e5a813f01
          • Instruction ID: 578b462dddd2cb9c21971801d7469f436e82fd504f0dc3a5d6397603ae54326d
          • Opcode Fuzzy Hash: b0c23fe929f1919966ce0c978adfdedf5002aad59e1bf918f9ee568e5a813f01
          • Instruction Fuzzy Hash: 411129726012006FD7609B7DEC80BA737ADEBE8364F444566F80DCF395E672E8518790
          APIs
          • __getptd.LIBCMT ref: 014AC85A
            • Part of subcall function 014A8D41: __getptd_noexit.LIBCMT ref: 014A8D44
            • Part of subcall function 014A8D41: __amsg_exit.LIBCMT ref: 014A8D51
          • __getptd.LIBCMT ref: 014AC868
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1684739707.0000000001493000.00000020.00000001.01000000.00000003.sdmp, Offset: 01493000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_1493000_dllhost.jbxd
          Similarity
          • API ID: __getptd$__amsg_exit__getptd_noexit
          • String ID: csm
          • API String ID: 803148776-1018135373
          • Opcode ID: 19a090d337b5289cb2aa2f64d74c49aadee50cee4b888bae0250ae30ba76a082
          • Instruction ID: c3a1cec0bf064bbadc5792bbb23ea386e97590d8c9cd925069415205c768151c
          • Opcode Fuzzy Hash: 19a090d337b5289cb2aa2f64d74c49aadee50cee4b888bae0250ae30ba76a082
          • Instruction Fuzzy Hash: 550162358002069BDF759F29C48066EB7B5BF30323FD6442FD440563B1CB359685CB41
          APIs
          • GetModuleHandleW.KERNEL32(kernel32.dll,?,01003E3C,00000000,01003E56,?,?,01003DF1), ref: 01003D66
            • Part of subcall function 00FE7288: GetProcAddress.KERNEL32(?,?), ref: 00FE72AC
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1683530650.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD1000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_fd1000_dllhost.jbxd
          Yara matches
          Similarity
          • API ID: AddressHandleModuleProc
          • String ID: GetDiskFreeSpaceExW$kernel32.dll
          • API String ID: 1646373207-1127948838
          • Opcode ID: 0ef5739b38d012917d70812c472a98c757a2bcc96ec72efc684ef89897e59d7f
          • Instruction ID: 7cfe13438d5527d22c08e38047605e1427f50cbc38393ec10df4505a8521be34
          • Opcode Fuzzy Hash: 0ef5739b38d012917d70812c472a98c757a2bcc96ec72efc684ef89897e59d7f
          • Instruction Fuzzy Hash: C9D05EA46043405FFB33BBE7EC8665673A4AB05618F10422BB2405E292D6A44405AF01