

Windows Analysis Report
libpkcs11-helper-1.dll.dll

Overview

General Information

Sample name: libpkcs11-helper-1.dll.dll
(renamed file extension from exe to dll)
Original sample name: libpkcs11-helper-1.dll.exe
Analysis ID: 1562676
MD5: 923f2b061c22b2de64f2b228f676fe95
SHA1: 40830c37101ed4f779955c8d0e1718d51714eb83
SHA256: 5d15ca989acd53de9e458bca2ac226ece6c3e1cf97b070c930a9f3f4b6144a21
Tags: exe, user-johnk3r

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain (might use process or thread times for sandbox detection)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 6564 cmdline: loaddll64.exe "C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 5664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1644 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 7160 cmdline: rundll32.exe "C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7120 cmdline: rundll32.exe C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll,DTLS_get_data_mtu MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6632 cmdline: rundll32.exe C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll,DTLSv1_client_method MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 1488 cmdline: rundll32.exe C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll,DTLSv1_listen MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched
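The process tree above is the sandbox's loaddll64.exe harness calling the DLL's exports in turn (ordinal #1 through cmd.exe, then DTLS_get_data_mtu, DTLSv1_client_method and DTLSv1_listen by name). On a real host the parent would be whatever launched the DLL, but the rundll32 command-line shape is the same, and that shape is what detection logic keys on. The Python below is an added triage example, not part of the Joe Sandbox report or its code: it parses process-creation records of the form shown in the tree, pulls the DLL path and entry point out of rundll32 command lines, and scores a DLL under a user-writable path, an entry given by ordinal, and a script-host parent. The events are constructed from the tree plus one benign-looking control; the weights are arbitrary choices for illustration. The ".dll.dll" double extension is the sandbox's own rename (see General Information), so it is deliberately only a weak signal here.

```python
"""Score rundll32 process creations like the ones in the tree above."""
import re
from dataclasses import dataclass, field

# Directories an unprivileged user can write to. A DLL that rundll32 loads
# from one of these is the classic living-off-the-land loader pattern.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")

# rundll32[.exe] <dll>,<entry>   (DLL may be quoted; entry is a name or #ordinal)
RUNDLL_RE = re.compile(
    r'^"?(?:[^"\s\\]*\\)*rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,]+))'
    r'\s*,\s*(?P<entry>#\d+|[A-Za-z_][\w@]*)',
    re.IGNORECASE,
)

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    cmdline: str

@dataclass
class Finding:
    dll: str
    entry: str
    reasons: list = field(default_factory=list)
    score: int = 0

def parse_rundll(cmdline):
    """Return (dll_path, entry) from a rundll32 command line, or None."""
    m = RUNDLL_RE.match(cmdline.strip())
    return None if m is None else ((m.group("qdll") or m.group("dll")), m.group("entry"))

def assess(ev):
    """Score one process-creation record; None if it is not a rundll32 launch."""
    if not ev.image.lower().endswith("rundll32.exe"):
        return None
    parsed = parse_rundll(ev.cmdline)
    if parsed is None:
        return None
    dll, entry = parsed
    f, low = Finding(dll=dll, entry=entry), dll.lower()
    # Weights are arbitrary choices for this example, not a published rule.
    if any(h in low for h in USER_WRITABLE_HINTS):
        f.reasons.append("dll_in_user_writable_path"); f.score += 40
    if entry.startswith("#"):
        f.reasons.append("entry_by_ordinal"); f.score += 20
    if ev.parent_image.lower().endswith(SCRIPT_HOSTS):
        f.reasons.append("script_host_parent"); f.score += 20
    if re.search(r"\.[a-z0-9]{2,4}\.dll$", low):
        # Weak signal: in this report it is only the sandbox's rename (.exe -> .dll.dll).
        f.reasons.append("double_extension"); f.score += 10
    return f

def triage(events, threshold=40):
    """Return [(event, finding)] for launches scoring at or above threshold."""
    hits = []
    for ev in events:
        f = assess(ev)
        if f is not None and f.score >= threshold:
            hits.append((ev, f))
    return hits

# Constructed from the report's process tree, plus one benign-looking control.
SAMPLE_EVENTS = [
    ProcEvent("loaddll64.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll",#1'),
    ProcEvent("cmd.exe", r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll",#1'),
    ProcEvent("loaddll64.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll,DTLSv1_listen"),
    ProcEvent("explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for ev, f in triage(SAMPLE_EVENTS):
        print(f"{f.score:3d}  {ev.parent_image} -> rundll32 {f.dll},{f.entry}  {f.reasons}")
```

The cmd.exe record scores nothing on its own because the image is cmd.exe; the rundll32 child it spawns is what carries the evidence, so in real telemetry you want parent/child pairs, not single command lines.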



AV Detection

Source: libpkcs11-helper-1.dll.dllReversingLabs: Detection: 13%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.9% probability
Source: libpkcs11-helper-1.dll.dllJoe Sandbox ML: detected
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C578C0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GetLocalTime,OpenMutexA,GetTempPathW,GetTempFileNameW,CreateThreadpoolWait,GetSystemDefaultLangID,lstrlenW,HeapReAlloc,UnregisterBadMemoryNotification,ConnectNamedPipe,DeleteTimerQueueEx,FindFirstFileNameW,VirtualQuery,WaitCommEvent,CompareStringOrdinal,SetThreadErrorMode,WriteConsoleOutputW,IsThreadpoolTimerSet,NeedCurrentDirectoryForExePathW,HeapFree,GetDefaultCommConfigW,GetNamedPipeClientSessionId,FindVolumeClose,CreateSemaphoreW,CloseHandle,WakeConditionVariable,VerifyVersionInfoW,CompareStringEx,ConvertFiberToThread,GetStartupInfoW,GetOverlappedResultEx,GetProcessId,GetStringTypeW,WriteConsoleOutputCharacterW,SetTapeParameters,RegisterApplicationRestart,AddScopedPolicyIDAce,ConvertThreadToFiberEx,WaitForDebugEvent,UnregisterBadMemoryNotification,GetThreadSelectorEntry,LeaveCriticalSection,SetSystemFileCacheSize,VerifyScripts,SetUserGeoID,GetLocalTime,GetShortPathNameW,IsProcessInJob,GetVolumePathNamesForVolumeNameW,EscapeCommFunction,DeleteTimerQueueEx,WriteProcessMemory,IsValidLanguageGroup,GetDynamicTimeZoneInformation,InitOnceExecuteOnce,GetNumberOfConsoleMouseButtons,RtlCaptureStackBackTrace,GetNamedPipeServerProcessId,LoadResource,WinExec,GetCommModemStatus,FreeConsole,LoadResource,GetCurrentThread,CompareFileTime,HeapLock,GetNumberOfConsoleInputEvents,OpenFileMappingW,SetCommState,IsBadStringPtrW,GetStringTypeW,VirtualProtect,0_2_00007FF8A8C578C0
Source: libpkcs11-helper-1.dll.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C5AC80 GetStartupInfoW,CopyFile2,SetProcessPriorityBoost,IsValidLanguageGroup,SetProcessPriorityBoost,AssignProcessToJobObject,GetModuleFileNameW,GetComputerNameW,GetPrivateProfileSectionW,GetDefaultCommConfigW,SystemTimeToFileTime,GetNumaProcessorNode,GetLocaleInfoEx,GetCurrentProcessorNumber,FindFirstFileNameW,CopyFileTransactedW,QueryPerformanceCounter,FlushConsoleInputBuffer,MapUserPhysicalPagesScatter,LCMapStringW,QueryMemoryResourceNotification,VerifyScripts,FindStringOrdinal,SetFileTime,SetThreadGroupAffinity,EnumTimeFormatsW,OutputDebugStringA,0_2_00007FF8A8C5AC80
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8D901C0 FindFirstFileNameW,0_2_00007FF8A8D901C0
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CFC1EC FindFirstFileExW,0_2_00007FF8A8CFC1EC
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C56670 GetProcessShutdownParameters,WriteConsoleOutputW,SetWaitableTimerEx,GetThreadId,LocalReAlloc,GetFirmwareEnvironmentVariableW,WakeAllConditionVariable,RegisterApplicationRecoveryCallback,GetNumberOfConsoleInputEvents,ContinueDebugEvent,DuplicateHandle,HeapReAlloc,CancelWaitableTimer,CancelIo,GetNumaHighestNodeNumber,SetFilePointer,FindNextVolumeMountPointW,InterlockedPushEntrySList,CreateWaitableTimerW,GlobalSize,DeleteVolumeMountPointW,IsWow64Process,QueryDosDeviceW,ReadFileEx,RegisterApplicationRecoveryCallback,ToAsciiEx,lstrcmpiW,SetThreadpoolTimerEx,GetRawInputData,GetFullPathNameW,TabbedTextOutW,QueryThreadProfiling,CreateMailslotW,EnumResourceTypesW,AcquireSRWLockExclusive,CharPrevExA,GetWindowsDirectoryW,GetWindowPlacement,GetFullPathNameTransactedW,SetFirmwareEnvironmentVariableW,BackupWrite,SetTapeParameters,IsValidLocaleName,CopyFileExW,LoadCursorFromFileW,FindFirstVolumeW,CharToOemW,AddSecureMemoryCacheCallback,MulDiv,QueryThreadProfiling,GetKeyboardLayout,DrawEdge,LoadPackagedLibrary,GetDynamicTimeZoneInformation,DebugActiveProcess,GetSystemDirectoryW,HeapCompact,GlobalHandle,WaitNamedPipeW,SetCommState,CreateMailslotW,VirtualProtect,InterlockedFlushSList,GlobalGetAtomNameW,AllocConsole,GetNLSVersionEx,GetSystemTimes,PowerSetRequest,WriteConsoleW,SetTimeZoneInformation,QueryProtectedPolicy,GetCurrentProcessorNumber,CompareFileTime,GetCurrentThread,ConvertDefaultLocale,GetActiveProcessorGroupCount,SetConsoleCursorPosition,SetConsoleOutputCP,NeedCurrentDirectoryForExePathW,OfferVirtualMemory,SetFileIoOverlappedRange,PrefetchVirtualMemory,SystemTimeToFileTime,GetProfileIntW,GetConsoleCursorInfo,GlobalGetAtomNameW,SizeofResource,GetCurrentThread,OpenEventW,EnumSystemGeoID,SleepConditionVariableCS,OpenWaitableTimerW,EnumResourceNamesW,SetThreadpoolStackInformation,GetLogicalProcessorInformationEx,ReadFileEx,GetConsoleAliasesW,QueryThreadProfiling,GetFileSizeEx,VirtualUnlock,GetSystemDirectoryW,FindNextChangeNotification,HeapWalk,TerminateThread,HeapWalk,UnlockFile,QueryThreadpoolStackInformation,CreateDirectoryExW,FindFirstFileTransactedW,LockFile,GetFileTime,CloseThreadpoolTimer,CheckTokenMembershipEx,UnregisterApplicationRestart,GetSystemTime,FlushFileBuffers,FindVolumeClose,GetUserDefaultLCID,ConvertThreadToFiber,AddSecureMemoryCacheCallback,GetNumaHighestNodeNumber,CloseThreadpoolIo,GetProcessPreferredUILanguages,DnsHostnameToComputerNameW,RaiseException,GetFileAttributesExW,SetVolumeMountPointW,lstrlenW,GetUserDefaultLCID,SetCommMask,SizeofResource,GetSystemDEPPolicy,GetVolumeNameForVolumeMountPointW,FreeLibrary,DrawFocusRect,DnsHostnameToComputerNameW,GetSystemMenu,GetThreadPriorityBoost,RegisterWindowMessageW,LogicalToPhysicalPoint,FreeLibraryWhenCallbackReturns,DdeSetUserHandle,GetModuleFileNameW,RemoveVectoredContinueHandler,SetConsoleMode,IsThreadpoolTimerSet,SetProcessWorkingSetSize,GetScrollPos,SetWindowContextHelpId,FlushConsoleInputBuffer,SetWaitableTimerEx,IsValidCodePage,CommConfigDialogW,EscapeCommFunct 0_2_00007FF8A8C56670
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C59790 UnregisterSuspendResumeNotification,ValidateRect,MessageBoxIndirectW,SetFileAttributesW,IsProcessDPIAware,SetProcessRestrictionExemption,GetModuleHandleExW,FindWindowExW,GetGUIThreadInfo,TransmitCommChar,HeapQueryInformation,SetSystemCursor,GetNumberOfConsoleInputEvents,RemoveVectoredExceptionHandler,SetLocaleInfoW,CopyFileW,mouse_event,GetCurrentProcess,GlobalReAlloc,EndDeferWindowPos,DefRawInputProc,GetUserDefaultLocaleName,PrefetchVirtualMemory,EnumWindows,DialogBoxParamW,DialogBoxParamW,SetProcessWorkingSetSizeEx,GetLastInputInfo,GetPriorityClass,SetNamedPipeHandleState,MapVirtualKeyW,OpenPrivateNamespaceW,SetSystemCursor,GetCurrentConsoleFont,TzSpecificLocalTimeToSystemTimeEx,FlushViewOfFile,FindNextVolumeW,NotifyUILanguageChange,EscapeCommFunction,Wow64SuspendThread,DeleteAtom,GetSystemDefaultLCID,GetFirmwareType,ReleaseSRWLockExclusive,SetCommTimeouts,RtlCaptureContext,GetCommMask,QueryProtectedPolicy,WriteConsoleW,RemoveDllDirectory,GetUserDefaultLangID,CreateMailslotW,StartThreadpoolIo,FatalAppExitW,GetCommProperties,Wow64SetThreadContext,GetFileInformationByHandle,SetConsoleHistoryInfo,WriteProfileStringW,InitializeSynchronizationBarrier,SetFilePointerEx,SetMailslotInfo,GetNumaAvailableMemoryNodeEx,GetProcessGroupAffinity,FindResourceW,ApplicationRecoveryInProgress,DnsHostnameToComputerNameW,GetConsoleProcessList,DeleteTimerQueueEx,GetNLSVersionEx,PurgeComm,OpenFileMappingW,FindFirstFileNameTransactedW,SetThreadpoolStackInformation,CheckTokenCapability,GetCurrencyFormatW,GetConsoleProcessList,GetCurrentConsoleFont,MapViewOfFileEx,RequestWakeupLatency,FlsFree,ConvertDefaultLocale,GetProcessHeap,TryEnterCriticalSection,EnumLanguageGroupLocalesW,EnumLanguageGroupLocalesW,DeleteTimerQueueEx,InitializeConditionVariable,GetLongPathNameTransactedW,0_2_00007FF8A8C59790
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C533F0 GetTempPathA,GetTempFileNameA,QueryFullProcessImageNameW,CommConfigDialogW,CallbackMayRunLong,lstrcatW,UnregisterApplicationRestart,GetThreadSelectorEntry,BuildCommDCBW,SetConsoleHistoryInfo,PtVisible,CreatePrivateNamespaceW,GetConsoleSelectionInfo,WakeConditionVariable,PeekNamedPipe,EnumCalendarInfoExEx,Polygon,OpenWaitableTimerW,GetLogicalDrives,EnumResourceTypesExW,GetPhysicallyInstalledSystemMemory,SetEventWhenCallbackReturns,CopyFileW,GetFirmwareType,GetStartupInfoW,GetColorAdjustment,CreateMetaFileW,CancelWaitableTimer,BackupRead,GetCommState,GetCommandLineW,GetWindowsDirectoryW,GetConsoleCursorInfo,GetNamedPipeServerProcessId,GetMaximumProcessorGroupCount,OpenWaitableTimerW,SetFileAttributesTransactedW,DeleteTimerQueueEx,SetFileAttributesW,MoveFileExW,WaitForThreadpoolTimerCallbacks,CreateThreadpoolWait,CopyFileW,ReadConsoleOutputCharacterW,SetFirmwareEnvironmentVariableW,GetTempFileNameW,AddScopedPolicyIDAce,GetCPInfoExW,QueryInformationJobObject,FatalExit,CreateThreadpoolWork,RegOpenKeyExA,GetLongPathNameW,SetConsoleCP,VerifyScripts,CreateThreadpoolIo,EnumResourceLanguagesW,FindNLSString,CancelThreadpoolIo,UpdateResourceW,CheckNameLegalDOS8Dot3W,ScrollConsoleScreenBufferW,GetVolumeNameForVolumeMountPointW,TransactNamedPipe,ReadFile,CreateEventW,GetLogicalDriveStringsW,CreateDirectoryExW,EnumResourceTypesW,RegQueryValueExA,GetThreadGroupAffinity,CreateWaitableTimerW,GetNamedPipeClientComputerNameW,VirtualFreeEx,TerminateThread,SetDynamicTimeZoneInformation,GetLogicalDriveStringsW,CloseThreadpoolWork,GetThreadIdealProcessorEx,CreateJobObjectW,UnregisterWait,OpenFileById,MapViewOfFile,UnregisterWait,AddIntegrityLabelToBoundaryDescriptor,CancelIo,SetThreadPriorityBoost,QueryPerformanceFrequency,RegCloseKey,OutputDebugStringA,0_2_00007FF8A8C533F0
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C5AC80 0_2_00007FF8A8C5AC80
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C59CD0 0_2_00007FF8A8C59CD0
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C54090 0_2_00007FF8A8C54090
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C533F0 0_2_00007FF8A8C533F0
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C555A0 0_2_00007FF8A8C555A0
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C578C0 0_2_00007FF8A8C578C0
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C54B70 0_2_00007FF8A8C54B70
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C58CB0 0_2_00007FF8A8C58CB0
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CF8C24 0_2_00007FF8A8CF8C24
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8D02ED0 0_2_00007FF8A8D02ED0
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CE4EC0 0_2_00007FF8A8CE4EC0
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CE8EA8 0_2_00007FF8A8CE8EA8
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CECE98 0_2_00007FF8A8CECE98
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8D00FE0 0_2_00007FF8A8D00FE0
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CFC1EC 0_2_00007FF8A8CFC1EC
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CF815C 0_2_00007FF8A8CF815C
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CE4210 0_2_00007FF8A8CE4210
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CF83D8 0_2_00007FF8A8CF83D8
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CF24AC 0_2_00007FF8A8CF24AC
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CE4414 0_2_00007FF8A8CE4414
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CF0588 0_2_00007FF8A8CF0588
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CF66E8 0_2_00007FF8A8CF66E8
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C5E6A0 0_2_00007FF8A8C5E6A0
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C56670 0_2_00007FF8A8C56670
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CFE614 0_2_00007FF8A8CFE614
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CE39F0 0_2_00007FF8A8CE39F0
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CF5BD4 0_2_00007FF8A8CF5BD4
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CE3BF4 0_2_00007FF8A8CE3BF4
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CEBB2C 0_2_00007FF8A8CEBB2C
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CE5C58 0_2_00007FF8A8CE5C58
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CE3E00 0_2_00007FF8A8CE3E00
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CEE0CC 0_2_00007FF8A8CEE0CC
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CF6068 0_2_00007FF8A8CF6068
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CE4004 0_2_00007FF8A8CE4004
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CEF108 0_2_00007FF8A8CEF108
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CEB2E0 0_2_00007FF8A8CEB2E0
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CE93B4 0_2_00007FF8A8CE93B4
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C57460 0_2_00007FF8A8C57460
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CFB410 0_2_00007FF8A8CFB410
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CED53C 0_2_00007FF8A8CED53C
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8D0356C 0_2_00007FF8A8D0356C
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C5F530 0_2_00007FF8A8C5F530
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CFF790 0_2_00007FF8A8CFF790
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C59790 0_2_00007FF8A8C59790
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CE5854 0_2_00007FF8A8CE5854
Source: C:\Windows\System32\loaddll64.exeCode function: String function: 00007FF8A8CDDAAC appears 216 times
Source: classification engineClassification label: mal56.winDLL@12/0@0/0
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8CAAD30 GetDiskFreeSpaceExA,0_2_00007FF8A8CAAD30
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C59CD0 GetDynamicTimeZoneInformation,SetUnhandledExceptionFilter,IsClipboardFormatAvailable,SleepConditionVariableSRW,GetActiveProcessorGroupCount,GetDlgItemInt,CreateDirectoryTransactedW,LoadPackagedLibrary,GetCommModemStatus,ReleaseMutex,WaitForDebugEvent,GetFullPathNameTransactedW,RaiseException,GetACP,GetBrushOrgEx,GlobalUnlock,GetNamedPipeClientComputerNameW,SetTapeParameters,WritePrivateProfileSectionW,FindCloseChangeNotification,BackupWrite,LocalFlags,GetThreadPreferredUILanguages,GetDeviceCaps,GetVolumePathNameW,CreateBrushIndirect,GetEnhMetaFileW,LPtoDP,PowerCreateRequest,GetConsoleOutputCP,SleepConditionVariableSRW,RaiseException,SetThreadPriorityBoost,OpenFile,SetFilePointerEx,FindNLSStringEx,QueryDosDeviceW,OpenMutexW,SetFileAttributesTransactedW,InterlockedPopEntrySList,PowerCreateRequest,GlobalReAlloc,GetProcAddress,LoadModule,CloseThreadpoolCleanupGroup,GetProcessHeaps,GetNLSVersionEx,GetCommState,FreeUserPhysicalPages,FreeResource,GetLocalTime,GetSystemInfo,CreateEventExW,MapViewOfFile,CreateRemoteThread,SetProcessShutdownParameters,SetDllDirectoryW,GetLongPathNameTransactedW,GetNumberOfConsoleMouseButtons,SetCalendarInfoW,DisassociateCurrentThreadFromCallback,GetCommProperties,BindIoCompletionCallback,CompareStringOrdinal,SetCommMask,Wow64GetThreadContext,IsProcessInJob,SystemTimeToTzSpecificLocalTime,IsValidLocale,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateMutexW,MessageBoxW,CloseHandle,OutputDebugStringA,GetProcessHeaps,SetFileApisToANSI,FindVolumeMountPointClose,InitOnceExecuteOnce,UnregisterApplicationRestart,FileTimeToDosDateTime,InitializeProcThreadAttributeList,ReOpenFile,LCMapStringW,SetProcessWorkingSetSizeEx,FindNLSString,GetMaximumProcessorCount,DdeReconnect,FindFirstVolumeW,InterlockedPushListSListEx,IsWindowUnicode,GetNumaAvailableMemoryNodeEx,TzSpecificLocalTimeToSystemTimeEx,ChangeDisplaySettingsW,UserHandleGrantAccess,GetTapeParameters,RemoveVectoredExceptionHandler,EnumTimeFormatsW,FindNextVolumeW,GetWriteWatch,SetProcessPreferredUILanguages,CharUpperW,GetStartupInfoW,DdeNameService,GetVersionExW,FatalExit,FatalExit,0_2_00007FF8A8C59CD0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_03
Source: libpkcs11-helper-1.dll.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll"
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll,DTLS_get_data_mtu
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll,DTLSv1_client_method
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll,DTLSv1_listen
Source: C:\Windows\System32\loaddll64.exeSection loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\loaddll64.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\loaddll64.exeSection loaded: cryptbase.dll
Source: libpkcs11-helper-1.dll.dllStatic PE information: More than 118 > 100 exports found
Source: libpkcs11-helper-1.dll.dllStatic PE information: Image base 0x180000000 > 0x60000000
Source: libpkcs11-helper-1.dll.dllStatic file information: File size 1396736 > 1048576
Source: libpkcs11-helper-1.dll.dllStatic PE information: More than 200 imports for KERNEL32.dll
Source: libpkcs11-helper-1.dll.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: libpkcs11-helper-1.dll.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: libpkcs11-helper-1.dll.dllStatic PE information: section name: .hdata
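The static facts above (DLL characteristics HIGH_ENTROPY_VA, DYNAMIC_BASE and NX_COMPAT; an image base above 0x60000000; a debug data directory; the non-standard .hdata section; more than 100 exports) all come straight from the PE headers, and it is worth being able to re-derive them without the sandbox. The Python below is an added example, not Joe Sandbox code and not the sample itself: analyze_pe() reads those facts from raw header bytes using only the struct module and the PE/COFF layout, and build_fixture_dll() assembles a small constructed PE32+ DLL (with a .hdata section and a few DTLS_* export names borrowed from the process tree) so the check runs offline. On a real file, call analyze_pe(open(path, "rb").read()).

```python
"""Re-derive the static PE facts listed above from raw headers (PE/COFF layout)."""
import struct

DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT"}
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".xdata", ".bss", ".idata",
                     ".edata", ".reloc", ".rsrc", ".tls", ".CRT"}
DIR_EXPORT, DIR_DEBUG = 0, 6          # IMAGE_DIRECTORY_ENTRY_EXPORT / _DEBUG

def _rva_to_off(rva, sections):
    """Map an RVA to a file offset through the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is outside every section")

def analyze_pe(data):
    """Return the header-level facts a sandbox reports for a PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                       # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ (64-bit) images are handled here")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    exports = []
    if ndirs > DIR_EXPORT and dirs[DIR_EXPORT][0]:
        edir = _rva_to_off(dirs[DIR_EXPORT][0], sections)
        *_, nnames, _funcs, names_rva, _ords = struct.unpack_from("<IIHHIIIIIII", data, edir)
        names_off = _rva_to_off(names_rva, sections)
        for i in range(nnames):
            soff = _rva_to_off(struct.unpack_from("<I", data, names_off + 4 * i)[0], sections)
            exports.append(data[soff:data.index(b"\0", soff)].decode("ascii", "replace"))
    return {
        "image_base": image_base,
        "image_base_above_0x60000000": image_base > 0x60000000,
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dllchar & bit],
        "sections": [s["name"] for s in sections],
        "nonstandard_sections": [s["name"] for s in sections if s["name"] not in STANDARD_SECTIONS],
        "has_debug_dir": ndirs > DIR_DEBUG and dirs[DIR_DEBUG][0] != 0,
        "export_names": exports,
    }

def build_fixture_dll(export_names, extra_section=".hdata", image_base=0x180000000):
    """Constructed PE32+ DLL (test fixture, not the analysed sample): a .text stub,
    one extra section holding an export table, all three DllCharacteristics set."""
    falign, salign, hdr_size, text_size, edata_rva = 0x200, 0x1000, 0x400, 0x200, 0x2000
    n = len(export_names)
    funcs_rva, names_rva = edata_rva + 40, edata_rva + 40 + 4 * n
    ords_rva, str_rva = names_rva + 4 * n, names_rva + 6 * n
    strings, name_rvas = b"", []
    for nm in export_names:
        name_rvas.append(str_rva + len(strings))
        strings += nm.encode() + b"\0"
    blob = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, funcs_rva, names_rva, ords_rva)
    blob += b"".join(struct.pack("<I", 0x1000) for _ in range(n))     # every export -> .text stub
    blob += b"".join(struct.pack("<I", r) for r in name_rvas)
    blob += b"".join(struct.pack("<H", i) for i in range(n)) + strings
    edata_raw, edata_size = hdr_size + text_size, -(-len(blob) // falign) * falign
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                              # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)                            # AddressOfEntryPoint
    struct.pack_into("<QII", opt, 24, image_base, salign, falign)
    struct.pack_into("<II", opt, 56, edata_rva + salign, hdr_size)     # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 70, 0x0020 | 0x0040 | 0x0100)          # DllCharacteristics
    struct.pack_into("<I", opt, 108, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, edata_rva, len(blob))            # export directory
    def sec(name, va, rawptr, rawsize, chars):
        return struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                           salign, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x2022)   # x64, 2 sections, DLL
           + bytes(opt)
           + sec(".text", 0x1000, hdr_size, text_size, 0x60000020)
           + sec(extra_section, edata_rva, edata_raw, edata_size, 0x40000040))
    img = bytearray(hdr_size + text_size + edata_size)
    img[:len(hdr)] = hdr
    img[hdr_size] = 0xC3                                               # ret
    img[edata_raw:edata_raw + len(blob)] = blob
    return bytes(img)

if __name__ == "__main__":
    for k, v in analyze_pe(build_fixture_dll(["DTLSv1_listen", "DTLS_get_data_mtu"])).items():
        print(f"{k}: {v}")
```

The export-name walk is also the cheap way to confirm what the sandbox harness above was doing: rundll32 was simply handed names from this table one at a time.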
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8D94745 push rsi; ret 0_2_00007FF8A8D94746
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C555A0 GetLocalTime,GetCurrentProcess,GetProcessTimes,FileTimeToSystemTime,OutputDebugStringW,GetLocalTime,GetDateFormatW,VirtualQuery,FormatMessageW,FindClose,WinExec,ReadThreadProfilingData,WriteConsoleOutputCharacterW,SetThreadpoolThreadMaximum,GetCurrentConsoleFontEx,SetHandleInformation,GetCurrentThreadId,GetEnvironmentVariableW,RegisterWaitForSingleObject,OffsetClipRgn,FindNLSStringEx,OpenMutexW,OutputDebugStringW,CloseHandle,OutputDebugStringW,GetTempPathW,GetFileAttributesW,OutputDebugStringA,RegOpenKeyExW,RegCloseKey,OutputDebugStringW,Concurrency::cancel_current_task,GetConsoleAliasesW,GetConsoleCursorInfo,RegisterApplicationRecoveryCallback,lstrcmpiW,CreateThreadpool,GetSystemPowerStatus,BeginUpdateResourceW,LoadResource,UnlockFileEx,CreateMutexExW,CreateMemoryResourceNotification,FindResourceW,GetCalendarInfoEx,DosDateTimeToFileTime,CreateThreadpoolWork,UnlockFileEx,GetFirmwareEnvironmentVariableW,DeleteProcThreadAttributeList,EnumTimeFormatsW,GetSystemFileCacheSize,CreateFileW,CancelThreadpoolIo,BackupSeek,SetStdHandle,CreateThreadpoolWork,FreeEnvironmentStringsW,GetUserDefaultLangID,EnumResourceNamesExW,IsDBCSLeadByte,GetConsoleProcessList,CloseThreadpoolIo,OpenFileById,RtlCaptureStackBackTrace,GetThreadPreferredUILanguages,TerminateThread,FatalExit,0_2_00007FF8A8C555A0
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll64.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C5AC80 GetStartupInfoW,CopyFile2,SetProcessPriorityBoost,IsValidLanguageGroup,SetProcessPriorityBoost,AssignProcessToJobObject,GetModuleFileNameW,GetComputerNameW,GetPrivateProfileSectionW,GetDefaultCommConfigW,SystemTimeToFileTime,GetNumaProcessorNode,GetLocaleInfoEx,GetCurrentProcessorNumber,FindFirstFileNameW,CopyFileTransactedW,QueryPerformanceCounter,FlushConsoleInputBuffer,MapUserPhysicalPagesScatter,LCMapStringW,QueryMemoryResourceNotification,VerifyScripts,FindStringOrdinal,SetFileTime,SetThreadGroupAffinity,EnumTimeFormatsW,OutputDebugStringA,0_2_00007FF8A8C5AC80
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8A8C578C0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GetLocalTime,OpenMutexA,GetTempPathW,GetTempFileNameW,CreateThreadpoolWait,GetSystemDefaultLangID,lstrlenW,HeapReAlloc,UnregisterBadMemoryNotification,ConnectNamedPipe,DeleteTimerQueueEx,FindFirstFileNameW,VirtualQuery,WaitCommEvent,CompareStringOrdinal,SetThreadErrorMode,WriteConsoleOutputW,IsThreadpoolTimerSet,NeedCurrentDirectoryForExePathW,HeapFree,GetDefaultCommConfigW,GetNamedPipeClientSessionId,FindVolumeClose,CreateSemaphoreW,CloseHandle,WakeConditionVariable,VerifyVersionInfoW,CompareStringEx,ConvertFiberToThread,GetStartupInfoW,GetOverlappedResultEx,GetProcessId,GetStringTypeW,WriteConsoleOutputCharacterW,SetTapeParameters,RegisterApplicationRestart,AddScopedPolicyIDAce,ConvertThreadToFiberEx,WaitForDebugEvent,UnregisterBadMemoryNotification,GetThreadSelectorEntry,LeaveCriticalSection,SetSystemFileCacheSize,VerifyScripts,SetUserGeoID,GetLocalTime,GetShortPathNameW,IsProcessInJob,GetVolumePathNamesForVolumeNameW,EscapeCommFunction,DeleteTimerQueueEx,WriteProcessMemory,IsValidLanguageGroup,GetDynamicTimeZoneInformation,InitOnceExecuteOnce,GetNumberOfConsoleMouseButtons,RtlCaptureStackBackTrace,GetNamedPipeServerProcessId,LoadResource,WinExec,GetCommModemStatus,FreeConsole,LoadResource,GetCurrentThread,CompareFileTime,HeapLock,GetNumberOfConsoleInputEvents,OpenFileMappingW,SetCommState,IsBadStringPtrW,GetStringTypeW,VirtualProtect,0_2_00007FF8A8C578C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8D901C0 FindFirstFileNameW,0_2_00007FF8A8D901C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CFC1EC FindFirstFileExW,0_2_00007FF8A8CFC1EC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C56670 GetProcessShutdownParameters,WriteConsoleOutputW,SetWaitableTimerEx,GetThreadId,LocalReAlloc,GetFirmwareEnvironmentVariableW,WakeAllConditionVariable,RegisterApplicationRecoveryCallback,GetNumberOfConsoleInputEvents,ContinueDebugEvent,DuplicateHandle,HeapReAlloc,CancelWaitableTimer,CancelIo,GetNumaHighestNodeNumber,SetFilePointer,FindNextVolumeMountPointW,InterlockedPushEntrySList,CreateWaitableTimerW,GlobalSize,DeleteVolumeMountPointW,IsWow64Process,QueryDosDeviceW,ReadFileEx,RegisterApplicationRecoveryCallback,ToAsciiEx,lstrcmpiW,SetThreadpoolTimerEx,GetRawInputData,GetFullPathNameW,TabbedTextOutW,QueryThreadProfiling,CreateMailslotW,EnumResourceTypesW,AcquireSRWLockExclusive,CharPrevExA,GetWindowsDirectoryW,GetWindowPlacement,GetFullPathNameTransactedW,SetFirmwareEnvironmentVariableW,BackupWrite,SetTapeParameters,IsValidLocaleName,CopyFileExW,LoadCursorFromFileW,FindFirstVolumeW,CharToOemW,AddSecureMemoryCacheCallback,MulDiv,QueryThreadProfiling,GetKeyboardLayout,DrawEdge,LoadPackagedLibrary,GetDynamicTimeZoneInformation,DebugActiveProcess,GetSystemDirectoryW,HeapCompact,GlobalHandle,WaitNamedPipeW,SetCommState,CreateMailslotW,VirtualProtect,InterlockedFlushSList,GlobalGetAtomNameW,AllocConsole,GetNLSVersionEx,GetSystemTimes,PowerSetRequest,WriteConsoleW,SetTimeZoneInformation,QueryProtectedPolicy,GetCurrentProcessorNumber,CompareFileTime,GetCurrentThread,ConvertDefaultLocale,GetActiveProcessorGroupCount,SetConsoleCursorPosition,SetConsoleOutputCP,NeedCurrentDirectoryForExePathW,OfferVirtualMemory,SetFileIoOverlappedRange,PrefetchVirtualMemory,SystemTimeToFileTime,GetProfileIntW,GetConsoleCursorInfo,GlobalGetAtomNameW,SizeofResource,GetCurrentThread,OpenEventW,EnumSystemGeoID,SleepConditionVariableCS,OpenWaitableTimerW,EnumResourceNamesW,SetThreadpoolStackInformation,GetLogicalProcessorInformationEx,ReadFileEx,GetConsoleAliasesW,QueryThreadProfiling,GetFileSizeEx,VirtualUnlock,GetSystemDirectoryW,FindNextChangeNotification,HeapWalk,TerminateThread,HeapWalk,UnlockFile,QueryThreadpoolStackInformation,CreateDirectoryExW,FindFirstFileTransactedW,LockFile,GetFileTime,CloseThreadpoolTimer,CheckTokenMembershipEx,UnregisterApplicationRestart,GetSystemTime,FlushFileBuffers,FindVolumeClose,GetUserDefaultLCID,ConvertThreadToFiber,AddSecureMemoryCacheCallback,GetNumaHighestNodeNumber,CloseThreadpoolIo,GetProcessPreferredUILanguages,DnsHostnameToComputerNameW,RaiseException,GetFileAttributesExW,SetVolumeMountPointW,lstrlenW,GetUserDefaultLCID,SetCommMask,SizeofResource,GetSystemDEPPolicy,GetVolumeNameForVolumeMountPointW,FreeLibrary,DrawFocusRect,DnsHostnameToComputerNameW,GetSystemMenu,GetThreadPriorityBoost,RegisterWindowMessageW,LogicalToPhysicalPoint,FreeLibraryWhenCallbackReturns,DdeSetUserHandle,GetModuleFileNameW,RemoveVectoredContinueHandler,SetConsoleMode,IsThreadpoolTimerSet,SetProcessWorkingSetSize,GetScrollPos,SetWindowContextHelpId,FlushConsoleInputBuffer,SetWaitableTimerEx,IsValidCodePage,CommConfigDialogW,EscapeCommFunct0_2_00007FF8A8C56670
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C59790 UnregisterSuspendResumeNotification,ValidateRect,MessageBoxIndirectW,SetFileAttributesW,IsProcessDPIAware,SetProcessRestrictionExemption,GetModuleHandleExW,FindWindowExW,GetGUIThreadInfo,TransmitCommChar,HeapQueryInformation,SetSystemCursor,GetNumberOfConsoleInputEvents,RemoveVectoredExceptionHandler,SetLocaleInfoW,CopyFileW,mouse_event,GetCurrentProcess,GlobalReAlloc,EndDeferWindowPos,DefRawInputProc,GetUserDefaultLocaleName,PrefetchVirtualMemory,EnumWindows,DialogBoxParamW,DialogBoxParamW,SetProcessWorkingSetSizeEx,GetLastInputInfo,GetPriorityClass,SetNamedPipeHandleState,MapVirtualKeyW,OpenPrivateNamespaceW,SetSystemCursor,GetCurrentConsoleFont,TzSpecificLocalTimeToSystemTimeEx,FlushViewOfFile,FindNextVolumeW,NotifyUILanguageChange,EscapeCommFunction,Wow64SuspendThread,DeleteAtom,GetSystemDefaultLCID,GetFirmwareType,ReleaseSRWLockExclusive,SetCommTimeouts,RtlCaptureContext,GetCommMask,QueryProtectedPolicy,WriteConsoleW,RemoveDllDirectory,GetUserDefaultLangID,CreateMailslotW,StartThreadpoolIo,FatalAppExitW,GetCommProperties,Wow64SetThreadContext,GetFileInformationByHandle,SetConsoleHistoryInfo,WriteProfileStringW,InitializeSynchronizationBarrier,SetFilePointerEx,SetMailslotInfo,GetNumaAvailableMemoryNodeEx,GetProcessGroupAffinity,FindResourceW,ApplicationRecoveryInProgress,DnsHostnameToComputerNameW,GetConsoleProcessList,DeleteTimerQueueEx,GetNLSVersionEx,PurgeComm,OpenFileMappingW,FindFirstFileNameTransactedW,SetThreadpoolStackInformation,CheckTokenCapability,GetCurrencyFormatW,GetConsoleProcessList,GetCurrentConsoleFont,MapViewOfFileEx,RequestWakeupLatency,FlsFree,ConvertDefaultLocale,GetProcessHeap,TryEnterCriticalSection,EnumLanguageGroupLocalesW,EnumLanguageGroupLocalesW,DeleteTimerQueueEx,InitializeConditionVariable,GetLongPathNameTransactedW,0_2_00007FF8A8C59790
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C533F0 GetTempPathA,GetTempFileNameA,QueryFullProcessImageNameW,CommConfigDialogW,CallbackMayRunLong,lstrcatW,UnregisterApplicationRestart,GetThreadSelectorEntry,BuildCommDCBW,SetConsoleHistoryInfo,PtVisible,CreatePrivateNamespaceW,GetConsoleSelectionInfo,WakeConditionVariable,PeekNamedPipe,EnumCalendarInfoExEx,Polygon,OpenWaitableTimerW,GetLogicalDrives,EnumResourceTypesExW,GetPhysicallyInstalledSystemMemory,SetEventWhenCallbackReturns,CopyFileW,GetFirmwareType,GetStartupInfoW,GetColorAdjustment,CreateMetaFileW,CancelWaitableTimer,BackupRead,GetCommState,GetCommandLineW,GetWindowsDirectoryW,GetConsoleCursorInfo,GetNamedPipeServerProcessId,GetMaximumProcessorGroupCount,OpenWaitableTimerW,SetFileAttributesTransactedW,DeleteTimerQueueEx,SetFileAttributesW,MoveFileExW,WaitForThreadpoolTimerCallbacks,CreateThreadpoolWait,CopyFileW,ReadConsoleOutputCharacterW,SetFirmwareEnvironmentVariableW,GetTempFileNameW,AddScopedPolicyIDAce,GetCPInfoExW,QueryInformationJobObject,FatalExit,CreateThreadpoolWork,RegOpenKeyExA,GetLongPathNameW,SetConsoleCP,VerifyScripts,CreateThreadpoolIo,EnumResourceLanguagesW,FindNLSString,CancelThreadpoolIo,UpdateResourceW,CheckNameLegalDOS8Dot3W,ScrollConsoleScreenBufferW,GetVolumeNameForVolumeMountPointW,TransactNamedPipe,ReadFile,CreateEventW,GetLogicalDriveStringsW,CreateDirectoryExW,EnumResourceTypesW,RegQueryValueExA,GetThreadGroupAffinity,CreateWaitableTimerW,GetNamedPipeClientComputerNameW,VirtualFreeEx,TerminateThread,SetDynamicTimeZoneInformation,GetLogicalDriveStringsW,CloseThreadpoolWork,GetThreadIdealProcessorEx,CreateJobObjectW,UnregisterWait,OpenFileById,MapViewOfFile,UnregisterWait,AddIntegrityLabelToBoundaryDescriptor,CancelIo,SetThreadPriorityBoost,QueryPerformanceFrequency,RegCloseKey,OutputDebugStringA,0_2_00007FF8A8C533F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C59CD0 GetDynamicTimeZoneInformation,SetUnhandledExceptionFilter,IsClipboardFormatAvailable,SleepConditionVariableSRW,GetActiveProcessorGroupCount,GetDlgItemInt,CreateDirectoryTransactedW,LoadPackagedLibrary,GetCommModemStatus,ReleaseMutex,WaitForDebugEvent,GetFullPathNameTransactedW,RaiseException,GetACP,GetBrushOrgEx,GlobalUnlock,GetNamedPipeClientComputerNameW,SetTapeParameters,WritePrivateProfileSectionW,FindCloseChangeNotification,BackupWrite,LocalFlags,GetThreadPreferredUILanguages,GetDeviceCaps,GetVolumePathNameW,CreateBrushIndirect,GetEnhMetaFileW,LPtoDP,PowerCreateRequest,GetConsoleOutputCP,SleepConditionVariableSRW,RaiseException,SetThreadPriorityBoost,OpenFile,SetFilePointerEx,FindNLSStringEx,QueryDosDeviceW,OpenMutexW,SetFileAttributesTransactedW,InterlockedPopEntrySList,PowerCreateRequest,GlobalReAlloc,GetProcAddress,LoadModule,CloseThreadpoolCleanupGroup,GetProcessHeaps,GetNLSVersionEx,GetCommState,FreeUserPhysicalPages,FreeResource,GetLocalTime,GetSystemInfo,CreateEventExW,MapViewOfFile,CreateRemoteThread,SetProcessShutdownParameters,SetDllDirectoryW,GetLongPathNameTransactedW,GetNumberOfConsoleMouseButtons,SetCalendarInfoW,DisassociateCurrentThreadFromCallback,GetCommProperties,BindIoCompletionCallback,CompareStringOrdinal,SetCommMask,Wow64GetThreadContext,IsProcessInJob,SystemTimeToTzSpecificLocalTime,IsValidLocale,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateMutexW,MessageBoxW,CloseHandle,OutputDebugStringA,GetProcessHeaps,SetFileApisToANSI,FindVolumeMountPointClose,InitOnceExecuteOnce,UnregisterApplicationRestart,FileTimeToDosDateTime,InitializeProcThreadAttributeList,ReOpenFile,LCMapStringW,SetProcessWorkingSetSizeEx,FindNLSString,GetMaximumProcessorCount,DdeReconnect,FindFirstVolumeW,InterlockedPushListSListEx,IsWindowUnicode,GetNumaAvailableMemoryNodeEx,TzSpecificLocalTimeToSystemTimeEx,ChangeDisplaySettingsW,UserHandleGrantAccess,GetTapeParameters,RemoveVectoredExceptionHandler,EnumTimeFormatsW,FindNextVolumeW,GetWriteWatch,SetProcessPreferredUILanguages,CharUpperW,GetStartupInfoW,DdeNameService,GetVersionExW,FatalExit,FatalExit,0_2_00007FF8A8C59CD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8C54090 AllocConsole,SetConsoleScreenBufferInfoEx,TryEnterCriticalSection,AreFileApisANSI,IsValidCodePage,SetDefaultCommConfigW,GetProcessHandleCount,ReleaseMutexWhenCallbackReturns,CloseThreadpoolTimer,DeleteCriticalSection,SetFileShortNameW,SystemTimeToFileTime,GetPrivateProfileSectionW,WriteConsoleW,GetStringTypeA,CreateEventExW,GetCurrentDirectoryW,GetFileAttributesW,GlobalAlloc,OutputDebugStringW,GlobalLock,LocalAlloc,FindNextVolumeW,GetCapture,GetEnvironmentStringsW,GetNumaAvailableMemoryNode,GetCurrentConsoleFontEx,SetComputerNameExW,UnregisterApplicationRestart,AnyPopup,IsZoomed,lstrcpyW,ReadConsoleInputW,GetMaximumProcessorCount,SetupComm,GetDiskFreeSpaceW,LocalLock,GetProcessHeap,IsDebuggerPresent,WaitForThreadpoolTimerCallbacks,GlobalHandle,SetUnhandledExceptionFilter,CreateThreadpool,HeapAlloc,MulDiv,SetCommConfig,FindNextFileW,SetFileValidData,ReleaseMutex,SetThreadLocale,CreateFileMappingFromApp,PrepareTape,GetLogicalProcessorInformation,WriteFileEx,VirtualAlloc,AllocConsole,CloseHandle,WritePrivateProfileSectionW,GetLocaleInfoW,GlobalSize,HeapFree,CreateTapePartition,GetDriveTypeW,GetErrorMode,GetCurrentThreadId,SetConsoleTextAttribute,CreateEventExW,GetProcessHandleCount,IsDBCSLeadByte,GetMaximumProcessorCount,0_2_00007FF8A8C54090
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8D90DA0 SetUnhandledExceptionFilter,0_2_00007FF8A8D90DA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CEC8B4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF8A8CEC8B4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CDC808 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF8A8CDC808
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8D05D60 cpuid 0_2_00007FF8A8D05D60
Source: C:\Windows\System32\loaddll64.exe Code function: GetStartupInfoW,CopyFile2,SetProcessPriorityBoost,IsValidLanguageGroup,SetProcessPriorityBoost,AssignProcessToJobObject,GetModuleFileNameW,GetComputerNameW,GetPrivateProfileSectionW,GetDefaultCommConfigW,SystemTimeToFileTime,GetNumaProcessorNode,GetLocaleInfoEx,GetCurrentProcessorNumber,FindFirstFileNameW,CopyFileTransactedW,QueryPerformanceCounter,FlushConsoleInputBuffer,MapUserPhysicalPagesScatter,LCMapStringW,QueryMemoryResourceNotification,VerifyScripts,FindStringOrdinal,SetFileTime,SetThreadGroupAffinity,EnumTimeFormatsW,OutputDebugStringA,0_2_00007FF8A8C5AC80
Source: C:\Windows\System32\loaddll64.exe Code function: AllocConsole,SetConsoleScreenBufferInfoEx,TryEnterCriticalSection,AreFileApisANSI,IsValidCodePage,SetDefaultCommConfigW,GetProcessHandleCount,ReleaseMutexWhenCallbackReturns,CloseThreadpoolTimer,DeleteCriticalSection,SetFileShortNameW,SystemTimeToFileTime,GetPrivateProfileSectionW,WriteConsoleW,GetStringTypeA,CreateEventExW,GetCurrentDirectoryW,GetFileAttributesW,GlobalAlloc,OutputDebugStringW,GlobalLock,LocalAlloc,FindNextVolumeW,GetCapture,GetEnvironmentStringsW,GetNumaAvailableMemoryNode,GetCurrentConsoleFontEx,SetComputerNameExW,UnregisterApplicationRestart,AnyPopup,IsZoomed,lstrcpyW,ReadConsoleInputW,GetMaximumProcessorCount,SetupComm,GetDiskFreeSpaceW,LocalLock,GetProcessHeap,IsDebuggerPresent,WaitForThreadpoolTimerCallbacks,GlobalHandle,SetUnhandledExceptionFilter,CreateThreadpool,HeapAlloc,MulDiv,SetCommConfig,FindNextFileW,SetFileValidData,ReleaseMutex,SetThreadLocale,CreateFileMappingFromApp,PrepareTape,GetLogicalProcessorInformation,WriteFileEx,VirtualAlloc,AllocConsole,CloseHandle,WritePrivateProfileSectionW,GetLocaleInfoW,GlobalSize,HeapFree,CreateTapePartition,GetDriveTypeW,GetErrorMode,GetCurrentThreadId,SetConsoleTextAttribute,CreateEventExW,GetProcessHandleCount,IsDBCSLeadByte,GetMaximumProcessorCount,0_2_00007FF8A8C54090
Source: C:\Windows\System32\loaddll64.exe Code function: EnumSystemLocalesW,0_2_00007FF8A8CF4C50
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FF8A8D001E4
Source: C:\Windows\System32\loaddll64.exe Code function: EnumSystemLocalesW,0_2_00007FF8A8D0014C
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoEx,0_2_00007FF8A8D903A8
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoW,0_2_00007FF8A8D0042C
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00007FF8A8D00584
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoW,0_2_00007FF8A8D904F8
Source: C:\Windows\System32\loaddll64.exe Code function: GetProcessShutdownParameters,WriteConsoleOutputW,SetWaitableTimerEx,GetThreadId,LocalReAlloc,GetFirmwareEnvironmentVariableW,WakeAllConditionVariable,RegisterApplicationRecoveryCallback,GetNumberOfConsoleInputEvents,ContinueDebugEvent,DuplicateHandle,HeapReAlloc,CancelWaitableTimer,CancelIo,GetNumaHighestNodeNumber,SetFilePointer,FindNextVolumeMountPointW,InterlockedPushEntrySList,CreateWaitableTimerW,GlobalSize,DeleteVolumeMountPointW,IsWow64Process,QueryDosDeviceW,ReadFileEx,RegisterApplicationRecoveryCallback,ToAsciiEx,lstrcmpiW,SetThreadpoolTimerEx,GetRawInputData,GetFullPathNameW,TabbedTextOutW,QueryThreadProfiling,CreateMailslotW,EnumResourceTypesW,AcquireSRWLockExclusive,CharPrevExA,GetWindowsDirectoryW,GetWindowPlacement,GetFullPathNameTransactedW,SetFirmwareEnvironmentVariableW,BackupWrite,SetTapeParameters,IsValidLocaleName,CopyFileExW,LoadCursorFromFileW,FindFirstVolumeW,CharToOemW,AddSecureMemoryCacheCallback,MulDiv,QueryThreadProfiling,GetKeyboardLayout,DrawEdge,LoadPackagedLibrary,GetDynamicTimeZoneInformation,DebugActiveProcess,GetSystemDirectoryW,HeapCompact,GlobalHandle,WaitNamedPipeW,SetCommState,CreateMailslotW,VirtualProtect,InterlockedFlushSList,GlobalGetAtomNameW,AllocConsole,GetNLSVersionEx,GetSystemTimes,PowerSetRequest,WriteConsoleW,SetTimeZoneInformation,QueryProtectedPolicy,GetCurrentProcessorNumber,CompareFileTime,GetCurrentThread,ConvertDefaultLocale,GetActiveProcessorGroupCount,SetConsoleCursorPosition,SetConsoleOutputCP,NeedCurrentDirectoryForExePathW,OfferVirtualMemory,SetFileIoOverlappedRange,PrefetchVirtualMemory,SystemTimeToFileTime,GetProfileIntW,GetConsoleCursorInfo,GlobalGetAtomNameW,SizeofResource,GetCurrentThread,OpenEventW,EnumSystemGeoID,SleepConditionVariableCS,OpenWaitableTimerW,EnumResourceNamesW,SetThreadpoolStackInformation,GetLogicalProcessorInformationEx,ReadFileEx,GetConsoleAliasesW,QueryThreadProfiling,GetFileSizeEx,VirtualUnlock,GetSystemDirectoryW,FindNextChangeNotification,HeapWalk,TerminateThread,HeapWalk,UnlockFile,QueryThreadpoolStackInformation,CreateDirectoryExW,FindFirstFileTransactedW,LockFile,GetFileTime,CloseThreadpoolTimer,CheckTokenMembershipEx,UnregisterApplicationRestart,GetSystemTime,FlushFileBuffers,FindVolumeClose,GetUserDefaultLCID,ConvertThreadToFiber,AddSecureMemoryCacheCallback,GetNumaHighestNodeNumber,CloseThreadpoolIo,GetProcessPreferredUILanguages,DnsHostnameToComputerNameW,RaiseException,GetFileAttributesExW,SetVolumeMountPointW,lstrlenW,GetUserDefaultLCID,SetCommMask,SizeofResource,GetSystemDEPPolicy,GetVolumeNameForVolumeMountPointW,FreeLibrary,DrawFocusRect,DnsHostnameToComputerNameW,GetSystemMenu,GetThreadPriorityBoost,RegisterWindowMessageW,LogicalToPhysicalPoint,FreeLibraryWhenCallbackReturns,DdeSetUserHandle,GetModuleFileNameW,RemoveVectoredContinueHandler,SetConsoleMode,IsThreadpoolTimerSet,SetProcessWorkingSetSize,GetScrollPos,SetWindowContextHelpId,FlushConsoleInputBuffer,SetWaitableTimerEx,IsValidCodePage,CommConfigDialogW,EscapeCommFunction,EnumSystemLocales0_2_00007FF8A8C56670
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoW,0_2_00007FF8A8D00634
Source: C:\Windows\System32\loaddll64.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FF8A8D00768
Source: C:\Windows\System32\loaddll64.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00007FF8A8CFFD20
Source: C:\Windows\System32\loaddll64.exe Code function: EnumSystemLocalesW,0_2_00007FF8A8D0007C
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoW,0_2_00007FF8A8CF51E8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8A8CF815C _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,0_2_00007FF8A8CF815C
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (listed by tactic in matrix order; a leading number is the count of matching signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Rundll32; 1 DLL Side-Loading
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 2 System Time Discovery; 2 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 2 File and Directory Discovery; 27 System Information Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 11 Input Capture; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 2 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1562676; Sample: libpkcs11-helper-1.dll.exe; Start date: 25/11/2024; Architecture: WINDOWS; Score: 56. Signatures shown on the graph: Multi AV Scanner detection for submitted file; Machine Learning detection for sample; AI detected suspicious sample. Process tree: loaddll64.exe started cmd.exe, two rundll32.exe instances and 2 other processes; cmd.exe started rundll32.exe.

Source | Detection | Scanner | Label | Link
libpkcs11-helper-1.dll.dll | 13% | ReversingLabs | |
libpkcs11-helper-1.dll.dll | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1562676
Start date and time:2024-11-25 21:33:06 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 39s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:libpkcs11-helper-1.dll.dll
(renamed file extension from exe to dll)
Original Sample Name:libpkcs11-helper-1.dll.exe
Detection:MAL
Classification:mal56.winDLL@12/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 33
  • Number of non-executed functions: 111
Cookbook Comments:
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Not all processes were analyzed, report is missing behavior information
  • VT rate limit hit for: libpkcs11-helper-1.dll.dll
No simulations
No context
No created / dropped files found
File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):6.735401999676938
TrID:
  • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
  • Win64 Executable (generic) (12005/4) 10.17%
  • Generic Win/DOS Executable (2004/3) 1.70%
  • DOS Executable Generic (2002/1) 1.70%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:libpkcs11-helper-1.dll.dll
File size:1'396'736 bytes
MD5:923f2b061c22b2de64f2b228f676fe95
SHA1:40830c37101ed4f779955c8d0e1718d51714eb83
SHA256:5d15ca989acd53de9e458bca2ac226ece6c3e1cf97b070c930a9f3f4b6144a21
SHA512:c74840d5d5da8e7b5befdd5dd4fdff5bbd96d0e4d244cd69672c665cf490b7936347b66ac505fd3d1e7f75104281cfcb0702022274fa40ee71d6f08e672e896d
SSDEEP:12288:ofcrcqxscK9J+jARFtUGRPIsTywaHC/Vm4sXCYl7Ks5mehO3y/7Q31jfMYgk/yJh:ErzGD+mfXCYVKjLxM
TLSH:0E55B531B522B162E0385077D74F65CAC7E7A83A0BF15ACB8ADF07D9475ADB70129232
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Cg.........." ...).x...$......P.....................................................`................................
Icon Hash:7ae282899bbab082
Entrypoint:0x18008c350
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x180000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x674381BE [Sun Nov 24 19:42:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:e387dc4bdb5cad8e22d8d6f93255e70f
Instruction (entrypoint disassembly; the listing is decoded as 32-bit code, so the x64 REX prefixes appear as dec/inc instructions and movsxd appears as arpl)
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F4074C3E477h
call 00007F4074C3EA54h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F4074C3E310h
int3
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F4074C3E482h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F4074C3E485h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F4074C3E47Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F4074C3E48Ah
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x155de0 | 0xf58 | .hdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x156d38 | 0x8c | .hdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x138000 | 0x7b00 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x15c000 | 0x1228 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x14f160 | 0x1c | .hdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x14f300 | 0x28 | .hdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x14f020 | 0x140 | .hdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x140000 | 0x12a0 | .hdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb776c | 0xb7800 | b57a10af318c8f657ba255011a4e5121 | False | 0.2834466003916894 | data | 6.282067419257649 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xb9000 | 0x7e13c | 0x79200 | 6a950a7c61dd7c9c4d473a0db89a73a0 | False | 0.4171363035345717 | DOS executable (block device driver) | 5.981572925789988 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x138000 | 0x7b00 | 0x7c00 | f5883b3d0ab4ca12b3c2898190c39ff0 | False | 0.4255922379032258 | PEX Binary Archive | 5.784283108873415 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hdata | 0x140000 | 0x1b17a | 0x1b200 | aa2c1b6ed0781a7f3de99bbc62a9a463 | False | 0.40666402649769584 | data | 5.101172330682713 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x15c000 | 0x1228 | 0x1400 | 60019b946543072edb9f437826abddc0 | False | 0.4306640625 | data | 5.154396489304555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | InitOnceExecuteOnce, GetNumaAvailableMemoryNodeEx, GetProcessShutdownParameters, CreateThreadpool, WriteProcessMemory, SetHandleInformation, NeedCurrentDirectoryForExePathW, SetEventWhenCallbackReturns, LoadModule, GetConsoleAliasesW, MapUserPhysicalPagesScatter, FindFirstVolumeW, GetSystemDefaultLCID, VirtualProtect, CopyFileTransactedW, CreateDirectoryTransactedW, HeapFree, GetPhysicallyInstalledSystemMemory, CreateEventExW, SetConsoleTextAttribute, GetCommProperties, FindFirstFileNameW, RtlCaptureContext, GetCommandLineW, CreateTapePartition, IsThreadpoolTimerSet, EnumCalendarInfoExEx, FindVolumeMountPointClose, QueryProtectedPolicy, GetFullPathNameW, FindNextFileW, FindNLSString, GetLongPathNameW, GetCurrentProcess, GetConsoleOutputCP, lstrlenW, CreateWaitableTimerW, SetFileShortNameW, EnumResourceTypesW, SetDynamicTimeZoneInformation, WriteFile, Wow64DisableWow64FsRedirection, TzSpecificLocalTimeToSystemTimeEx, GetThreadIdealProcessorEx, CheckTokenMembershipEx, RegisterWaitForSingleObject, RemoveDllDirectory, GetModuleHandleExW, SetTimeZoneInformation, CreatePrivateNamespaceW, UnregisterWait, GetShortPathNameW, GetDiskFreeSpaceW, SetConsoleMode, GetConsoleCursorInfo, OutputDebugStringA, VirtualAlloc, AssignProcessToJobObject, GetNumberOfConsoleMouseButtons, WaitForDebugEvent, GetProfileIntW, PrefetchVirtualMemory, WakeAllConditionVariable, HeapLock, DisassociateCurrentThreadFromCallback, SetFileTime, GetUserDefaultLangID, AddSecureMemoryCacheCallback, GetModuleFileNameW, OpenPrivateNamespaceW, WakeConditionVariable, CreateThreadpoolIo, ReOpenFile, PurgeComm, GetSystemTimes, SetMailslotInfo, InitializeProcThreadAttributeList, GetCommModemStatus, RequestWakeupLatency, SetProcessShutdownParameters, GetThreadSelectorEntry, AddScopedPolicyIDAce, GetLocaleInfoEx, GetUserDefaultLocaleName, Wow64SetThreadContext, CheckTokenCapability, GetProcessId, VirtualUnlock, CreateJobObjectW, DeleteTimerQueueEx, GetUserDefaultUILanguage, 
GetNamedPipeClientComputerNameW, CompareStringOrdinal, SetSystemFileCacheSize, LockFile, DnsHostnameToComputerNameW, GetThreadPreferredUILanguages, DeleteAtom, GetNamedPipeClientProcessId, GetDynamicTimeZoneInformation, LeaveCriticalSection, Wow64GetThreadContext, InitializeConditionVariable, SetFilePointer, GetNumaAvailableMemoryNode, GetNumaProcessorNode, OpenFileById, GetEnvironmentVariableW, WriteFileEx, GetSystemPowerStatus, FindFirstFileTransactedW, EnumResourceNamesW, UnlockFileEx, PeekNamedPipe, FatalExit, GetTempPathW, GetWriteWatch, CreateMutexW, OpenFile, TrySubmitThreadpoolCallback, GetPrivateProfileSectionW, WaitForThreadpoolTimerCallbacks, ResetWriteWatch, FindClose, GetLocaleInfoW, GetVolumePathNameW, GetCommMask, LocalAlloc, CreateFileW, GetFileAttributesW, FreeLibraryAndExitThread, GetCurrentThreadId, UnregisterBadMemoryNotification, SetComputerNameExW, OpenEventW, GetVersionExW, EnumSystemCodePagesW, ReleaseMutex, OpenFileMappingW, CancelThreadpoolIo, SetThreadpoolThreadMinimum, SetupComm, GetSystemDirectoryW, FreeEnvironmentStringsW, HeapWalk, CallbackMayRunLong, QueryMemoryResourceNotification, ContinueDebugEvent, GlobalGetAtomNameW, DuplicateHandle, IsProcessInJob, GetSystemDefaultLangID, GetACP, PrepareTape, RtlCaptureStackBackTrace, FreeResource, LCIDToLocaleName, GetVersion, ApplicationRecoveryInProgress, CancelWaitableTimer, GetVolumeNameForVolumeMountPointW, ClosePrivateNamespace, SetFileAttributesW, IsValidCodePage, GetLogicalDriveStringsW, CloseThreadpoolCleanupGroup, CreateEventW, SetFileAttributesTransactedW, ConvertThreadToFiberEx, GetFileInformationByHandle, SetTapeParameters, LoadPackagedLibrary, QueryThreadProfiling, GetTempPathA, FormatMessageW, ReadThreadProfilingData, SetConsoleScreenBufferInfoEx, PowerCreateRequest, BuildCommDCBW, VerifyScripts, OpenWaitableTimerW, SetCalendarInfoW, GetMaximumProcessorCount, FlsSetValue, OpenMutexA, WaitForThreadpoolWaitCallbacks, EnumSystemLocalesEx, SetUserGeoID, EscapeCommFunction, 
SetThreadpoolThreadMaximum, GetLogicalProcessorInformationEx, GetFileAttributesExW, ReleaseSRWLockExclusive, GetConsoleProcessList, OutputDebugStringW, GetMaximumProcessorGroupCount, ConvertDefaultLocale, FindNextVolumeMountPointW, WaitCommEvent, ReadConsoleInputW, SetThreadpoolTimerEx, FlushViewOfFile, GlobalSize, GetThreadUILanguage, GetUserDefaultLCID, GetLogicalProcessorInformation, FileTimeToSystemTime, CloseThreadpoolTimer, GetSystemFileCacheSize, OfferVirtualMemory, GetCurrentThread, InterlockedFlushSList, AcquireSRWLockExclusive, TerminateThread, GetActiveProcessorGroupCount, FindCloseChangeNotification, lstrcatW, GetTapeParameters, SetWaitableTimerEx, CreateThreadpoolWait, GetFullPathNameTransactedW, QueryPerformanceFrequency, EnumResourceNamesExW, GetCommState, GlobalAlloc, InterlockedPushListSListEx, TransmitCommChar, GetSystemDEPPolicy, GlobalFree, HeapReAlloc, CloseHandle, SetProcessPreferredUILanguages, ReleaseMutexWhenCallbackReturns, CompareStringEx, EnumResourceLanguagesW, GetFileSizeEx, RaiseException, FreeConsole, GetSystemInfo, GetProcessHeaps, BindIoCompletionCallback, SetProcessWorkingSetSizeEx, ReadFileEx, LoadLibraryW, IsDBCSLeadByte, ScrollConsoleScreenBufferW, LoadResource, DeleteProcThreadAttributeList, FindResourceW, HeapAlloc, Wow64SuspendThread, GetCurrencyFormatW, FatalAppExitW, GetLocalTime, GetDefaultCommConfigW, GetNLSVersionEx, GetCurrentDirectoryW, GetProcessPreferredUILanguages, SetStdHandle, UpdateResourceW, GetCurrentConsoleFontEx, CloseThreadpoolIo, SetCommMask, HeapCompact, FindNextChangeNotification, SetVolumeMountPointW, GetNamedPipeServerProcessId, SetFirmwareEnvironmentVariableW, GetNamedPipeClientSessionId, QueryIdleProcessorCycleTimeEx, GetCurrentProcessorNumber, UnlockFile, CreateFileMappingFromApp, DeleteFileTransactedW, FlushConsoleInputBuffer, SetLocaleInfoW, SetThreadGroupAffinity, GetWindowsDirectoryW, WriteConsoleW, GetErrorMode, SetThreadPriorityBoost, GetPriorityClass, GetProcAddress, GlobalLock, 
UnregisterApplicationRestart, SetFilePointerEx, CreateMutexExW, DebugActiveProcess, FindFirstFileNameTransactedW, HeapQueryInformation, GetTimeFormatW, MoveFileExW, GetThreadId, GetOverlappedResultEx, GetFileSize, SetDefaultCommConfigW, CreateMemoryResourceNotification, DeleteCriticalSection, ExitProcess, LCMapStringW, GetComputerNameW, FindVolumeClose, SetConsoleCP, FindFirstStreamW, CopyFile2, GetProcessHeap, SystemTimeToFileTime, GetNumberOfConsoleInputEvents, IsValidLocale, FreeLibrary, CreateSemaphoreW, IsValidLanguageGroup, TransactNamedPipe, CopyFileW, SetThreadpoolStackInformation, GetVolumePathNamesForVolumeNameW, lstrcpyW, GetLongPathNameTransactedW, WinExec, CreateRemoteThread, SleepConditionVariableSRW, RemoveVectoredContinueHandler, VerifyVersionInfoW, WritePrivateProfileSectionW, BeginUpdateResourceW, SystemTimeToTzSpecificLocalTime, FreeUserPhysicalPages, QueryFullProcessImageNameW, ReadConsoleOutputCharacterW, CommConfigDialogW, LocalReAlloc, GetTempFileNameW, SetConsoleOutputCP, ConvertFiberToThread, AddAtomW, EnumSystemGeoID, LocalFlags, GetDiskFreeSpaceExA, SetFileApisToANSI, GetSystemTime, GetThreadGroupAffinity, GetFirmwareType, DeleteVolumeMountPointW, SetThreadErrorMode, VirtualFreeEx, CopyFileExW, SetProcessWorkingSetSize, GetTempFileNameA, BackupRead, InterlockedPushEntrySList, SetConsoleCursorPosition, DosDateTimeToFileTime, MapViewOfFile, GetNumaNodeProcessorMaskEx, FindNextVolumeW, SetFileValidData, IsValidLocaleName, lstrcmpiW, BackupSeek, QueryPerformanceCounter, GetProcessGroupAffinity, CreateMailslotW, GetStringTypeW, GetDateFormatW, FreeLibraryWhenCallbackReturns, OpenMutexW, SetCommTimeouts, GetEnvironmentStringsW, WaitNamedPipeW, GlobalUnlock, FlsFree, SetCommState, SetDllDirectoryW, SetCommConfig, GetCalendarInfoEx, AllocConsole, ConvertThreadToFiber, WriteConsoleOutputW, GetStringTypeA, GetProcessHandleCount, MulDiv, InitializeSynchronizationBarrier, MapViewOfFileEx, GetFirmwareEnvironmentVariableW, VirtualQuery, 
RegisterApplicationRestart, IsWow64Process, CheckNameLegalDOS8Dot3W, GetProcessTimes, GetDriveTypeW, GetFileTime, InterlockedPopEntrySList, GlobalReAlloc, AddIntegrityLabelToBoundaryDescriptor, GetConsoleSelectionInfo, IsDebuggerPresent, ConnectNamedPipe, QueryDepthSList, SetFileCompletionNotificationModes, WriteConsoleOutputCharacterW, CreateDirectoryExW, SetUnhandledExceptionFilter, IsBadStringPtrW, FlushFileBuffers, GetCurrentConsoleFont, FileTimeToDosDateTime, RegisterApplicationRecoveryCallback, CreateThreadpoolWork, SetEndOfFile, HeapSize, SetEnvironmentVariableW, GetCommandLineA, GetOEMCP, FindFirstFileExW, ReadConsoleW, GetTimeZoneInformation, EnumSystemLocalesW, CompareStringW, FlsGetValue, FlsAlloc, GetConsoleMode, GetFileType, GetStdHandle, ExitThread, CreateThread, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, SetLastError, GetLastError, RtlPcToFileHeader, RtlUnwindEx, TerminateProcess, InitializeSListHead, GetCurrentProcessId, IsProcessorFeaturePresent, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, GetCPInfo, LCMapStringEx, DecodePointer, EncodePointer, EnterCriticalSection, GetModuleHandleW, GetSystemTimeAsFileTime, InitializeCriticalSectionEx, GetExitCodeThread, WaitForSingleObjectEx, Sleep, TryAcquireSRWLockExclusive, WideCharToMultiByte, GlobalHandle, CompareFileTime, SetThreadLocale, NotifyUILanguageChange, StartThreadpoolIo, EnumResourceTypesExW, SetNamedPipeHandleState, CloseThreadpoolWork, QueryInformationJobObject, QueryThreadpoolStackInformation, LocalLock, WriteProfileStringW, CancelIo, GetThreadPriorityBoost, GetLogicalDrives, EnumTimeFormatsW, RemoveVectoredExceptionHandler, SetConsoleCtrlHandler, SetConsoleHistoryInfo, SetFileIoOverlappedRange, TryEnterCriticalSection, QueryDosDeviceW, BackupWrite, PowerSetRequest, FindStringOrdinal, SizeofResource, EnumLanguageGroupLocalesW, ReadFile, GetCPInfoExW, GetStartupInfoW, SleepConditionVariableCS, 
SetProcessPriorityBoost, GetNumaHighestNodeNumber, FindNLSStringEx, AreFileApisANSI, MultiByteToWideChar, RtlUnwind
USER32.dll | ValidateRect, GetMessageW, CharPrevExA, TabbedTextOutW, DefWindowProcW, GetSystemMenu, CharUpperW, LogicalToPhysicalPoint, MapVirtualKeyW, FindWindowExW, GetLastInputInfo, MessageBoxW, SetWindowLongPtrW, DefRawInputProc, CreateWindowExW, ShowOwnedPopups, ToAsciiEx, SendMessageW, DdeReconnect, UnregisterSuspendResumeNotification, SetWindowTextW, GetWindowLongPtrW, GetScrollPos, GetWindowPlacement, ShowWindow, AnyPopup, ChangeDisplaySettingsW, GetCapture, DispatchMessageW, DdeSetUserHandle, EndPaint, GetRawInputData, RegisterClassW, GetKeyboardLayout, SetProcessRestrictionExemption, IsProcessDPIAware, DrawFocusRect, MessageBoxIndirectW, EnumWindows, TranslateMessage, SetWindowContextHelpId, CharToOemW, mouse_event, EndDeferWindowPos, GetDlgItemInt, GetClientRect, IsZoomed, IsClipboardFormatAvailable, DrawTextW, DdeNameService, PostQuitMessage, DrawEdge, UserHandleGrantAccess, IsWindowUnicode, SetSystemCursor, RegisterWindowMessageW, DialogBoxParamW, LoadCursorFromFileW, LoadImageW, InvalidateRect, GetGUIThreadInfo, BeginPaint
GDI32.dll | BitBlt, SelectObject, CreateCompatibleDC, SetPixel, GetColorAdjustment, CreateBrushIndirect, GetEnhMetaFileW, GetStockObject, OffsetClipRgn, GetDeviceCaps, DeleteDC, TextOutW, LineTo, CreatePen, GetObjectW, Polygon, MoveToEx, Ellipse, LPtoDP, DeleteObject, CreateSolidBrush, GetBrushOrgEx, PtVisible, CreateMetaFileW
ADVAPI32.dll | RegCloseKey, CryptAcquireContextW, RegQueryValueExA, CryptGenRandom, RegCreateKeyExW, RegSetValueExW, RegOpenKeyExA, RegOpenKeyExW, CryptReleaseContext
SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW
ole32.dll | CoTaskMemFree
Name | Ordinal | Address
DTLS_get_data_mtu | 1 | 0x18000aa30
DTLSv1_client_method | 2 | 0x18000ac20
DTLSv1_listen | 3 | 0x18000abc0
DTLSv1_method | 4 | 0x18000ab60
eglBindAPI | 5 | 0x18000bf70
eglBindTexImage | 6 | 0x18000bf70
eglChooseConfig | 7 | 0x18000bf70
eglClientWaitSync | 8 | 0x18000bf70
eglClientWaitSyncKHR | 9 | 0x18000bf70
eglCopyBuffers | 10 | 0x18000bf70
eglCreateContext | 11 | 0x18000bf70
eglCreateDeviceANGLE | 12 | 0x18000bf70
eglCreateImage | 13 | 0x18000bf70
eglCreateImageKHR | 14 | 0x18000bf70
eglCreatePbufferFromClientBuffer | 15 | 0x18000bf70
eglCreatePbufferSurface | 16 | 0x18000bf70
eglCreatePixmapSurface | 17 | 0x18000bf70
eglCreatePlatformPixmapSurface | 18 | 0x18000bf70
eglCreatePlatformPixmapSurfaceEXT | 19 | 0x18000bf70
eglCreatePlatformWindowSurface | 20 | 0x18000bf70
eglCreatePlatformWindowSurfaceEXT | 21 | 0x18000bf70
eglCreateStreamKHR | 22 | 0x18000bf70
eglCreateStreamProducerD3DTextureANGLE | 23 | 0x18000bf70
eglCreateSync | 24 | 0x18000bf70
eglCreateSyncKHR | 25 | 0x18000bf70
eglCreateWindowSurface | 26 | 0x18000bf70
eglDebugMessageControlKHR | 27 | 0x18000bf70
eglDestroyContext | 28 | 0x18000bf70
eglDestroyImage | 29 | 0x18000bf70
eglDestroyImageKHR | 30 | 0x18000bf70
eglDestroyStreamKHR | 31 | 0x18000bf70
eglDestroySurface | 32 | 0x18000bf70
eglDestroySync | 33 | 0x18000bf70
eglDestroySyncKHR | 34 | 0x18000bf70
eglDupNativeFenceFDANDROID | 35 | 0x18000bf70
eglGetConfigAttrib | 36 | 0x18000bf70
eglGetConfigs | 37 | 0x18000bf70
eglGetCurrentContext | 38 | 0x18000bf70
eglGetCurrentDisplay | 39 | 0x18000bf70
eglGetCurrentSurface | 40 | 0x18000bf70
eglGetDisplay | 41 | 0x18000bf70
eglGetError | 42 | 0x18000bf70
eglGetMscRateANGLE | 43 | 0x18000bf70
eglGetNativeClientBufferANDROID | 44 | 0x18000bf70
eglGetPlatformDisplay | 45 | 0x18000bf70
eglGetPlatformDisplayEXT | 46 | 0x18000bf70
eglGetProcAddress | 47 | 0x18000bf70
eglGetSyncAttrib | 48 | 0x18000bf70
eglGetSyncAttribKHR | 49 | 0x18000bf70
eglGetSyncValuesCHROMIUM | 50 | 0x18000bf70
eglInitialize | 51 | 0x18000bf70
eglLabelObjectKHR | 52 | 0x18000bf70
eglMakeCurrent | 53 | 0x18000bf70
eglPostSubBufferNV | 54 | 0x18000bf70
eglPresentationTimeANDROID | 55 | 0x18000bf70
eglProgramCacheGetAttribANGLE | 56 | 0x18000bf70
eglProgramCachePopulateANGLE | 57 | 0x18000bf70
eglProgramCacheQueryANGLE | 58 | 0x18000bf70
eglProgramCacheResizeANGLE | 59 | 0x18000bf70
eglQueryAPI | 60 | 0x18000bf70
eglQueryContext | 61 | 0x18000bf70
eglQueryDebugKHR | 62 | 0x18000bf70
eglQueryDeviceAttribEXT | 63 | 0x18000bf70
eglQueryDeviceStringEXT | 64 | 0x18000bf70
eglQueryDisplayAttribANGLE | 65 | 0x18000bf70
eglQueryDisplayAttribEXT | 66 | 0x18000bf70
eglQueryStreamKHR | 67 | 0x18000bf70
eglQueryStreamu64KHR | 68 | 0x18000bf70
eglQueryString | 69 | 0x18000bf70
eglQueryStringiANGLE | 70 | 0x18000bf70
eglQuerySurface | 71 | 0x18000bf70
eglQuerySurfacePointerANGLE | 72 | 0x18000bf70
eglReleaseDeviceANGLE | 73 | 0x18000bf70
eglReleaseTexImage | 74 | 0x18000bf70
eglReleaseThread | 75 | 0x18000bf70
eglSetBlobCacheFuncsANDROID | 76 | 0x18000bf70
eglSignalSyncKHR | 77 | 0x18000bf70
eglStreamAttribKHR | 78 | 0x18000bf70
eglStreamConsumerAcquireKHR | 79 | 0x18000bf70
eglStreamConsumerGLTextureExternalAttribsNV | 80 | 0x18000bf70
eglStreamConsumerGLTextureExternalKHR | 81 | 0x18000bf70
eglStreamConsumerReleaseKHR | 82 | 0x18000bf70
eglStreamPostD3DTextureANGLE | 83 | 0x18000bf70
eglSurfaceAttrib | 84 | 0x18000bf70
eglSwapBuffers | 85 | 0x18000bf70
eglSwapBuffersWithDamageKHR | 86 | 0x18000bf70
eglSwapInterval | 87 | 0x18000bf70
eglTerminate | 88 | 0x18000bf70
eglWaitClient | 89 | 0x18000bf70
eglWaitGL | 90 | 0x18000bf70
eglWaitNative | 91 | 0x18000bf70
eglWaitSync | 92 | 0x18000bf70
eglWaitSyncKHR | 93 | 0x18000bf70
pkcs11h_certificate_create | 94 | 0x18000bf70
pkcs11h_certificate_deserializeCertificateId | 95 | 0x18000bf70
pkcs11h_certificate_enumCertificateIds | 96 | 0x18000bf70
pkcs11h_certificate_freeCertificate | 97 | 0x18000bf70
pkcs11h_certificate_freeCertificateId | 98 | 0x18000bf70
pkcs11h_certificate_freeCertificateIdList | 99 | 0x18000bf70
pkcs11h_certificate_getCertificateBlob | 100 | 0x18000bf70
pkcs11h_certificate_serializeCertificateId | 101 | 0x18000bf70
pkcs11h_certificate_signAny_ex | 102 | 0x18000bf70
pkcs11h_engine_setSystem | 103 | 0x18000bf70
pkcs11h_getMessage | 104 | 0x18000bf70
pkcs11h_initialize | 105 | 0x18000bf70
pkcs11h_initializeProvider | 106 | 0x18000bf70
pkcs11h_logout | 107 | 0x18000bf70
pkcs11h_openssl_getX509 | 108 | 0x18000bf70
pkcs11h_registerProvider | 109 | 0x18000bf70
pkcs11h_removeProvider | 110 | 0x18000bf70
pkcs11h_setForkMode | 111 | 0x18000bf70
pkcs11h_setLogHook | 112 | 0x18000bf70
pkcs11h_setLogLevel | 113 | 0x18000bf70
pkcs11h_setPINCachePeriod | 114 | 0x18000bf70
pkcs11h_setPINPromptHook | 115 | 0x18000bf70
pkcs11h_setProtectedAuthentication | 116 | 0x18000bf70
pkcs11h_setProviderProperty | 117 | 0x18000bf70
pkcs11h_setTokenPromptHook | 118 | 0x18000bf70
pkcs11h_terminate | 119 | 0x18000bf70
Note: every export from ordinal 5 onward (the egl* and pkcs11h_* names) resolves to the same address, 0x18000bf70, so those names share one stub rather than carrying the implementations their names suggest; only the four DTLS* exports point at distinct code.
No network behavior found
Target ID:0
Start time:15:33:57
Start date:25/11/2024
Path:C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):false
Commandline:loaddll64.exe "C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll"
Imagebase:0x7ff745cb0000
File size:165'888 bytes
MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:15:33:57
Start date:25/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:15:33:57
Start date:25/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll",#1
Imagebase:0x7ff7ff0a0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:15:33:57
Start date:25/11/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll,DTLS_get_data_mtu
Imagebase:0x7ff6e4740000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:15:33:57
Start date:25/11/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll",#1
Imagebase:0x7ff6e4740000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:6
Start time:15:34:00
Start date:25/11/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll,DTLSv1_client_method
Imagebase:0x7ff6e4740000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:7
Start time:15:34:03
Start date:25/11/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\libpkcs11-helper-1.dll.dll,DTLSv1_listen
Imagebase:0x7ff6e4740000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

    Execution Graph

    Execution Coverage:19.6%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:88
    Total number of Limit Nodes:12

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph: function starting at 7ff8a8c59cd0 (control-flow graph rendered as an image in the original report; the node and edge listing is not reproduced here). Notable APIs on the graph: RegCreateKeyExW, RegSetValueExW, RegCloseKey, CreateMutexW, CreateRemoteThread, MapViewOfFile, OutputDebugStringA, MessageBoxW, FatalExit; the full API list is given under API ID below.
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: Time$CreateFile$FindProcessThread$CloseNameString$CommExceptionListLocalTransactedVolume$InfoMutexOpenParametersPathSystemWrite$AvailableBrushCallbackChangeConditionConsoleCountDebugDeviceDirectoryEventExitFatalFreeGlobalGroupHandleHeapsInterlockedLanguagesLoadOnceOutputPowerPreferredProcProcessorRaiseRequestSleepSpecificTapeUserVariableVersion$AccessActiveAddressAllocApisApplicationAttributeAttributesBackupBindBoostButtonsCalendarCapsCharCleanupClientClipboardCompareCompletionComputerContextCurrentDateDisassociateDisplayDynamicEntryEnumExecuteFilterFirstFlagsFormatFormatsFromFullGrantHandlerIndirectInformationInitInitializeItemLibraryLocaleLongMaskMaximumMemoryMessageMetaModemModuleMountMouseNamedNextNodeNotificationNumaNumberOrdinalPackagedPagesPhysicalPipePointPointerPriorityPrivateProfilePropertiesPushQueryReconnectReleaseRemoteRemoveResourceRestartSectionServiceSettingsShutdownSizeStartupStateStatusThreadpoolUnhandledUnicodeUnlockUnregisterUpperValidValueVectoredViewWaitWatchWindowWorkingWow64Zone
    • String ID: 3re3o5aA4HTYIeL4B6$90$CXERZaji8iTErRk66Tl31$DnFJ8XHHv6v3LAN6N92mV3$JeEu6HO65A25HpJsSqv$Software\aJHdXBlMuxgZHPTeQNWXhlfVCjtHF$VUUU$VUUU$VUUU$VUUU$VUUU$VUUU$VUUU$VUUU$VUUU$Vjx753Au3vKZFYp36TuP4ftwyeX6$Vst7mgaB7x5p8CBDf1$YDdxeBPelaniEHxnpISBVxEEFn$ZNQgipRfuHAwydEiKvDC$ZQzBH1fejINWQDl3hNaW$bq28v4Pk1PsFZdYm7CfR8Du7K$gJdnA5SKl1MCYJkebfN193YbU$i62xKH1dE4XdRxCLh$lgQ6gAxJE83p7WbG541L4O$ltpyAndBGtgTnNYsWLvigOtbhtE$nKByysQPvonAAFdADgWvEDdaSIwHX$p1N24XHoAeo58Xzgu$wjQRPNXhMJQkvRPXcwpG
    • API String ID: 543866257-1801069392
    • Opcode ID: 7a08c5da373c1c7d7c23dd0845f581f6b769f4a97f9ed1175626bbf20827b7b9
    • Instruction ID: 7c51f0dd026b8bdc7e469bc219d58d2dfc1d1095de4307d6a71277eb5fe44c77
    • Opcode Fuzzy Hash: 7a08c5da373c1c7d7c23dd0845f581f6b769f4a97f9ed1175626bbf20827b7b9
    • Instruction Fuzzy Hash: 2D920332E1AA5196EB68CF75E814B6E33A1FF98784F409139DA0A47E54CF3CD548CB18

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph: function starting at 7ff8a8c533f0 (control-flow graph rendered as an image in the original report; the node and edge listing is not reproduced here). Notable APIs on the graph: QueryFullProcessImageNameW, GetCommandLineW, GetWindowsDirectoryW, CopyFileW, MoveFileExW, SetFileAttributesW, GetTempFileNameW, CreateEventW, CreateJobObjectW, VirtualFreeEx, MapViewOfFile, TerminateThread; the full API list is given under API ID below.
    APIs
    Strings
    • 7+NtR/ISF9z+Hx77mLX8UcEjad55ZXY8LqQ4yPAxRJToRmDIIzGbUytQj0qBZA4eF2p9/3blutOZ59txJeRfMZA9DSPA4WDwZaNpqLuT0PEEpTygJ50ssm4KeGalbUMtIg9Nsjyg3DEm9nsDdIh0WPzO0vUzVZJt3MbULKC/ASDtHIO+s54aXib5aU+aXFl3rxG2BeN1cJkSWXLeySdQkS0QQHXZt0k0UfnAmztyJVB9f9l8DRh2oOSUvkClPeJtfEAE, xrefs: 00007FF8A8C53A6E
    • GlMGnHUXGrikFQwGsw, xrefs: 00007FF8A8C53966
    • B69pRqd7PuJt61du2P1i, xrefs: 00007FF8A8C53CA7
    • TNU2c6xtdj7442G5, xrefs: 00007FF8A8C53C60
    • dUFRUaq3xRDI35YYmpeCZW9ydzSg, xrefs: 00007FF8A8C53CB6
    • xVQ2m838HA8YKr1fmnZ, xrefs: 00007FF8A8C53970
    • l7eDhLPkyPlOcU1Jvq8z3HxlhRVD5, xrefs: 00007FF8A8C53C6A
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: File$Create$Info$ConsoleName$ThreadThreadpoolTimer$EnumProcess$CommNamedPipeQueryResourceUnregisterWaitWaitable$AttributesCancelCopyInformationLogicalOpenRead$CallbackConcurrency::cancel_current_taskCursorDirectoryDriveEventFindFirmwareGroupInputLocaleLongMemoryObjectProcessorStringsSystemTypesVariableVirtualVolumeWindowWindowsWork$AdjustmentAffinityAllocApplicationAwareBackupBoostBoundaryBufferBuildCalendarCallbacksCharCharacterCheckClientCloseColorCommandComputerConditionConfigCountCurrentDefaultDeferDeleteDescriptorDialogDot3DrivesDynamicEntryEnvironmentEventsExceptionExemptionExitFatalFreeFrequencyFullGlobalHandleHandlerHeapHistoryIdealImageIndirectInstalledIntegrityLabelLanguagesLegalLineMaximumMessageMetaModuleMountMoveNamespaceNotificationNumberOutputPathPeekPerformancePhysicallyPointPolicyPolygonPrefetchPriorityPrivateProcQueueRectRemoveRestartRestrictionResumeReturnsScopedScreenScriptsScrollSelectionSelectorServerStartupStateStringSuspendTempTerminateTimeTransactTransactedTransmitTypeUpdateUserValidateVectoredVerifyViewVisibleWakeWhenZonelstrcatmouse_event
    • String ID: 7+NtR/ISF9z+Hx77mLX8UcEjad55ZXY8LqQ4yPAxRJToRmDIIzGbUytQj0qBZA4eF2p9/3blutOZ59txJeRfMZA9DSPA4WDwZaNpqLuT0PEEpTygJ50ssm4KeGalbUMtIg9Nsjyg3DEm9nsDdIh0WPzO0vUzVZJt3MbULKC/ASDtHIO+s54aXib5aU+aXFl3rxG2BeN1cJkSWXLeySdQkS0QQHXZt0k0UfnAmztyJVB9f9l8DRh2oOSUvkClPeJtfEAE$B69pRqd7PuJt61du2P1i$GlMGnHUXGrikFQwGsw$TNU2c6xtdj7442G5$dUFRUaq3xRDI35YYmpeCZW9ydzSg$l7eDhLPkyPlOcU1Jvq8z3HxlhRVD5$xVQ2m838HA8YKr1fmnZ
    • API String ID: 858035477-3186825483
    • Opcode ID: 68342b25a8afa93e473770bb2aa6fdf9f277a872e3cf5525fdf41b4cd48d18be
    • Instruction ID: 55baa0e42363111539e7d6c094fb8d2cfb805c5b034064b4f97fb714c18c732f
    • Opcode Fuzzy Hash: 68342b25a8afa93e473770bb2aa6fdf9f277a872e3cf5525fdf41b4cd48d18be
    • Instruction Fuzzy Hash: B9828F32A19B919AF714CFB4E45129E33B5FB98788F00813AEA8947E58DF3CD509CB54

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph: function starting at 7ff8a8c578c0 (control-flow graph rendered as an image in the original report; the node and edge listing is not reproduced here). Notable APIs on the graph: CryptAcquireContextW, CryptGenRandom, CryptReleaseContext, GetTempPathW, GetTempFileNameW, CreateSemaphoreW, GetProcessId, WriteProcessMemory, WinExec, LoadResource, HeapReAlloc, HeapFree; the full API list is given under API ID below.
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: File$CommConsoleStringThreadTime$NamePathProcess$CompareCryptHeapMemoryNamedPipeSystemTimerVolumeWaitWrite$CloseConcurrency::cancel_current_taskContextConvertCreateCurrentDefaultDeleteEventFiberFindFreeInfoLoadNotificationNumberOnceOutputQueueResourceTempThreadpoolTypeUnregisterVerify$AcquireAllocApplicationBackButtonsCacheCaptureCharacterClientConditionConfigConnectCriticalDebugDirectoryDynamicEntryErrorEscapeEventsExecExecuteFirstFunctionGroupHandleInformationInitInputLangLanguageLeaveLocalLockMappingModeModemMouseNamesNeedOpenOrdinalOverlappedParametersPolicyQueryRandomRegisterReleaseRestartResultScopedScriptsSectionSelectorSemaphoreServerSessionShortSizeStackStartupStateStatusTapeTraceUserValidVariableVersionVirtualWakeZonelstrlen
    • String ID: 3KQ5Y831J1naUTKTMVZe8D9II$3o1nWce16yNPnwrND7X7af2u$7jDC433sAxX62XWGP326bkR1F8mv$84HiMbeEzDLu255867N94q45Tp$84KHyVHvKPK52qUtF4$8NxviUB22I3V2l76qG7nmudwpEyU$CkyfLdWneOPdzGhIxzb$HEX$HGNjbGd5Q9q1873SFVZ2632jtj3$L2RHu4JiwkbJ7rffD8vZev$WB74wNky3w9MqIEST88Lz$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$k4kfRMOadwmFr1xIq16Eq83Gb2iDo$kjFbxle2rAmx6OCg5p7KCcH8$nTVYlIVr2oRitKfET32ny7v3rjp$txt
    • API String ID: 2553382334-2758290097
    • Opcode ID: 492dd72faaad20e4189b06892ac2f37adad20faffff2fb28e566f278dc064f78
    • Instruction ID: af93494f111c5c2401e5c514bf16420c40db1148674abdaf7dbb378849596282
    • Opcode Fuzzy Hash: 492dd72faaad20e4189b06892ac2f37adad20faffff2fb28e566f278dc064f78
    • Instruction Fuzzy Hash: 49C26933A09B819AE750DFB4E8402EE37B1FB94758F008539DA8D5BA69DF38D148CB54

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph: function starting at 7ff8a8c555a0 (control-flow graph rendered as an image in the original report; the node and edge listing is not reproduced here). Notable APIs on the graph: GetCurrentProcess, GetProcessTimes, OutputDebugStringW, OpenMutexW, GetTempPathW, GetFileAttributesW, RegOpenKeyExW, FormatMessageW, WinExec, RegisterWaitForSingleObject, CreateFileW, TerminateThread, RtlCaptureStackBackTrace; the full API list is given under API ID below.
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: File$CreateOutputStringThreadThreadpool$ConsoleDebugResource$Time$CloseConcurrency::cancel_current_taskCurrentEnvironmentFindHandleOpenProcess$DateEnumFormatInfoListMutexRegisterSystemUnlockVariableWork$AliasesApplicationAttributeAttributesBackBackupBeginByteCacheCalendarCallbackCancelCaptureCharacterClipCursorDataDefaultDeleteExceptionExecFirmwareFontFormatsFreeHeaderInformationLangLanguagesLeadLoadLocalMaximumMemoryMessageNamesNotificationObjectOffsetPathPowerPreferredProcProfilingQueryRaiseReadRecoverySeekSingleSizeStackStatusStringsTempTerminateTimesTraceUpdateUserVirtualWaitWrite__std_exception_copylstrcmpi
    • String ID: %s\FoToIxlpxZgvjkBkrtuURKlTDNDgF$5GZab3L9Nr8eo7gYNOTRoRst$C6dJkommwFrUPgX441ln4Cz$Kuzrs8im19t335xmyNGZFNot58$Mutex does not exist.$Mutex exists.$MyUniqueMutex$Oq28ZHC8F7Gu15gw$Process started at: $QWpKPLqCamQtAxGcqwVqJksRDBwI$Software\FxkIvcaluufkvuMeyzcOPp$UF93nk7FgvT6MiryfpQHS5e8ACKs$XhRE9GsDku8BYak85jkUlcf7M$bFURlLyvBdEyBZwiMKDtpi$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$mEqASpgOskMpurtSucuOxvjgTZggd
    • API String ID: 1401062970-266131634
    • Opcode ID: e264e32380c695827505607a9f50c94212778ccd7484a9884592ec7b1a0250e9
    • Instruction ID: 0dbbec84e5632976fdedd8766f8090922a6faf97364686a56777721e55465de5
    • Opcode Fuzzy Hash: e264e32380c695827505607a9f50c94212778ccd7484a9884592ec7b1a0250e9
    • Instruction Fuzzy Hash: AAB2B032A0AB81A9EB54DFB4E8402ED77B1FB94388F40503ADA4D57E69DF38D508CB54

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph: function starting at 7ff8a8c54090 (control-flow graph rendered as an image in the original report; the node and edge listing is not reproduced here). Notable APIs on the graph: AllocConsole, IsDebuggerPresent, HeapAlloc, LocalAlloc, WriteConsoleW, ReadConsoleInputW, CreateEventExW, WriteFileEx, FindNextFileW, CreateFileMappingFromApp, GetDriveTypeW, GetDiskFreeSpaceW.
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: Console$Section$CountCreateFileHandle$AllocCloseCriticalEventInfoPrivateProcessProfileTimeTypeWrite$ApisAttributeBufferByteCallbackCodeCommConfigCurrentDefaultDeleteDriveEnterErrorFreeGlobalHeapLeadLocaleMaximumModeMutexNamePagePartitionProcessorReleaseReturnsScreenShortSizeStringSystemTapeTextThreadThreadpoolTimerValidWhen
    • String ID: - Archive$ - Compressed$ - Directory$ - Encrypted$ - Hidden$ - Read-only$ - System$ - Temporary$Attributes:$Current Directory: $VUUU$uqo4qJ12sX1m12J1FuF8TO6X8j$v3OU2MlwL8gPcVAkbeX
    • API String ID: 4139790471-1023201208
    • Opcode ID: b7a509154a13f8015b61b11dbb9031719fabeda0ade3d7b8582a691031e3fb28
    • Instruction ID: 70b9dd943cae916b9fd24a70afc4e5f04919ca20ad647d641746e3d71274a69c
    • Opcode Fuzzy Hash: b7a509154a13f8015b61b11dbb9031719fabeda0ade3d7b8582a691031e3fb28
    • Instruction Fuzzy Hash: 0F52C232A1AB8296E7549FB4E8412AE7770FF94784F10503AEA4E47E68DF3CD509CB14
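The graph listings in this report are Joe Sandbox's text export of each function's control-flow graph: every basic block appears as `<id> <start>-<end>` followed by the imported API names and internal `call <addr>` targets it contains (`* N` marks a callee repeated N times), and every edge appears as `<src>-><dst>`. The parser below is an added example, not part of the report or of Joe Sandbox's own tooling. It attributes API names to blocks, and checks on the static graph whether a block calling a watch-listed API (IsDebuggerPresent, which this report's signatures flag, and VirtualProtect, which appears in another function's graph) is reachable from the function's entry. The embedded sample is a trimmed excerpt of the report's own listing for the function at 7ff8a8c54090; the watch list and the function names are assumptions of this example.

```python
import re
from collections import deque

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")          # e.g. 644->647
RANGE_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+$")  # e.g. 7ff8a8c54090-7ff8a8c540d6

# Assumption: APIs worth flagging. IsDebuggerPresent is raised as a signature
# by the report itself; VirtualProtect appears in the graph of 7ff8a8caa520.
WATCHLIST = {"IsDebuggerPresent", "VirtualProtect"}

# Constructed sample: a trimmed excerpt of the report's listing for the function
# at 7ff8a8c54090 (ids, addresses and API names copied from the report; several
# blocks and edges are omitted for brevity).
SAMPLE = (
    "control_flow_graph 644 7ff8a8c54090-7ff8a8c540d6 call 7ff8a8ce1b38 "
    "647 7ff8a8c540d8-7ff8a8c5412f AllocConsole SetConsoleScreenBufferInfoEx "
    "TryEnterCriticalSection AreFileApisANSI call 7ff8a8d90630 SetDefaultCommConfigW "
    "GetProcessHandleCount ReleaseMutexWhenCallbackReturns CloseThreadpoolTimer "
    "call 7ff8a8d90a60 644->647 648 7ff8a8c54136-7ff8a8c54149 644->648 647->648 "
    "650 7ff8a8c5414f-7ff8a8c54156 call 7ff8a8cdc00c 648->650 "
    "651 7ff8a8c541d5-7ff8a8c541dc 648->651 "
    "654 7ff8a8c541e5-7ff8a8c541e7 651->654 "
    "657 7ff8a8c541ed-7ff8a8c541f7 call 7ff8a8ce1b38 654->657 "
    "658 7ff8a8c54854-7ff8a8c54857 654->658 "
    "661 7ff8a8c5485d-7ff8a8c54899 call 7ff8a8c63510 658->661 "
    "674 7ff8a8c54200-7ff8a8c54204 657->674 "
    "678 7ff8a8c5489b-7ff8a8c548bd IsDebuggerPresent WaitForThreadpoolTimerCallbacks "
    "GlobalHandle call 7ff8a8d90da0 CreateThreadpool 661->678 "
    "679 7ff8a8c548c3-7ff8a8c548d8 HeapAlloc 661->679 678->679 "
    "681 7ff8a8c5420a-7ff8a8c54503 call 7ff8a8cdbc60 call 7ff8a8c63160 * 4 674->681 "
    "682 7ff8a8c54761-7ff8a8c54781 LocalAlloc 674->682"
)


def parse_cfg(text):
    """Return (blocks, edges).

    blocks maps block id -> {"start", "end", "apis", "calls"}; edges is a list
    of (src_id, dst_id). A block opens with "<id> <start>-<end>"; bare names are
    imported APIs, "call <addr>" an internal callee, "* N" repeats the previous
    callee N times, and "<src>-><dst>" is an edge.
    """
    toks = text.split()
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        t = toks[i]
        m = EDGE_RE.match(t)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif t.isdigit() and i + 1 < len(toks) and RANGE_RE.match(toks[i + 1]):
            start, end = toks[i + 1].split("-")
            cur = int(t)
            blocks[cur] = {"start": int(start, 16), "end": int(end, 16),
                           "apis": [], "calls": []}
            i += 2
        elif t == "call":
            blocks[cur]["calls"].append(int(toks[i + 1], 16))
            i += 2
        elif t == "*":
            last = blocks[cur]["calls"][-1]
            blocks[cur]["calls"].extend([last] * (int(toks[i + 1]) - 1))
            i += 2
        elif t == "control_flow_graph":
            i += 1
        else:
            blocks[cur]["apis"].append(t)
            i += 1
    return blocks, edges


def entry_block(blocks):
    """The block with the lowest start address is the function entry."""
    return min(blocks, key=lambda b: blocks[b]["start"])


def path_to(blocks, edges, src, dst):
    """Shortest path of block ids from src to dst (BFS over edges), or None."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    parent, queue = {src: None}, deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            path = []
            while n is not None:
                path.append(n)
                n = parent[n]
            return path[::-1]
        for m in succ.get(n, []):
            if m not in parent:
                parent[m] = n
                queue.append(m)
    return None


def distinct_apis(blocks):
    """Sorted set of every imported API name referenced in the graph."""
    return sorted({api for b in blocks.values() for api in b["apis"]})


def watchlist_hits(blocks, edges):
    """(api, block id, block start, reachable-from-entry) for each watch-listed
    API, so a hit can be tied back to an offset in the memory dump."""
    entry = entry_block(blocks)
    hits = []
    for bid, b in blocks.items():
        for api in b["apis"]:
            if api in WATCHLIST:
                reach = path_to(blocks, edges, entry, bid) is not None
                hits.append((api, bid, b["start"], reach))
    return hits


if __name__ == "__main__":
    blocks, edges = parse_cfg(SAMPLE)
    print(f"{len(blocks)} blocks, {len(edges)} edges, "
          f"{len(distinct_apis(blocks))} distinct imports")
    for api, bid, start, reach in watchlist_hits(blocks, edges):
        route = path_to(blocks, edges, entry_block(blocks), bid)
        print(f"{api} in block {bid} @ {start:#x} reachable={reach} path={route}")
```

Reachability here is purely static: the "Executed / Not Executed" colouring in the rendered graph comes from the sandbox's coverage data and is not present in the text export, so a block this parser reports as reachable may still never have run in the analysed session. Pasting the complete listing of a function in place of `SAMPLE` gives the full API-per-block map and lets the flagged block's start address be matched against the dump offset in the Memory Dump Source entry.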

    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: File$Time$NameProcessString$BoostCopyFindGroupInfoPriorityProcessorQuery$AffinityAssignBufferCommComputerConfigConsoleCounterCurrentDebugDefaultEnumFile2FirstFlushFormatsInputLanguageLocaleMemoryModuleNodeNotificationNumaNumberObjectOrdinalOutputPagesPerformancePhysicalPrivateProfileResourceScatterScriptsSectionStartupSystemThreadTransactedUserValidVerify
    • String ID: CwMO9TngM79xYYUeI8c4OT$DsbjzvXjNgL4k48gO3LW2V$INfZVNtC38o1Mz6727419LbxnczSs$K6mQLsWasfbs6ylow$W765XNqjufb9d6FKVtMjuff1F$h2226O6n2RnJ7r1ezmRe2IvN9$oqVlXzKgAfqVJRvawU$sHtc9hSTD4XQqn7LV$t1d2Z5B477n8moRq
    • API String ID: 3494401022-3528938499
    • Opcode ID: ab08d34a5c7972b40d0707bbac1a15a1564a6a7b63a42ae3d7664d543b7a34c3
    • Instruction ID: b4ef2d1b34d9c0e9f5c90c978fff21425ca76bdcb51a0d7865285153987905bd
    • Opcode Fuzzy Hash: ab08d34a5c7972b40d0707bbac1a15a1564a6a7b63a42ae3d7664d543b7a34c3
    • Instruction Fuzzy Hash: E7918132A05B41AAE724DF75E8516AE73A2FF98388F44803ADA4D47D68DF3DD148C718
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: DiskFreeSpace
    • String ID:
    • API String ID: 1705453755-0
    • Opcode ID: 5f538518f70937bf11e419d51a4fea6598bbd6422f46c342526eb7ef06b1ca16
    • Instruction ID: d6bd023aef13f88f7da155c71dc16a27506a3a5de3dcecbee528923cabe123b6
    • Opcode Fuzzy Hash: 5f538518f70937bf11e419d51a4fea6598bbd6422f46c342526eb7ef06b1ca16
    • Instruction Fuzzy Hash: ECF092B7600A8496CB50CFAAD584AAD77A0F758BD8B258027EB5C83714CB3AC495CB00

    Control-flow Graph

    Function 7ff8a8cdc040 (blocks 7ff8a8cdc040-7ff8a8cdc34f; rendered graph omitted). No Win32 imports are referenced: the blocks call the CRT helpers __scrt_dllmain_crt_thread_attach and __scrt_dllmain_after_initialize_c, a number of internal routines (7ff8a8cdbe08, 7ff8a8cdbc9c, 7ff8a8cdc808, 7ff8a8c5afa0, 7ff8a8d912b0 among others), and the function re-enters itself at 7ff8a8cdc040 from the blocks at 7ff8a8cdc28a and 7ff8a8cdc2fc. Together with the API ID below this is consistent with the MSVC CRT's DllMain dispatch code (dllmain_crt_dispatch with its attach/detach helpers inlined), that is, runtime scaffolding rather than sample-specific logic.
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
    • String ID:
    • API String ID: 190073905-0
    • Opcode ID: 246ea4d73848f51b4afbd247b9c89f376c14e35868bb7bacca2e5da668b8e543
    • Instruction ID: 8fa07cab003916f6a726dec940e63ab577bdce23de49f1f52fb0806b743ae32f
    • Opcode Fuzzy Hash: 246ea4d73848f51b4afbd247b9c89f376c14e35868bb7bacca2e5da668b8e543
    • Instruction Fuzzy Hash: B5818F21E0F643A6FBB4BB6694412B962E0EF95BC0F448135D95C43796DF3CE8498F28

    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: FileHandleType
    • String ID:
    • API String ID: 3000768030-0
    • Opcode ID: 6baec63feb1a4407557d6251544551a24ed08cc6170edb8c31f62c33efaa1f4f
    • Instruction ID: 8a10b13d5f0e83bbc961ee12acdb836688dd0abbd6bf91d98da9936f8f9e6064
    • Opcode Fuzzy Hash: 6baec63feb1a4407557d6251544551a24ed08cc6170edb8c31f62c33efaa1f4f
    • Instruction Fuzzy Hash: 1A31B222E19B51B2E7A88B2595401782650FB45BF0F64133ADB6E077E0CF7CE8A1D758

    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
    • String ID:
    • API String ID: 1173176844-0
    • Opcode ID: 1ebb9326b1c6de14f351838dad7be59f1ebc5aba309e2b44231de6eeee9aa3d8
    • Instruction ID: 6cffc1aef8c4c82712b9afd62e85bccad1b790effad5589b2831320b5c6864fa
    • Opcode Fuzzy Hash: 1ebb9326b1c6de14f351838dad7be59f1ebc5aba309e2b44231de6eeee9aa3d8
    • Instruction Fuzzy Hash: 13E0B680E1B60761FFF8316214560B900409F987F0E181B30E93E492D3AF1CA4928D78

    Control-flow Graph

    Function 7ff8a8caa520 (rendered graph omitted): two blocks, 7ff8a8caa520-7ff8a8caa5b2, which calls VirtualProtect, falling through to 7ff8a8caa5b9-7ff8a8caa5d3. The text export does not record the target region or the requested protection; those have to be taken from the API call trace.
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 08162ecbcb6fe265952aeab26004fd56f186c16ea12c815fdaed98c207f13e25
    • Instruction ID: 010ad77b46231546ad8e563a91b9bd877a52f49bfa2d6eec000b6cc97054d2fc
    • Opcode Fuzzy Hash: 08162ecbcb6fe265952aeab26004fd56f186c16ea12c815fdaed98c207f13e25
    • Instruction Fuzzy Hash: 381133B7600A88C6CB50CF6AD988AA87760F79CB89F268116DF0D43350DB36C495CB40
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: AcquireExclusiveLock__std_exception_destroy
    • String ID:
    • API String ID: 504776981-0
    • Opcode ID: f66b9508e528772ae19c2a6d3ea917364f03120cd1a1b9f731b054640fea4449
    • Instruction ID: 9eea21176cdfdbb0f89dbdf790cdded316661a1e0275ca76dcb768bb91fb62de
    • Opcode Fuzzy Hash: f66b9508e528772ae19c2a6d3ea917364f03120cd1a1b9f731b054640fea4449
    • Instruction Fuzzy Hash: BD215731A0AB42A6E760DB11F84007973B5FB887D0F544236E5AD43764EF3CEA99CB18
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: AcquireExclusiveLock__std_exception_destroy
    • String ID:
    • API String ID: 504776981-0
    • Opcode ID: 4278b4a0d322c34a03724e4d4ce591d765b46d14e1e973994541ddeb78597b63
    • Instruction ID: f53f70b3936c3d7411b2cf69935757ffcc0ff64d68931853b94f14338130b20f
    • Opcode Fuzzy Hash: 4278b4a0d322c34a03724e4d4ce591d765b46d14e1e973994541ddeb78597b63
    • Instruction Fuzzy Hash: F2216A31A0AF42A1E750DB21F88007877A9FB887D0F154235D5AC43765EF3CE599CB28

    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: AcquireExclusiveLock__std_exception_destroy
    • String ID:
    • API String ID: 504776981-0
    • Opcode ID: 330af779436e796a39aa7a6803f0049bb7ec6903eba815cd3aec02ea144364f5
    • Instruction ID: a57d9c1b124b4038f9e92b783884bf8867d8d57320fbb273b1efb3e72060366b
    • Opcode Fuzzy Hash: 330af779436e796a39aa7a6803f0049bb7ec6903eba815cd3aec02ea144364f5
    • Instruction Fuzzy Hash: A6215C31A4AF42A1E750DB52F8C006973A5FB887D4F544235E96D43B64EF3CE499CB18
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: AcquireExclusiveLock__std_exception_destroy
    • String ID:
    • API String ID: 504776981-0
    • Opcode ID: 6ddabe38642e5f553cf386b1aca0ce9693158dea4834493e6fd50f400d4e90fd
    • Instruction ID: 2c51451f754fd1841a358126019729d82e3848d3bf9d14310a9b5729169e2e19
    • Opcode Fuzzy Hash: 6ddabe38642e5f553cf386b1aca0ce9693158dea4834493e6fd50f400d4e90fd
    • Instruction Fuzzy Hash: AD217831A4AB82A5E750DB21F84017977A5FB88BD0F004235E5AD037A4EF3CE549CB18

    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: AcquireExclusiveLock__std_exception_destroy
    • String ID:
    • API String ID: 504776981-0
    • Opcode ID: ca388407abd75436559ac309b8d95ec9af4446b8ade2a6768df823f57358d544
    • Instruction ID: bd96cddd92a51b817a5560d8e113995bd0ed8ff92686f4462763b62565bae21f
    • Opcode Fuzzy Hash: ca388407abd75436559ac309b8d95ec9af4446b8ade2a6768df823f57358d544
    • Instruction Fuzzy Hash: 33213735A0EF42A5E750CF21E8411A973A5FB887E0F544236D9AC43764EF3CE559CB28
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: AcquireExclusiveLock__std_exception_destroy
    • String ID:
    • API String ID: 504776981-0
    • Opcode ID: 467fa180b9341d9d7db0258047ef367013953028c771bd1387b475188cada7fb
    • Instruction ID: eee5a48693616fb62680dd1bb7c58046bbd74b756ba6f8e5b73aff4732d08460
    • Opcode Fuzzy Hash: 467fa180b9341d9d7db0258047ef367013953028c771bd1387b475188cada7fb
    • Instruction Fuzzy Hash: 4B213635A0AB42A6EB508B21F8401A47766FB887D0F044236D5AC03764EF3CE559CB18
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: AcquireExclusiveLock__std_exception_destroy
    • String ID:
    • API String ID: 504776981-0
    • Opcode ID: 1ad0cf307b20a09f7a1c11651f5f2f9852345e2de3553354130868b7e6d21ccc
    • Instruction ID: 99bec9fc12a0df01155567a7a7bde11d354e356d39f3f62a97072465a7969c8a
    • Opcode Fuzzy Hash: 1ad0cf307b20a09f7a1c11651f5f2f9852345e2de3553354130868b7e6d21ccc
    • Instruction Fuzzy Hash: B6213D31A0AB42AAEB90CB21F8401797766FB887C4F444239D56C43765EF3CE599CB18
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: AcquireExclusiveLock__std_exception_destroy
    • String ID:
    • API String ID: 504776981-0
    • Opcode ID: 1c6a916dc9237179688f8ff1c6f52b5bcde3ce8354cfc59eeadf82e84a0d353a
    • Instruction ID: 2f134f17b8d976249ccd83d786e78c1977b11a3c2f5ef0949bf62ec41a26f7d2
    • Opcode Fuzzy Hash: 1c6a916dc9237179688f8ff1c6f52b5bcde3ce8354cfc59eeadf82e84a0d353a
    • Instruction Fuzzy Hash: 22215731A0AB42A2E760CB21F84017577A5FF887D4F444236E6AD03765EF3CE458CB28
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: AcquireExclusiveLock__std_exception_destroy
    • String ID:
    • API String ID: 504776981-0
    • Opcode ID: cea088f2820e75e25aecc4aa681e4bf93f02cc27244ae5e1e54440551fdceff2
    • Instruction ID: 9afbff4c87eba135c3e7d11d5278c446c3a7244790c10fbf429da6c533f83a87
    • Opcode Fuzzy Hash: cea088f2820e75e25aecc4aa681e4bf93f02cc27244ae5e1e54440551fdceff2
    • Instruction Fuzzy Hash: D4214535A0AF42A5EB90CF15E8400A973B5FB887D4F444636D6AD03765EF3CE458CB28
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: AcquireExclusiveLock__std_exception_destroy
    • String ID:
    • API String ID: 504776981-0
    • Opcode ID: 5f8ae0a2be13ab2076e37824bc8d676975906e31c1ebb0035824de83e6b86731
    • Instruction ID: 0dbe4abf42d3eb80436ca516879a4a0e63d526c6f94b687110aed304513f0307
    • Opcode Fuzzy Hash: 5f8ae0a2be13ab2076e37824bc8d676975906e31c1ebb0035824de83e6b86731
    • Instruction Fuzzy Hash: EC213631A0AB42E1EB508B21F8400A973A5FB987D4F444236E5AC03B64EF3CE458CB58
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: AcquireExclusiveLock__std_exception_destroy
    • String ID:
    • API String ID: 504776981-0
    • Opcode ID: 9e65af6732581b26a9fd2163da3696d58528150a9acd69e65b06b9f90d3cd10e
    • Instruction ID: f3aaad464cdbb0b65ecd3307f5d767fdc80477c62aa4e88a6117d1e1a80c4bdd
    • Opcode Fuzzy Hash: 9e65af6732581b26a9fd2163da3696d58528150a9acd69e65b06b9f90d3cd10e
    • Instruction Fuzzy Hash: 86212331A0AF46E1EB509B11F8405A873A4FB88BD4F544236D9AD037A4EF3CE558CB28

    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: AcquireExclusiveLock__std_exception_destroy
    • String ID:
    • API String ID: 504776981-0
    • Opcode ID: c338118c99b954676fec626e0e5e16c09eaece1e3a0ee4897fd5e345748919be
    • Instruction ID: aa49ed58cd9dcdbe6b7e0fc90c3ea957e11a07a8ae1b8f74b87b28ff7dc5ae8d
    • Opcode Fuzzy Hash: c338118c99b954676fec626e0e5e16c09eaece1e3a0ee4897fd5e345748919be
    • Instruction Fuzzy Hash: 07213831A0AF42A1E790CB21F9441B977A5FB887D0F444236D6AC47768EF3CE559CB28
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: AcquireExclusiveLock__std_exception_destroy
    • String ID:
    • API String ID: 504776981-0
    • Opcode ID: be2882889c5a38e688faa0dbadddcf6f8ffdf35bf657b2ec37264657d760cf5d
    • Instruction ID: b6e14d080e3c31ff0e69f3733391b8caa0af40fa35405b071357843ad03cdabf
    • Opcode Fuzzy Hash: be2882889c5a38e688faa0dbadddcf6f8ffdf35bf657b2ec37264657d760cf5d
    • Instruction Fuzzy Hash: DA216A31A0AF42A9EB50DB21F8400797765FB887D4F44423AE5AC03764EF3CE558CB18

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: AcquireExclusiveLock__std_exception_destroy
    • String ID:
    • API String ID: 504776981-0
    • Opcode ID: 6f99457a0e386d421e091149835e0a0e85496f33b68614a8e840ac05b2320b29
    • Instruction ID: 533e26629209387fb4822a5511bc282786c52d12147eb15ef0bedbe45829e4a9
    • Opcode Fuzzy Hash: 6f99457a0e386d421e091149835e0a0e85496f33b68614a8e840ac05b2320b29
    • Instruction Fuzzy Hash: B821E535A0AB42A1E750DB11F88017573B5FB887D0F544236D5AC43765EF3CE599CB28
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID:
    • API String ID: 3215553584-0
    • Opcode ID: 7097b2d52f1b4ac38c73c491a33784019e875e8d080d305ec7f1a3106f3632f1
    • Instruction ID: 2f047108e9a64fa7a7323cbc30e0c8baee13a48aef9ab22e604539e2d31e154f
    • Opcode Fuzzy Hash: 7097b2d52f1b4ac38c73c491a33784019e875e8d080d305ec7f1a3106f3632f1
    • Instruction Fuzzy Hash: FC113A3291A742A3F3A8AB15A4402697BA4EB807C0F550039E79D57796DFBCE910CB68
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: Open
    • String ID:
    • API String ID: 71445658-0
    • Opcode ID: cfebc1515fc543b2b083fe2095759787ddce3388642ce27f36cb7901a027486b
    • Instruction ID: 7c15578d300e577eb2588c54f86070f396cfde503b42f02a8c29891fe5e503b2
    • Opcode Fuzzy Hash: cfebc1515fc543b2b083fe2095759787ddce3388642ce27f36cb7901a027486b
    • Instruction Fuzzy Hash: EEF0B2BB610A84D6CB50CF6AE484A9D7760F359FD8B258126DF5C43724CB3AC455CB00
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID:
    • API String ID: 3188754299-0
    • Opcode ID: 2ba6818c44b3c839024e50f709396ad1f8f57b850ceec6c737bacfcb6873c483
    • Instruction ID: ef376864580e8a8876c0b650256e5046ad582dc95c722622520f6c1bd50b2383
    • Opcode Fuzzy Hash: 2ba6818c44b3c839024e50f709396ad1f8f57b850ceec6c737bacfcb6873c483
    • Instruction Fuzzy Hash: F9E0E5B3600AC0D6DB40CF6AE584269B360EB48B99F19C02ADB184B718DA39C094CB00
    APIs
    • __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF8A8CDBE1C
      • Part of subcall function 00007FF8A8CDDE1C: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF8A8CDDE24
      • Part of subcall function 00007FF8A8CDDE1C: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FF8A8CDDE29
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
    • String ID:
    • API String ID: 1208906642-0
    • Opcode ID: ace1e87e0addd771cc244c9e6dcdaad3f3a174f17219fae7662bfe84eee06147
    • Instruction ID: cb0681800352f2130ae7d89eda38abe9529245762d712c8a7a19aca04dfb9c92
    • Opcode Fuzzy Hash: ace1e87e0addd771cc244c9e6dcdaad3f3a174f17219fae7662bfe84eee06147
    • Instruction Fuzzy Hash: 16E0EC54D0F24371FFF4366115022B916809F313C5F5060B9DA5D43AC3AF0E74561D3A
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: ExitFatal
    • String ID:
    • API String ID: 3155629236-0
    • Opcode ID: 00ca3bb6c16bf401e8107cfd5d380dc7284680fb22f24669aa6de33ca1ad307b
    • Instruction ID: acba1fe49ee8351d4f0489dbb5485bd46bb8baaf7d3ea97e89b45ff6e6ab8d73
    • Opcode Fuzzy Hash: 00ca3bb6c16bf401e8107cfd5d380dc7284680fb22f24669aa6de33ca1ad307b
    • Instruction Fuzzy Hash: BEE0E2F3701A80C6DB14CF69C48536877A1EB58B8AF19D019CB1C4B394EA3AC489CB10
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 58984d69895f230553de08d39cbae206efa4d1f7ff968e70513416a8fd665297
    • Instruction ID: 3d8f7e631a3ccd99bc0deaa089928b8581e76186698eec05205fca20e431eef2
    • Opcode Fuzzy Hash: 58984d69895f230553de08d39cbae206efa4d1f7ff968e70513416a8fd665297
    • Instruction Fuzzy Hash: 1411F0B7700A88C6CB10CF6AD888AA837A4F75CB89F268016DF1C83750DB36C495CB00
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: AllocHeap
    • String ID:
    • API String ID: 4292702814-0
    • Opcode ID: 4aeada3056b48720d5248332ab97d1d4c82a395e32c37c5675c881d1979179e2
    • Instruction ID: 485f46bbc1463463a4d6e3854e310a87dbf230f1bd06b907beff07272d070bc9
    • Opcode Fuzzy Hash: 4aeada3056b48720d5248332ab97d1d4c82a395e32c37c5675c881d1979179e2
    • Instruction Fuzzy Hash: 12F03754B0B70272FF9866A599553B912909F88BD0F085434C91E862C1EFACAE848A38
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: AllocHeap
    • String ID:
    • API String ID: 4292702814-0
    • Opcode ID: dd70e7eb700f8c4287a77a10fb0ad5a6c6e94079e811acb9a381f47546fba9b5
    • Instruction ID: c59dc1462e16df24e6390f1a3a455c7d5355f494d8b8de00ef5b973d07d42961
    • Opcode Fuzzy Hash: dd70e7eb700f8c4287a77a10fb0ad5a6c6e94079e811acb9a381f47546fba9b5
    • Instruction Fuzzy Hash: 66F05E10F0B34369FFA827A16A512751180DF447F0F084631DE2E866C1DFACAE428938
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: File$ConsoleSystemThread$NameTimeTimer$CreateVolume$QueryThreadpoolWaitable$CallbackDirectoryFindInformationMessagePointProcessWindow$CommCurrentEnumGlobalHeapLibraryMemoryMountNumberRegisterResourceVariableVirtual$AllocApplicationCloseCursorDefaultFlushFreeHandleInputParametersPathProcessorProfilingSizeUserWow64Write$ActiveAtomCacheCancelCharComputerConditionContinueConvertDebugDrawEnvironmentEventExitFirmwareFirstFullHighestHostnameInterlockedListLoadLocaleLockLogicalMailslotNextNodeNumaOpenOutputPolicyReadRecoverySecureShowSizeofStackTapeTransactedUnlockValidWalkZone$AcquireAliasesAsciiAttributesBackupBoostBufferBuffersChangeCheckClassCodeCompactCompareConfigContextCopyCountDataDeleteDeviceDialogDisableDispatchDuplicateDynamicEdgeEntryEscapeEventsExceptionExclusiveFatalFiberFocusFromFunctionGroupHandlerHelpInfoKeyboardLanguagesLayoutLocalLocalesMaskMembershipMenuModeModuleNamedNamesNeedNotificationObjectOfferOverlappedOwnedPackagedPagePhysicalPipePlacementPointerPopupsPositionPowerPreferredPrefetchPrevPriorityProfileProtectProtectedPushRaiseRangeRectRedirectionRemoveRequestRestartReturnsScrollShutdownSleepStateTabbedTerminateTextTimesTokenTranslateTypesUnregisterVectoredVersionWaitWakeWhenWindowsWorkinglstrcmpilstrlen
    • String ID: BMP Slideshow$G6lF24ngAInVNW3j6Pd51k$Mz7q79pQ2c5HD5D2vBO3$VUUU$WbLRl3PME67XVP7mxf48DtKg66Uw3$f34Y4wnwSktw1279fkh$xiJYc1EvPh3S79vS3Utgx6p
    • API String ID: 2164838011-3421674604
    • Opcode ID: 86151ba80330c1dc5b9256240fd199ac48431945eaf49b458f8ed06329951c6c
    • Instruction ID: d3b5c0c117a1ba4b9ccbd9f24eeeb5021b3f185f7fd6d6067b698884bb284060
    • Opcode Fuzzy Hash: 86151ba80330c1dc5b9256240fd199ac48431945eaf49b458f8ed06329951c6c
    • Instruction Fuzzy Hash: FF72E032F19A5293F768DF76B825A2F3262FF88784F418139CA5B46C54CF3DD4498A18
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: FileProcess$Console$Comm$Info$DefaultFindNameSystem$CurrentDeleteEnumGroupHandleInformationInputLanguageLocaleThread$ContextCursorDialogFontHeapInitializeListLocalesMailslotMemoryOpenParamQueryQueueRemoveSuspendThreadpoolTimeTimerTransactedUserViewVirtualWindowWow64Write$AffinityAllocApplicationAtomAttributesAvailableAwareBarrierCapabilityCaptureChangeCharCheckClassComputerConditionConvertCopyCreateCriticalCurrencyDeferDirectoryEnterEscapeEventsExceptionExclusiveExemptionExitFatalFirmwareFirstFlushFormatFreeFunctionGlobalHandlerHistoryHostnameIndirectLangLastLatencyLocalLockLongMappingMaskMessageModuleNamedNamespaceNextNodeNotificationNotifyNumaNumberPathPipePointerPolicyPrefetchPriorityPrivateProcProfileProgressPropertiesProtectedPurgeRecoveryRectReleaseRequestResourceRestrictionResumeSectionSizeSpecificStackStartStateStringSynchronizationTimeoutsTokenTransmitTypeUnregisterValidateVariableVectoredVersionVolumeWakeupWindowsWorkingmouse_event
    • String ID: Q5fe1TM55l29hn6h$bEyVKZ74qyTfin218uBe4TPR3v$dM9l3vaH5EF2kgs5Nqv96JP$f7v2218KxcAGwrtbBvL1mrYh2Xl
    • API String ID: 1829468611-4238512339
    • Opcode ID: fe6c1b589c7bb5c159a9baf58782970cbc410b6271b50165f658d396973d683b
    • Instruction ID: b2d3d12ce849a642a0b0549a345f6b471f595c0412cc65298d34754877e40ab8
    • Opcode Fuzzy Hash: fe6c1b589c7bb5c159a9baf58782970cbc410b6271b50165f658d396973d683b
    • Instruction Fuzzy Hash: F6E16032F15A51A3F72CDBB6B826A2F3252EF88795F858439C91B4AC54CF3DD4098618
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: QueryThreadThreadpoolWait$Concurrency::cancel_current_taskFindLanguageLibraryLoad$AllocApplicationAtomCallbacksCancelCloseCodeConditionConsoleContextCreateCurrentCycleDebugDefaultDepthEnumExitFatalFileFirstFontHeapIdleInformationListLocalLocaleMountNamedOpenOutputPackagedPagesPipePointProcessProcessorRestartServerSizeSleepStreamStringSystemTimeTimerUnregisterUserVariableVersionVolumeWaitableWow64
    • String ID: 4cLXsAAxHCgrifkqUdPpgblnD$TPF4L667iYm1228cF7KWvxU$vWqroBWLUUJjYwALHVXWAgHKZsuK
    • API String ID: 498436797-2389750138
    • Opcode ID: d3e455d75b2208155bb367d6a2940af4093a23659e57bca3b68d7fd428bf8805
    • Instruction ID: 9f2ab0078076d87ca536396d5ba21f22b1c94db2d31522bfb5b9c93b10668165
    • Opcode Fuzzy Hash: d3e455d75b2208155bb367d6a2940af4093a23659e57bca3b68d7fd428bf8805
    • Instruction Fuzzy Hash: AB91A132E0AB8592E758DF71F81436A77A1FB88B94F448139D65E47A64CF3CE448CB18
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: Cpp_errorObjectPaintThrow_std::_$CreateDeleteWindow$AcquireBeginBrowseClientCompatibleDrawExclusiveFolderFreeFromImageListLoadLockMessagePathPostProcQuitRectSelectTaskText
    • String ID: $%$BUTTON$No BMP files found. Select a folder.$Select Folder$Select a folder containing BMP files
    • API String ID: 3860849327-1198062606
    • Opcode ID: 2b3e9840d6650e9c75656e1e925a8b2253ca91f2b341b6150ca5c4e6a299fc8e
    • Instruction ID: b6fe17cafc33353089f2bd357b32b4d6c7e7b1ce1d8cc21b10759ff5c40fa692
    • Opcode Fuzzy Hash: 2b3e9840d6650e9c75656e1e925a8b2253ca91f2b341b6150ca5c4e6a299fc8e
    • Instruction Fuzzy Hash: C0C1BF31A0AB42A2FB589B25F9442B933A1FB54BC4F405135DA5D53BA4DF3CE588CB28
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: FileProcessor$CallbackGlobalNameNodeNumaProcessThreadThreadpoolTransactedWrite$AllocApplicationClientCloseCompletionConsoleCountCtrlDeleteEntryFormatFreeFullGroupHandlerHeapInterlockedListLocaleMaskMaximumMinimumModesNamedNamespaceNotificationPathPipePrivatePushRecoveryRegisterResetSubmitTimeUnlockValueWatchWow64
    • String ID:
    • API String ID: 3178232475-0
    • Opcode ID: 002e26be9901d72d95d4afd575738d36e28aa986a91b4ed861b6f2e5c4ce0c5e
    • Instruction ID: c54f74a3be6a3111119b86e559b6309247b385a85c4da902c7f26e80dabc633f
    • Opcode Fuzzy Hash: 002e26be9901d72d95d4afd575738d36e28aa986a91b4ed861b6f2e5c4ce0c5e
    • Instruction Fuzzy Hash: 5DD13E33A19B809AE754DFB4E84029E77B5FF98344F10503AEA8993E69DF38D144CB14
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo$fegetenv
    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
    • API String ID: 1709182501-2761157908
    • Opcode ID: 5502821cb02f3232d844454d93d60e4e3ad56955a5411aad03f3746d87b8ef77
    • Instruction ID: 9576870368f7abe16fcb049254e6417bd636af1acf671e47305d49d303246178
    • Opcode Fuzzy Hash: 5502821cb02f3232d844454d93d60e4e3ad56955a5411aad03f3746d87b8ef77
    • Instruction Fuzzy Hash: CCB20272E1A2829BEB258F64D4407FD37B1FB443C8F405139DA6A57A84DB3CEA08CB54
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
    • String ID:
    • API String ID: 1617910340-0
    • Opcode ID: 595a0599e9388488acc00c24d363e3f4789783655409d460825e359ae9166827
    • Instruction ID: 959cd0ec3d67bbec28a742b54d590150f212fa33d8bd460b2cd780dfc21b1640
    • Opcode Fuzzy Hash: 595a0599e9388488acc00c24d363e3f4789783655409d460825e359ae9166827
    • Instruction Fuzzy Hash: 11C1DF33B29A4296EB54CFA9D4806AC3771EB48BE8F000235DA2E97795CF3CE559C314
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID: $
    • API String ID: 3215553584-227171996
    • Opcode ID: 28ff46445b86d14cea8d55faa840fbd5d6a2a6b6e39563a2438e0f7a2d81672e
    • Instruction ID: d59eb1ee51d0066373098839d354131d83ef2aec058f2253fe6cd73e1dc763a6
    • Opcode Fuzzy Hash: 28ff46445b86d14cea8d55faa840fbd5d6a2a6b6e39563a2438e0f7a2d81672e
    • Instruction Fuzzy Hash: 5F03D372A1A2819FE7B58F25D8407FA37A1FB547C8F005135EA0A57B84EB3DAA04CF54
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
    • String ID: utf8
    • API String ID: 3069159798-905460609
    • Opcode ID: 5185bfc7f949f4a0afda578a41f5c7f051e2b56a12088d4a08134d593a52023a
    • Instruction ID: 7ca01a48655fbe3e3de249398622b0858a693a15cc5ac1b65d5f3e3a59ffccc4
    • Opcode Fuzzy Hash: 5185bfc7f949f4a0afda578a41f5c7f051e2b56a12088d4a08134d593a52023a
    • Instruction Fuzzy Hash: AE91BE32A1A742A2FBA49F21D5402B933A4EF44BC0F444131DA5D47786EFBCE955CB68
    APIs
      • Part of subcall function 00007FF8A8CF1AE0: GetLastError.KERNEL32 ref: 00007FF8A8CF1AEF
      • Part of subcall function 00007FF8A8CF1AE0: FlsGetValue.KERNEL32(?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF,?,?,00000000,00007FF8A8CFA467), ref: 00007FF8A8CF1B04
      • Part of subcall function 00007FF8A8CF1AE0: SetLastError.KERNEL32 ref: 00007FF8A8CF1B8F
      • Part of subcall function 00007FF8A8CF1AE0: FlsSetValue.KERNEL32(?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF,?,?,00000000,00007FF8A8CFA467), ref: 00007FF8A8CF1B25
    • GetUserDefaultLCID.KERNEL32 ref: 00007FF8A8D008D8
      • Part of subcall function 00007FF8A8CF1AE0: FlsSetValue.KERNEL32(?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF,?,?,00000000,00007FF8A8CFA467), ref: 00007FF8A8CF1B52
      • Part of subcall function 00007FF8A8CF1AE0: FlsSetValue.KERNEL32(?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF,?,?,00000000,00007FF8A8CFA467), ref: 00007FF8A8CF1B63
      • Part of subcall function 00007FF8A8CF1AE0: FlsSetValue.KERNEL32(?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF,?,?,00000000,00007FF8A8CFA467), ref: 00007FF8A8CF1B74
    • EnumSystemLocalesW.KERNEL32 ref: 00007FF8A8D008BF
    • ProcessCodePage.LIBCMT ref: 00007FF8A8D00902
    • IsValidCodePage.KERNEL32 ref: 00007FF8A8D00914
    • IsValidLocale.KERNEL32 ref: 00007FF8A8D0092A
    • GetLocaleInfoW.KERNEL32 ref: 00007FF8A8D00986
    • GetLocaleInfoW.KERNEL32 ref: 00007FF8A8D009A2
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
    • String ID:
    • API String ID: 2591520935-0
    • Opcode ID: 7bc437619194680884825a92ef677c774050891ba708a4dda540a684fd3cffdf
    • Instruction ID: 07445f8ae28522fb304de628b689254312503d38a785c370dca5950c557e8a0d
    • Opcode Fuzzy Hash: 7bc437619194680884825a92ef677c774050891ba708a4dda540a684fd3cffdf
    • Instruction Fuzzy Hash: 12714922F06642B9FB50AB61D4506BD23B4FF48794F444136CA2F53A95DF3CA848D7A8
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
    • String ID:
    • API String ID: 3140674995-0
    • Opcode ID: 7b6dbeb06b266829475df25d64cc8dc673208cbc9105d22d9ed9dbda130a2438
    • Instruction ID: 8ecf112701b0946467db5066dd1afeab7709898f2d17cf1325820d8557bd7d49
    • Opcode Fuzzy Hash: 7b6dbeb06b266829475df25d64cc8dc673208cbc9105d22d9ed9dbda130a2438
    • Instruction Fuzzy Hash: 01316372A0AB8196EB609F64E8407ED7364FB44784F44403ADA5E47B95DF3CD548CB24
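The record above is the one behind the report's "Contains functionality to check if a debugger is running (IsDebuggerPresent)" signature, and its API ID puts Debugger/Present next to Capture/Context, Unwind/Virtual, Lookup/Entry and Exception/Filter/Unhandled. That is the call set of the MSVC CRT's security-cookie failure handler, so on its own it is runtime boilerplate rather than anti-debugging. The triage helper below is an added example, not code from Joe Sandbox or from the pkcs11-helper project: it parses the "API ID" / "String ID" / "Opcode ID" / "Instruction Fuzzy Hash" bullets as they appear in this listing into one record per function and sorts the records into CRT noise versus functions worth opening. The record boundaries, the reading of the API ID field as alphabetically sorted name fragments grouped by "$" according to call count, and the three CRT pattern sets are this example's assumptions inferred from the records on this page, not documented Joe Sandbox behaviour; the sample input is a constructed copy of four records from the listing.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: four records copied from this report's function listing.
# Only the fields the parser reads are included; the other bullet lines
# (Instruction ID, Opcode Fuzzy Hash, memory dump sources) are skipped anyway.
SAMPLE_REPORT = """\
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 7b6dbeb06b266829475df25d64cc8dc673208cbc9105d22d9ed9dbda130a2438
• Instruction Fuzzy Hash: 01316372A0AB8196EB609F64E8407ED7364FB44784F44403ADA5E47B95DF3CD548CB24
• API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
• String ID:
• API String ID: 1405656091-0
• Opcode ID: e060553c97626a791207f45e908368a841f3eeece0a973a1796b139c9fd423bf
• Instruction Fuzzy Hash: 8991C3B2B063465BEB988F25C9413B863A5EF547C8F049039DA0D4B78AFF3CE5518B54
• API ID: InfoLocale
• String ID: GetLocaleInfoEx
• API String ID: 2299586839-2904428671
• Opcode ID: 4775fcb524229eccf5ffe241edde5ad36f7bfea064170ecc6aed43aa223e42b8
• Instruction Fuzzy Hash: AC018F31B09B81A5FB409B96B5001AAB260EB88BC0F584135DF6D03F6ACF3CD9458754
• API ID:
• String ID: a/p$am/pm
• API String ID: 0-3206640213
• Opcode ID: ea46ffb511eb4955aab9f52b5e9a86bc0184e4001112e0b81e6b1683c6b365f7
• Instruction Fuzzy Hash: 18E1E222E2B646A3E7E48F6495146BD23A0FF517C4F554172EA0D07A94FF3CEA41CB28
"""

FIELD_RE = re.compile(
    r"^\s*•\s*(API ID|String ID|API String ID|Opcode ID|Instruction Fuzzy Hash):\s*(.*?)\s*$")
# A CamelCase fragment ("Unhandled") or a CRT-internal lowercase name ("_get_daylight").
TOKEN_RE = re.compile(r"[A-Z][a-z0-9]*|_[a-z0-9_]+")


@dataclass
class FunctionRecord:
    api_id: str
    string_id: str
    opcode_id: str
    fuzzy_hash: str


def parse_records(text: str) -> list[FunctionRecord]:
    """One record per 'Instruction Fuzzy Hash' bullet, the last field of each entry (assumed)."""
    records: list[FunctionRecord] = []
    fields: dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        fields[m.group(1)] = m.group(2)
        if m.group(1) == "Instruction Fuzzy Hash":
            records.append(FunctionRecord(fields.get("API ID", ""), fields.get("String ID", ""),
                                          fields.get("Opcode ID", ""), fields["Instruction Fuzzy Hash"]))
            fields = {}
    return records


def api_id_words(api_id: str) -> list[set[str]]:
    """Split the API ID into its '$'-separated groups of name fragments.

    Assumption inferred from this page, not from Joe Sandbox documentation: each
    group holds the CamelCase fragments of the imported names (Get/Set/Is/Rtl
    prefix and A/W suffix dropped) in alphabetical order, and '$' separates the
    groups by descending call count, so 'ExceptionFilterPresentUnhandled$...'
    means Exception, Filter, Present and Unhandled each occur at two call sites.
    """
    return [set(TOKEN_RE.findall(group)) for group in api_id.split("$") if group]


# Fragments that together identify the MSVC /GS cookie failure handler
# (IsDebuggerPresent + RtlCaptureContext + RtlVirtualUnwind + SetUnhandledExceptionFilter).
GS_HANDLER = {"Debugger", "Present", "Capture", "Context", "Unwind"}
# Fragments from the CRT locale/code-page initialisation and the GetLastError /
# FlsGetValue / _invalid_parameter_noinfo helpers those routines call.
LOCALE_INIT = {"Locale", "Locales", "Info", "Enum", "System", "Code", "Page", "Valid", "Default",
               "User", "Process", "Error", "Last", "Value", "_invalid_parameter_noinfo"}


def classify(rec: FunctionRecord) -> str:
    words: set[str] = set().union(*api_id_words(rec.api_id))
    if GS_HANDLER <= words:
        return "crt_gs_failure_handler"  # IsDebuggerPresent here is the cookie-failure path, not anti-debug
    if any(w.startswith(("_get_daylight", "_isindst")) for w in words):
        return "crt_timezone"
    if words and words <= LOCALE_INIT:
        return "crt_locale_init"
    if not words:
        return "strings_only" if rec.string_id else "no_imports"
    return "review"  # anything else is worth opening in the disassembler


def triage(text: str) -> dict[str, list[str]]:
    """Map each classification to the Opcode IDs of the functions that fall into it."""
    buckets: dict[str, list[str]] = {}
    for rec in parse_records(text):
        buckets.setdefault(classify(rec), []).append(rec.opcode_id)
    return buckets


if __name__ == "__main__":
    for label, ids in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{label:24s} {len(ids)} function(s): " + ", ".join(i[:16] for i in ids))
```

Paste the full function listing of a report into `SAMPLE_REPORT` (or read it from a file) and only the `review` bucket needs manual attention; the three CRT buckets are what a statically linked MSVC runtime contributes to every binary, and a signature such as the IsDebuggerPresent one should be weighed against which bucket its function lands in.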
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: _get_daylight$_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
    • String ID:
    • API String ID: 355007559-0
    • Opcode ID: 8cbdec1d5a3817648bf33ebdf08c89a2b32337d0953c26b341651ecc8acd9747
    • Instruction ID: 6445d6060e4a83beafff7024d9d0f96cc9c456b169317b19766d5fdfef2c4202
    • Opcode Fuzzy Hash: 8cbdec1d5a3817648bf33ebdf08c89a2b32337d0953c26b341651ecc8acd9747
    • Instruction Fuzzy Hash: C2D11132E0A342A6FBA4EF26D8401B92760FF847C4F408035EA1D47A85DF7CE855CB68
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
    • String ID:
    • API String ID: 1405656091-0
    • Opcode ID: e060553c97626a791207f45e908368a841f3eeece0a973a1796b139c9fd423bf
    • Instruction ID: c576c73b4539bc4f214840258e0af05d35562cca9cd0f00f50f4d980d798e186
    • Opcode Fuzzy Hash: e060553c97626a791207f45e908368a841f3eeece0a973a1796b139c9fd423bf
    • Instruction Fuzzy Hash: 8991C3B2B063465BEB988F25C9413B863A5EF547C8F049039DA0D4B78AFF3CE5518B54
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
    • String ID:
    • API String ID: 1239891234-0
    • Opcode ID: 684730d4d3bf0e60c83ebd02a2c8fb2c53df1cfe0b2fae214d3c2dc8cbe839fa
    • Instruction ID: 8d43acfea0461e02f9e2a72af6affc0f755ab3d03a2f8ebfb9ee6c91f46dfc6d
    • Opcode Fuzzy Hash: 684730d4d3bf0e60c83ebd02a2c8fb2c53df1cfe0b2fae214d3c2dc8cbe839fa
    • Instruction Fuzzy Hash: A231B632A19F8196DB60DF65E8403AE73A4FB88794F500136EA9D43B94EF3CD549CB14
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
    • String ID:
    • API String ID: 3458911817-0
    • Opcode ID: f03cdc704647ac725645fb3f1718b84e7aed6792d90581420eb2fddc3a3e25c4
    • Instruction ID: be99e30b78cf89fbdc5e702e241663306ce3be01840a1d59835aab2e580a3155
    • Opcode Fuzzy Hash: f03cdc704647ac725645fb3f1718b84e7aed6792d90581420eb2fddc3a3e25c4
    • Instruction Fuzzy Hash: CD51B032A1A742A6F750DF22E8815A96760FF487C4F404135EA2D43B95DF7CE914CB68
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: _get_daylight$_invalid_parameter_noinfo
    • String ID:
    • API String ID: 1286766494-0
    • Opcode ID: c501242c5f6a29410816515b0676d6367d99fbc05009712adad9be0323137390
    • Instruction ID: 1644ebd1ee36da946b1477987f7c792543e9f4ddb46926ecd5c693b2ac4e9414
    • Opcode Fuzzy Hash: c501242c5f6a29410816515b0676d6367d99fbc05009712adad9be0323137390
    • Instruction Fuzzy Hash: 7D92E032A0A69297E7A4AF64D45417D37A1FB45BC8F048135EB8D07B98EF3DE510CB28
    APIs
      • Part of subcall function 00007FF8A8CF1AE0: GetLastError.KERNEL32 ref: 00007FF8A8CF1AEF
      • Part of subcall function 00007FF8A8CF1AE0: FlsGetValue.KERNEL32(?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF,?,?,00000000,00007FF8A8CFA467), ref: 00007FF8A8CF1B04
      • Part of subcall function 00007FF8A8CF1AE0: SetLastError.KERNEL32 ref: 00007FF8A8CF1B8F
      • Part of subcall function 00007FF8A8CF1AE0: FlsSetValue.KERNEL32(?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF,?,?,00000000,00007FF8A8CFA467), ref: 00007FF8A8CF1B25
    • GetLocaleInfoW.KERNEL32 ref: 00007FF8A8D00250
      • Part of subcall function 00007FF8A8CFBC58: _invalid_parameter_noinfo.LIBCMT ref: 00007FF8A8CFBC75
    • GetLocaleInfoW.KERNEL32 ref: 00007FF8A8D00299
      • Part of subcall function 00007FF8A8CFBC58: _invalid_parameter_noinfo.LIBCMT ref: 00007FF8A8CFBCCE
    • GetLocaleInfoW.KERNEL32 ref: 00007FF8A8D00361
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
    • String ID:
    • API String ID: 1791019856-0
    • Opcode ID: 2a074b193637746b2a924175c8c68c91679c68f46a3276774bbd3c8f7690af7c
    • Instruction ID: 22277fde2f0792b426befd1e449e644fdbd646670ded37af329d83ff5b88d430
    • Opcode Fuzzy Hash: 2a074b193637746b2a924175c8c68c91679c68f46a3276774bbd3c8f7690af7c
    • Instruction Fuzzy Hash: 9F616C32A0A642ABEB758F12E58027E73B5EB44780F408135C7AF93691DF3CE859C724
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: InfoLocale
    • String ID: GetLocaleInfoEx
    • API String ID: 2299586839-2904428671
    • Opcode ID: 4775fcb524229eccf5ffe241edde5ad36f7bfea064170ecc6aed43aa223e42b8
    • Instruction ID: 22cccb57f741d7767976b3ecde55c5d218c80c70c3754381e4df03553c61de33
    • Opcode Fuzzy Hash: 4775fcb524229eccf5ffe241edde5ad36f7bfea064170ecc6aed43aa223e42b8
    • Instruction Fuzzy Hash: AC018F31B09B81A5FB409B96B5001AAB260EB88BC0F584135DF6D03F6ACF3CD9458754
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: ExceptionRaise_clrfp
    • String ID:
    • API String ID: 15204871-0
    • Opcode ID: a85413e553e0692fea20b52e32ea55e9665bfd45cf653735d4e2f35c9c6e83ed
    • Instruction ID: 333d05088fa4dfcb291a489eb394667f305793e997d31bca48ebdbf5f6fd917d
    • Opcode Fuzzy Hash: a85413e553e0692fea20b52e32ea55e9665bfd45cf653735d4e2f35c9c6e83ed
    • Instruction Fuzzy Hash: 59B17E77605B898BEB55CF29C84636C3BE0F784B88F158821DB5D83BA4CB79D861CB14
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: %$+
    • API String ID: 0-2626897407
    • Opcode ID: 4c0247f3493d7a9fdd2fe63a29d6afdcf2dd147269b441624d13835e8ef1d953
    • Instruction ID: b745be6c7f023b6378e09c49ebb383b225be34be020784455df4f8bf5da98c46
    • Opcode Fuzzy Hash: 4c0247f3493d7a9fdd2fe63a29d6afdcf2dd147269b441624d13835e8ef1d953
    • Instruction Fuzzy Hash: 22124322B196D199FF699A24D8403BD2761EB24BD8F046231EE5E17BC9DF3CD481CB18
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: %$+
    • API String ID: 0-2626897407
    • Opcode ID: cf59ab826d084b43bd7788ef0dd334466975caaf269a586ce05ad0b460b6ffa4
    • Instruction ID: 9df34642a1b71769ead9215eb957460bf8d8009031e449a987e062d8c29a74fe
    • Opcode Fuzzy Hash: cf59ab826d084b43bd7788ef0dd334466975caaf269a586ce05ad0b460b6ffa4
    • Instruction Fuzzy Hash: 68124512B29AD199FF688A24D8407BD2761EB64BD8F146231EE4D17BC8DF3CD481CB18
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: a/p$am/pm
    • API String ID: 0-3206640213
    • Opcode ID: ea46ffb511eb4955aab9f52b5e9a86bc0184e4001112e0b81e6b1683c6b365f7
    • Instruction ID: 24623c61bd411933d66aaf8060dbc9c048273f5f2b4b2a6260f7158cefdc421a
    • Opcode Fuzzy Hash: ea46ffb511eb4955aab9f52b5e9a86bc0184e4001112e0b81e6b1683c6b365f7
    • Instruction Fuzzy Hash: 18E1E222E2B646A3E7E48F6495146BD23A0FF517C4F554172EA0D07A94FF3CEA41CB28
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: $
    • API String ID: 0-227171996
    • Opcode ID: dd2e1978cdb7e1f67f3d738d384ae1111af1897aac1b75f32ed8819cfb70f531
    • Instruction ID: ee32d9966a6b196390ac2f07883b3facb8de419a16e41f4244f53d08addadb5f
    • Opcode Fuzzy Hash: dd2e1978cdb7e1f67f3d738d384ae1111af1897aac1b75f32ed8819cfb70f531
    • Instruction Fuzzy Hash: 8BE1D372A1A64293EBE88E25C15453D33A2FF45BC8F245235DA4E07794EF3DE841CB68
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: e+000$gfff
    • API String ID: 0-3030954782
    • Opcode ID: e4d2a309ff0ca11c04acd2c41cc1d49ee4c3f0fc51fa8d3622a85ae0d9ec4d58
    • Instruction ID: f7723eca8f0c1db0a75ec38565a81dbb414875cc21dfdecabf8b33b2a3c3cf72
    • Opcode Fuzzy Hash: e4d2a309ff0ca11c04acd2c41cc1d49ee4c3f0fc51fa8d3622a85ae0d9ec4d58
    • Instruction Fuzzy Hash: B8518832F193C156F7A48A35A801B697B91E744BD4F08D239CBA847AC6CFBDE8048B14
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: Info
    • String ID:
    • API String ID: 1807457897-0
    • Opcode ID: c06154fa8283fb0c97319ea7ebae98a78375d4841e6baea9508be7bc51c747fa
    • Instruction ID: fa19dc74313e9236b5fa574021c862ec937571fc513e8df7363662f056e127aa
    • Opcode Fuzzy Hash: c06154fa8283fb0c97319ea7ebae98a78375d4841e6baea9508be7bc51c747fa
    • Instruction Fuzzy Hash: A912BF22A09BC196E7A1CF3894453FD77A4FB59788F059235EB8C83692EF78E584C710
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a4d52e207018258f5a341711b507a394ec96f86eb003c0e7181fbc1a9df6064d
    • Instruction ID: 410c92898eb81f172390eaa1439cd1ac8c83472ea4c1002c3221b93a5d2fdf4c
    • Opcode Fuzzy Hash: a4d52e207018258f5a341711b507a394ec96f86eb003c0e7181fbc1a9df6064d
    • Instruction Fuzzy Hash: 74E1AD32A09B8596F760DB61E4402EE27A0FB847C8F008632DF8D57B56EF78E645C714
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c6114cd53dacb15db055bfc4834d5182b5c9c0e19bb4525650130fae3ea11830
    • Instruction ID: c8d1f2ef7cb764ed8e12747deef7e11f80a09b9fce85e9d0e916dc8d60d86cec
    • Opcode Fuzzy Hash: c6114cd53dacb15db055bfc4834d5182b5c9c0e19bb4525650130fae3ea11830
    • Instruction Fuzzy Hash: 8F512622B09791A5FB608B72A8402BE7BA1FB447D4F144135EE5C67B85DF7CD801CB08
    APIs
      • Part of subcall function 00007FF8A8CF1AE0: GetLastError.KERNEL32 ref: 00007FF8A8CF1AEF
      • Part of subcall function 00007FF8A8CF1AE0: FlsGetValue.KERNEL32(?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF,?,?,00000000,00007FF8A8CFA467), ref: 00007FF8A8CF1B04
      • Part of subcall function 00007FF8A8CF1AE0: SetLastError.KERNEL32 ref: 00007FF8A8CF1B8F
      • Part of subcall function 00007FF8A8CF1AE0: FlsSetValue.KERNEL32(?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF,?,?,00000000,00007FF8A8CFA467), ref: 00007FF8A8CF1B25
    • GetLocaleInfoW.KERNEL32 ref: 00007FF8A8D00494
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: ErrorLastValue$InfoLocale
    • String ID:
    • API String ID: 673564084-0
    • Opcode ID: 872d967dae844dc20b2a06a17924bf7a254046ba92372c593667198a0f009a37
    • Instruction ID: 940da624f1098edab64f6a07cb2b81ed13c037d766e8b26b4d729b820c1355da
    • Opcode Fuzzy Hash: 872d967dae844dc20b2a06a17924bf7a254046ba92372c593667198a0f009a37
    • Instruction Fuzzy Hash: 9D318632F0A68266EB64CB22D5413BE73A1FB487C4F408035DAAF87645DF3CE8558B14
    APIs
      • Part of subcall function 00007FF8A8CF1AE0: GetLastError.KERNEL32 ref: 00007FF8A8CF1AEF
      • Part of subcall function 00007FF8A8CF1AE0: FlsGetValue.KERNEL32(?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF,?,?,00000000,00007FF8A8CFA467), ref: 00007FF8A8CF1B04
      • Part of subcall function 00007FF8A8CF1AE0: SetLastError.KERNEL32 ref: 00007FF8A8CF1B8F
    • EnumSystemLocalesW.KERNEL32 ref: 00007FF8A8D0011A
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: ErrorLast$EnumLocalesSystemValue
    • String ID:
    • API String ID: 3029459697-0
    • Opcode ID: 29acebede4ffef52afcf4cb321a2c0fadb0bea7ec43c236148de1f497499bf3a
    • Instruction ID: 232eafdfae77053120a0b86ef417a246b24e2f133d68ffc3913edb949d3686fc
    • Opcode Fuzzy Hash: 29acebede4ffef52afcf4cb321a2c0fadb0bea7ec43c236148de1f497499bf3a
    • Instruction Fuzzy Hash: 2111D263E19645EAEB148F15D4406AD77B1EB80BE1F548135C66B433C0CB7CD9D5C750
    APIs
      • Part of subcall function 00007FF8A8CF1AE0: GetLastError.KERNEL32 ref: 00007FF8A8CF1AEF
      • Part of subcall function 00007FF8A8CF1AE0: FlsGetValue.KERNEL32(?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF,?,?,00000000,00007FF8A8CFA467), ref: 00007FF8A8CF1B04
      • Part of subcall function 00007FF8A8CF1AE0: SetLastError.KERNEL32 ref: 00007FF8A8CF1B8F
    • GetLocaleInfoW.KERNEL32 ref: 00007FF8A8D0066B
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: ErrorLast$InfoLocaleValue
    • String ID:
    • API String ID: 3796814847-0
    • Opcode ID: fc316f5334a48822319b52b41a92732d6b32bcac2658ba858a3f08bdc4111b7b
    • Instruction ID: 497e0568eb02521153ac439e51ad9393e6777b982df2eadaa2c94d734ec92a48
    • Opcode Fuzzy Hash: fc316f5334a48822319b52b41a92732d6b32bcac2658ba858a3f08bdc4111b7b
    • Instruction Fuzzy Hash: CC115732F09652A3E774D721A040A7A22B2EB847E4F904232D67F076C0EF2EDC848754
    APIs
      • Part of subcall function 00007FF8A8CF1AE0: GetLastError.KERNEL32 ref: 00007FF8A8CF1AEF
      • Part of subcall function 00007FF8A8CF1AE0: FlsGetValue.KERNEL32(?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF,?,?,00000000,00007FF8A8CFA467), ref: 00007FF8A8CF1B04
      • Part of subcall function 00007FF8A8CF1AE0: SetLastError.KERNEL32 ref: 00007FF8A8CF1B8F
    • EnumSystemLocalesW.KERNEL32 ref: 00007FF8A8D001CA
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: ErrorLast$EnumLocalesSystemValue
    • String ID:
    • API String ID: 3029459697-0
    • Opcode ID: ff3c5d8623afd77e1a4cc653ed07a0af70c0478e52368bcd111c3b0e784537ce
    • Instruction ID: 7e1d9e01425ef243b323c3d21d53834cda6d63d68ffdcd4b64f19b4989d518c0
    • Opcode Fuzzy Hash: ff3c5d8623afd77e1a4cc653ed07a0af70c0478e52368bcd111c3b0e784537ce
    • Instruction Fuzzy Hash: 2A01F562F09285E6E7504F65E8407B972B1EB40BE5F448232C67B876C5CF7C9C88C715
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: EnumLocalesSystem
    • String ID:
    • API String ID: 2099609381-0
    • Opcode ID: 4d4cfdb44a8a05a12b68b6fb340a167b7715be251c9b9b0d81806b34e9d2018c
    • Instruction ID: 781ebc7d692867972c0f311efbac3b16abfacac8c8b550927526a450a7938f47
    • Opcode Fuzzy Hash: 4d4cfdb44a8a05a12b68b6fb340a167b7715be251c9b9b0d81806b34e9d2018c
    • Instruction Fuzzy Hash: AEF0AF72B09B41A3E744CB1AF8801A93365FB98BC0F548035DA5D83764DF3CD9A4C758
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: gfffffff
    • API String ID: 0-1523873471
    • Opcode ID: ddd10e14d676eb661ffe840562036d26f56b4c8ac47e7bd3126f509b4fb1b4d0
    • Instruction ID: 6a67c49158e4860ddc4b166f237982605d9c001dedc00b2e517e93224287016b
    • Opcode Fuzzy Hash: ddd10e14d676eb661ffe840562036d26f56b4c8ac47e7bd3126f509b4fb1b4d0
    • Instruction Fuzzy Hash: D3A14372B0A78697FB61CB25A1007AA7B91EB64BC4F048132DF8D47785EB7DD801CB14
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID: 0-3916222277
    • Opcode ID: e19a74d260b9e933013b91160c166006bd89bfcd802e199049d97720df723a01
    • Instruction ID: 6347e5d1c0531dfdeb0fb2042f53a45dce7376730efbfcf5bbffb9675c294f10
    • Opcode Fuzzy Hash: e19a74d260b9e933013b91160c166006bd89bfcd802e199049d97720df723a01
    • Instruction Fuzzy Hash: EDB1C07290AB859BE7A48F29D05027C3BA2F745F88F241135DB8D47399EF39D441CB68
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: ErrorHeapLast$AllocFree_invalid_parameter_noinfo
    • String ID:
    • API String ID: 916656526-0
    • Opcode ID: 5b9c597c315e0bc86310b255111ac6f97584d0353bc0d81a98517ce5906018a0
    • Instruction ID: 74861ed13c665bcf91f6e0bfffcacb38714f75d398d32c5183a4d2a3cc1f01fd
    • Opcode Fuzzy Hash: 5b9c597c315e0bc86310b255111ac6f97584d0353bc0d81a98517ce5906018a0
    • Instruction Fuzzy Hash: E241D721B0B74362FBB09B2664517BAA680FF857C0F544535EE5D47787EF7CE8008A28
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: Window$CreateLongMessage$ObjectPostProcQuitSendStockText
    • String ID: 2$2$BUTTON$STATIC
    • API String ID: 2613234210-2439238762
    • Opcode ID: 9219920ad69d4b49e66e2dc67809d5cac3a8c6494cac8d3b17fd77651c4e6c35
    • Instruction ID: a831fe125342694c0cfe72d9342e0583fb3be654046ec7d4c15cf1e40ede99a2
    • Opcode Fuzzy Hash: 9219920ad69d4b49e66e2dc67809d5cac3a8c6494cac8d3b17fd77651c4e6c35
    • Instruction Fuzzy Hash: E9F18236A0AF42B5EB00DF64E8901B97BB0FB94388F504136DA9D93A64DF3CE159C718
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: Message$CreateWindow$BrushClassDispatchRegisterShowSolidTranslate
    • String ID: ---$rNXzopbtQUYLOXdQGmRCGjQ
    • API String ID: 1950154865-3696978436
    • Opcode ID: 009b02a6c5d3afd51c44db7bbc987ab48518e3a1341b40bd8d22f75391f10e8e
    • Instruction ID: a9860b348b5f3ec975f439ee2725b17917ecb6dc12b1e723b0b86ae2ee761da8
    • Opcode Fuzzy Hash: 009b02a6c5d3afd51c44db7bbc987ab48518e3a1341b40bd8d22f75391f10e8e
    • Instruction Fuzzy Hash: 62419232E19BC192E7608F20F8443AA73A4FB98784F519239DADC43A14EF3CD498C714
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 459529453-1866435925
    • Opcode ID: 6ba7701d1d31b35c6b2d9668cabe9545bb17f0ba580381d99343dccb99043724
    • Instruction ID: c7112053c10892be21062a54ff44aa4dbaf21a78531082044f28802cd9a0e431
    • Opcode Fuzzy Hash: 6ba7701d1d31b35c6b2d9668cabe9545bb17f0ba580381d99343dccb99043724
    • Instruction Fuzzy Hash: 78919C2260AB82A2EF54DB15D0403BA7BA1FB90BC4F558136DB5D437A5DF3CE445CB18
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID: f$f$p$p$f
    • API String ID: 3215553584-1325933183
    • Opcode ID: bd88f8beba8490965af4e5e6ef91090dde9fa4eb1c224f68e899d4b857dae106
    • Instruction ID: ed97758c5b4cf0f15847b2f5f3cc96454911ade9608733389b1ab7f0b3c1beb2
    • Opcode Fuzzy Hash: bd88f8beba8490965af4e5e6ef91090dde9fa4eb1c224f68e899d4b857dae106
    • Instruction Fuzzy Hash: DC128562E0E143A7FBA05E35E054679B695FB407D4F8C4136E69946AC4EF3DF8408F28
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: std::_$Concurrency::cancel_current_taskLockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
    • String ID: bad locale name$false$true
    • API String ID: 461674175-1062449267
    • Opcode ID: ec133a3e27bb3aeb9d7bc48e0420baf463c803605851608ac16670e36e60c699
    • Instruction ID: f840533d75aef3146122e4b277d0b6f2ffdb52b6f4983281f7cecf8e6d7076bb
    • Opcode Fuzzy Hash: ec133a3e27bb3aeb9d7bc48e0420baf463c803605851608ac16670e36e60c699
    • Instruction Fuzzy Hash: 4A516C22B0BB41AAFB51DBB0D4502BC33B4EF44788F041035DA0D27A9ADF3CA51AD768
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: Message$Window$ClassCreateDispatchRegisterShowTranslate
    • String ID: Tic-Tac-Toe
    • API String ID: 4062082325-2776626656
    • Opcode ID: b8e468a7aeb67049550189006064394caf8ac1ea3d89a824fdf7737fa5eb7fa5
    • Instruction ID: 3aab7d621761c33d2161d127384e45829f920ad5202d7cfde0fe103eb8fdd6ad
    • Opcode Fuzzy Hash: b8e468a7aeb67049550189006064394caf8ac1ea3d89a824fdf7737fa5eb7fa5
    • Instruction Fuzzy Hash: 8A519E32A19B8192EB508F25F44436A73A0FB98BD4F659235EBAC43B54EF3CD494CB14
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: Message$Window$ClassCreateDispatchRegisterShowTranslate
    • String ID: DrdbuRKZAmRmVfqWqLhbpOqiam
    • API String ID: 4062082325-1758281807
    • Opcode ID: f07a5d31a11781177198bd0ea3bbd170b8d512878ca6e4a7bcbe5eec812a54a8
    • Instruction ID: 516152990bb86a404219ef4962176cde0b32eed8fc96bb1b522a40819d1e732a
    • Opcode Fuzzy Hash: f07a5d31a11781177198bd0ea3bbd170b8d512878ca6e4a7bcbe5eec812a54a8
    • Instruction Fuzzy Hash: 9E419432A18BD192E750CF25F4443AA77A4FB98784F519239DADC43A14DF7DD488CB14
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
    • API String ID: 667068680-1247241052
    • Opcode ID: f7c21701637f17b8e131574854bbcb6f546078e9ff80943e511c12995a62fc34
    • Instruction ID: b0d77a2ebb2c9d4c932cd7cb0738ab38dead631b2f72bf6d3f90b97c9f9ae9f3
    • Opcode Fuzzy Hash: f7c21701637f17b8e131574854bbcb6f546078e9ff80943e511c12995a62fc34
    • Instruction Fuzzy Hash: EEF06C65E0BE07A1EA049BA2BC4506533A5FB587D2F441035C96E47B24EF7CAA9D8328
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
    • String ID: csm$csm$csm
    • API String ID: 849930591-393685449
    • Opcode ID: a57c5733f0297abdc43939f5b3925cf0713f31b437a1c0423a645d06577e659c
    • Instruction ID: 5afb06e9318c9ed1ccba177f72d5494b74ae93f4e797c06114aebb245e5e77c6
    • Opcode Fuzzy Hash: a57c5733f0297abdc43939f5b3925cf0713f31b437a1c0423a645d06577e659c
    • Instruction Fuzzy Hash: 46D1A232A09B81A6EBB0AB25D4413AD37A0FB457D8F100135EE4D57B95DF38E081CF64
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: AddressFreeLibraryProc
    • String ID: api-ms-$ext-ms-
    • API String ID: 3013587201-537541572
    • Opcode ID: 97fc623ba760c46ca8cbac2650774a2c1285e0fdb078f4b17f80943ff4186c07
    • Instruction ID: f6f1062729d4cdb1a3f3629d4bb343e29a13f66b5fd9e288b0e9dec2a6bfcf3d
    • Opcode Fuzzy Hash: 97fc623ba760c46ca8cbac2650774a2c1285e0fdb078f4b17f80943ff4186c07
    • Instruction Fuzzy Hash: 6141E421B1BB12A2FB95CB16A8045756391FF48BE0F498135DD2D87B84EF7CEC458B28
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID: f$p$p
    • API String ID: 3215553584-1995029353
    • Opcode ID: f700c26392ed159dd1e688922b48ff9606fb20e8ccb41c411375879c8e83c523
    • Instruction ID: f00bb7f39d228c141d5a79916740e664708c27c6d73dd561398ae6f987c0d5a4
    • Opcode Fuzzy Hash: f700c26392ed159dd1e688922b48ff9606fb20e8ccb41c411375879c8e83c523
    • Instruction Fuzzy Hash: 2612C761E0E343A6FBA59B15E0546B97261FB40BD0F848136E6C9476C4DFBCED808F28
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID:
    • API String ID: 3215553584-0
    • Opcode ID: 1192117584a6658d556f2f61e862d1f137a2a8fb5a17f6bcb4e618e1be8af7d8
    • Instruction ID: d7c3b862c74cd9c235bf07c4cb081a04d4433350f0b2fa2ff2273f545ccf6400
    • Opcode Fuzzy Hash: 1192117584a6658d556f2f61e862d1f137a2a8fb5a17f6bcb4e618e1be8af7d8
    • Instruction Fuzzy Hash: 13C1A032A0E78662FBA19B1594402B97BA4EB91BC0F154131DA4F07791DFBCEC4DCB29
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: LineMovePixelText
    • String ID: Select item!$VUUU
    • API String ID: 535896401-3701233967
    • Opcode ID: d1ea6d91110bc69d0d03b4030b8fdd93cc7612b3507bf5482a221e1f80c60c81
    • Instruction ID: 373ec24b49e45b1c80a7c4802055729fa6d8323819d724698c21c19727cdba9a
    • Opcode Fuzzy Hash: d1ea6d91110bc69d0d03b4030b8fdd93cc7612b3507bf5482a221e1f80c60c81
    • Instruction Fuzzy Hash: D951B172B16642ABE754CF28EC455387BA2FB94791F088235D91C837A4DF3CF4498B28
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: std::_$Lockit$GetctypeGetwctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
    • String ID: bad locale name
    • API String ID: 1386471777-1405518554
    • Opcode ID: 876c5c07f0dfddca757201a259639ad27c12e0dbe48766269de41d92c025202d
    • Instruction ID: adb01c0918f1445a286b561c22a2d81c98438d1e1a07ba16bce9908205051f4a
    • Opcode Fuzzy Hash: 876c5c07f0dfddca757201a259639ad27c12e0dbe48766269de41d92c025202d
    • Instruction Fuzzy Hash: 08519C22B4AB419AFB54DBB0D4502BC33B0EF54788F045136DE8E27A66DF38D656C728
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: Library$Load$AddressErrorFreeLastProc
    • String ID: api-ms-
    • API String ID: 2559590344-2084034818
    • Opcode ID: 10c6b30a03ab51869d9be21378d837f0c6a4f64022869857aae0d9f58c520df7
    • Instruction ID: ec6f091bf78c6521ff0ff61bf11c5e76c1498a75a575eeaafee84937c9643b61
    • Opcode Fuzzy Hash: 10c6b30a03ab51869d9be21378d837f0c6a4f64022869857aae0d9f58c520df7
    • Instruction Fuzzy Hash: FF31D021B1BA46B2EF959B02A40053923D4FF44BE2F490536ED6E47B80FF3CE5548B28
    APIs
    • GetLastError.KERNEL32 ref: 00007FF8A8CF1AEF
    • FlsGetValue.KERNEL32(?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF,?,?,00000000,00007FF8A8CFA467), ref: 00007FF8A8CF1B04
    • FlsSetValue.KERNEL32(?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF,?,?,00000000,00007FF8A8CFA467), ref: 00007FF8A8CF1B25
    • FlsSetValue.KERNEL32(?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF,?,?,00000000,00007FF8A8CFA467), ref: 00007FF8A8CF1B52
    • FlsSetValue.KERNEL32(?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF,?,?,00000000,00007FF8A8CFA467), ref: 00007FF8A8CF1B63
    • FlsSetValue.KERNEL32(?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF,?,?,00000000,00007FF8A8CFA467), ref: 00007FF8A8CF1B74
    • SetLastError.KERNEL32 ref: 00007FF8A8CF1B8F
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: Value$ErrorLast
    • String ID:
    • API String ID: 2506987500-0
    • Opcode ID: 857dd6ae468bbad93605dc4e0b8a01766e9b5b4d7da6d8a56f835f8e635d7030
    • Instruction ID: 680c4f9f642870c9dfdbaa44bed3550051bb9da75d34703b3ea9300cb4708aa7
    • Opcode Fuzzy Hash: 857dd6ae468bbad93605dc4e0b8a01766e9b5b4d7da6d8a56f835f8e635d7030
    • Instruction Fuzzy Hash: 7E219F20F0F342A6FB9A673196410796166DF447F0F544736E97E07AD6EFACBC018A28
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
    • String ID: CONOUT$
    • API String ID: 3230265001-3130406586
    • Opcode ID: d0030d8caad587eca28f4323b702c28a29e3187b2076268a7bbbdcca48d4a3cd
    • Instruction ID: 7277770a1451d2b003b9551ef837cbb8292f1e75d68c8e38b11740eec9682edc
    • Opcode Fuzzy Hash: d0030d8caad587eca28f4323b702c28a29e3187b2076268a7bbbdcca48d4a3cd
    • Instruction Fuzzy Hash: 8A11B932B19E4196E7909B52F84432976B0FB88FE4F044234D96E47B94CF3CD9488758
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: ByteCharMultiStringWide
    • String ID:
    • API String ID: 2829165498-0
    • Opcode ID: 870b1588ad4967475c3f73698e0ee68dc3e35d41cde4b4cfffca67e3f3620e85
    • Instruction ID: d63aa325557b71824d7791954e86c7b34480a260599cac7d3463f8a6b10c5fef
    • Opcode Fuzzy Hash: 870b1588ad4967475c3f73698e0ee68dc3e35d41cde4b4cfffca67e3f3620e85
    • Instruction Fuzzy Hash: 4A818E72A0AB8196FBA09F25E44027972E5FF44BE8F144235EA5D47BD9DF3CD4048B28
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID:
    • API String ID: 3215553584-0
    • Opcode ID: 1d41c85ea17e635d4c795f0af5410a9ffd725cbed65f85ec54d0f9917ccebbcb
    • Instruction ID: 291697a51f0a97664d42cdfe531f4185a9817455fad5a1b76a1671d24f3c2efd
    • Opcode Fuzzy Hash: 1d41c85ea17e635d4c795f0af5410a9ffd725cbed65f85ec54d0f9917ccebbcb
    • Instruction Fuzzy Hash: BA617062D0A61692EBB1AF25D45027D32A0EF40BE4F448231DABD073D5FF3CA551CB29
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: AcquireExclusiveLock$CurrentThreadsys_get_time
    • String ID:
    • API String ID: 184115430-0
    • Opcode ID: ac6f951a1fba4e0acb35111ae286a32a8ebdbbfc77d014690f5aa6a9856d0c18
    • Instruction ID: e4f2d11790cc08aaef929f7dd6b5b9db6300d8a5a6780484726a222a32d44a5e
    • Opcode Fuzzy Hash: ac6f951a1fba4e0acb35111ae286a32a8ebdbbfc77d014690f5aa6a9856d0c18
    • Instruction Fuzzy Hash: BF411C32E1AA46A6F7B4AF11E44067973A0FB14BC4F408035DA4D43A9AEF3DE855CF24
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
    • String ID:
    • API String ID: 2081738530-0
    • Opcode ID: 688c1808ff0813fcdb04ec916fba38c536cc7cb958f7b77c7c2438a94edd0190
    • Instruction ID: 7a958e630e7593617104a8d140f9f603032c1693403d2e999716b58308a53ff0
    • Opcode Fuzzy Hash: 688c1808ff0813fcdb04ec916fba38c536cc7cb958f7b77c7c2438a94edd0190
    • Instruction Fuzzy Hash: 1C31B521A0BA42A5EB95AB56E44427A7361FB94BE0F0C1131DE6D07396EF3CE445CB28
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
    • String ID:
    • API String ID: 2081738530-0
    • Opcode ID: 3589646cad12e8db90866b881a590efe36a4514bec863cf5c4dae8f86537ad5c
    • Instruction ID: 7d20a71b358fcfa62780bd3fbd409d958519bbcc2da1781d570e37dac43eb4c1
    • Opcode Fuzzy Hash: 3589646cad12e8db90866b881a590efe36a4514bec863cf5c4dae8f86537ad5c
    • Instruction Fuzzy Hash: CB31E721A0BA42B4EB95AB56E8401797760FB54BE4F181132DE6D073A5EF3CF445CB28
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
    • String ID:
    • API String ID: 2081738530-0
    • Opcode ID: a5b7a5b960e510b87638f50d6f5ec5cc860555bdcd8df0e5c854d4617218ea30
    • Instruction ID: 1cb53e840ec8958db7b6fdf9a9fb0342bfd17a848e66a37da11c51354e402237
    • Opcode Fuzzy Hash: a5b7a5b960e510b87638f50d6f5ec5cc860555bdcd8df0e5c854d4617218ea30
    • Instruction Fuzzy Hash: 7B318122A0AA42A1EB55AB56E4401B97361FB54BE0F081132DE5D076E5EF3CE446CB28
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
    • String ID:
    • API String ID: 2081738530-0
    • Opcode ID: cc78591e807420e7f80e0d6a8a1650df190cfc765cfd21404d7f062303ed0b3b
    • Instruction ID: 9048525ec19a06a155341f2a76599168f0d8affdc697cbf576850ce339c40e04
    • Opcode Fuzzy Hash: cc78591e807420e7f80e0d6a8a1650df190cfc765cfd21404d7f062303ed0b3b
    • Instruction Fuzzy Hash: E331C422B0BA42A1EB55AF16E4401B96360FF54BE0F681232DE5D072E5DF7CF445CB28
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: std::_$Lockit$Lockit::_$Lockit::~_$Concurrency::cancel_current_taskFacet_GetctypeLocinfo::_Locinfo_ctorRegister
    • String ID:
    • API String ID: 4099083548-0
    • Opcode ID: a3b1ea730c27047820d97ba934118c9530d28576287d458e2a275888589a76c4
    • Instruction ID: 76bf95bf291a760eba6865069d5399d707c74232fd6293947ea4637b8aa73695
    • Opcode Fuzzy Hash: a3b1ea730c27047820d97ba934118c9530d28576287d458e2a275888589a76c4
    • Instruction Fuzzy Hash: 7531E422A0BB02A4EF55AB16E4001B96360FF54BE0F581132EE6D07795DF3CE446CB28
    APIs
    Strings
    Similarity
    • API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
    • String ID: csm$csm$csm
    • API String ID: 3523768491-393685449
    • Opcode ID: cd998ecf83787344d6d57b2e8e34777b70312e09df4cd28f488d01d51a409032
    • Instruction ID: 6216dc0d3eb37d62fa9999cbee60ba1db5fc867aaf3f00057e87f66978883f0b
    • Opcode Fuzzy Hash: cd998ecf83787344d6d57b2e8e34777b70312e09df4cd28f488d01d51a409032
    • Instruction Fuzzy Hash: 2EE1B1339197829AE7A0AF74E4803AD37A0FB45788F144235EE8D57696DF38E485CF24
    APIs
    • GetLastError.KERNEL32 ref: 00007FF8A8CF1C67
    • FlsSetValue.KERNEL32(?,?,0000F171EEE597FD,00007FF8A8CE78F5,?,?,?,?,00007FF8A8CFBBD2,?,?,00000000,00007FF8A8CFDA37,?,?,?), ref: 00007FF8A8CF1C9D
    • FlsSetValue.KERNEL32(?,?,0000F171EEE597FD,00007FF8A8CE78F5,?,?,?,?,00007FF8A8CFBBD2,?,?,00000000,00007FF8A8CFDA37,?,?,?), ref: 00007FF8A8CF1CCA
    • FlsSetValue.KERNEL32(?,?,0000F171EEE597FD,00007FF8A8CE78F5,?,?,?,?,00007FF8A8CFBBD2,?,?,00000000,00007FF8A8CFDA37,?,?,?), ref: 00007FF8A8CF1CDB
    • FlsSetValue.KERNEL32(?,?,0000F171EEE597FD,00007FF8A8CE78F5,?,?,?,?,00007FF8A8CFBBD2,?,?,00000000,00007FF8A8CFDA37,?,?,?), ref: 00007FF8A8CF1CEC
    • SetLastError.KERNEL32 ref: 00007FF8A8CF1D07
    Similarity
    • API ID: Value$ErrorLast
    • String ID:
    • API String ID: 2506987500-0
    • Opcode ID: ccff1b6e7af4efc1ff6f0fb53b064a59784b2e3ef3385a4342d3d0536dd7ee7b
    • Instruction ID: 687e688bd1e4580c1165e1aae41b3c8318db0abcbe0f6313c4b82142442d8c0c
    • Opcode Fuzzy Hash: ccff1b6e7af4efc1ff6f0fb53b064a59784b2e3ef3385a4342d3d0536dd7ee7b
    • Instruction Fuzzy Hash: 67116D20A0E74266FB9A6731965107D6162DF447F0F444735E97E076C6DFACBC418A28
    APIs
    Strings
    Similarity
    • API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
    • String ID: bad locale name
    • API String ID: 2967684691-1405518554
    • Opcode ID: 8ebb51b68edc8fbfb6b107f62c8b71a3969884543b0da0cdd1b56512695ae9ee
    • Instruction ID: c1f24ae4ed64772f3de59413cbff201958c13a6767898ef104ff7128918d7abc
    • Opcode Fuzzy Hash: 8ebb51b68edc8fbfb6b107f62c8b71a3969884543b0da0cdd1b56512695ae9ee
    • Instruction Fuzzy Hash: 22415C22B4AB41AAFB54DBA0D4502BC33B4EF50788F044135DE8E27A66DF38D616D768
    APIs
    Strings
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: d99bd8ee00ff6105bcf3b501a447d1bf755b703062cac04a2c2c1c2cf8808a5e
    • Instruction ID: fdc28c72f0c685c1921d6d6c231950e5fb5a79a160d57cf0f315330c42165355
    • Opcode Fuzzy Hash: d99bd8ee00ff6105bcf3b501a447d1bf755b703062cac04a2c2c1c2cf8808a5e
    • Instruction Fuzzy Hash: D0F0C221A1AB02A2EB608B60E4443393320FF857E1F540335CA7E479F4DF2CD44C8728
    APIs
    Similarity
    • API ID: AdjustPointer
    • String ID:
    • API String ID: 1740715915-0
    • Opcode ID: 3b14401f1d24da845fc12eb2abcdb345bc54c939596358003427015d7317b9f3
    • Instruction ID: 7994b98a5cdd794f4df39a16a79e156cb3ef29094efdfbffe17e2f1a5a95930f
    • Opcode Fuzzy Hash: 3b14401f1d24da845fc12eb2abcdb345bc54c939596358003427015d7317b9f3
    • Instruction Fuzzy Hash: C3B18022E0BA86A2EBF5FB1594402796794EF44BC4F498435DE4D07B85EF2CF4428F68
    APIs
    Similarity
    • API ID: _set_statfp
    • String ID:
    • API String ID: 1156100317-0
    • Opcode ID: 3fbc25800faecc33b30323bbbeef3cb7006ba87b90b1465ce141c88b9fd7e87d
    • Instruction ID: 720e10faf136a0bfa8e176a36e3f0e5751a346755e8b80740405ecbf4bf98c3b
    • Opcode Fuzzy Hash: 3fbc25800faecc33b30323bbbeef3cb7006ba87b90b1465ce141c88b9fd7e87d
    • Instruction Fuzzy Hash: 7581291290AB4A65F7B28B34A80037AB750FF453D4F048331EE5E265D5DF7CAE958E28
    APIs
    Similarity
    • API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
    • String ID:
    • API String ID: 2067211477-0
    • Opcode ID: 47e31c65f1bbc7e141b058c85602d38e5bb3013e088a575c3e328602d13bcfc7
    • Instruction ID: 4fc769a328bb9b4f8b6079aa63c2d18cbe6eaa681831e52129eb6fc67252acd6
    • Opcode Fuzzy Hash: 47e31c65f1bbc7e141b058c85602d38e5bb3013e088a575c3e328602d13bcfc7
    • Instruction Fuzzy Hash: 17214126A0AB4196EF95DB56A410179B3A4FF88BD0F044531EE5D43B55FF3CE4448E28
    APIs
    Similarity
    • API ID: _set_statfp
    • String ID:
    • API String ID: 1156100317-0
    • Opcode ID: e65ba792651367d839098e214d5891407b2dde01c0b567b7a4e043ebbfca8b6f
    • Instruction ID: d6f091cea409879738b985b222e3d31c0017af36ca6d5a20013d5c79f1ee1ada
    • Opcode Fuzzy Hash: e65ba792651367d839098e214d5891407b2dde01c0b567b7a4e043ebbfca8b6f
    • Instruction Fuzzy Hash: FD11B222E4EA0365FBA41A28D5423751171EF543F0F180E34ED7FA72D69F6CB8488539
    APIs
    • FlsGetValue.KERNEL32(?,?,?,00007FF8A8CEC843,?,?,00000000,00007FF8A8CECADE,?,?,?,?,?,00007FF8A8CECA6A), ref: 00007FF8A8CF1D3F
    • FlsSetValue.KERNEL32(?,?,?,00007FF8A8CEC843,?,?,00000000,00007FF8A8CECADE,?,?,?,?,?,00007FF8A8CECA6A), ref: 00007FF8A8CF1D5E
    • FlsSetValue.KERNEL32(?,?,?,00007FF8A8CEC843,?,?,00000000,00007FF8A8CECADE,?,?,?,?,?,00007FF8A8CECA6A), ref: 00007FF8A8CF1D86
    • FlsSetValue.KERNEL32(?,?,?,00007FF8A8CEC843,?,?,00000000,00007FF8A8CECADE,?,?,?,?,?,00007FF8A8CECA6A), ref: 00007FF8A8CF1D97
    • FlsSetValue.KERNEL32(?,?,?,00007FF8A8CEC843,?,?,00000000,00007FF8A8CECADE,?,?,?,?,?,00007FF8A8CECA6A), ref: 00007FF8A8CF1DA8
    Similarity
    • API ID: Value
    • String ID:
    • API String ID: 3702945584-0
    • Opcode ID: 7dbb3450b63eae9e27429199406e35bbd369d1fd85ac0d7a54b61cb6c5435d82
    • Instruction ID: 1e8b02eef67bed8e43c633992b799725f86d3eefaa58874bf59cf594a6d7de5b
    • Opcode Fuzzy Hash: 7dbb3450b63eae9e27429199406e35bbd369d1fd85ac0d7a54b61cb6c5435d82
    • Instruction Fuzzy Hash: 1E116D20A0B30266FB9AA72196411B951A1DF443E0F448736E97E076D6DFACFC418A28
    APIs
    • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF), ref: 00007FF8A8CF1BC5
    • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF), ref: 00007FF8A8CF1BE4
    • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF), ref: 00007FF8A8CF1C0C
    • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF), ref: 00007FF8A8CF1C1D
    • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF8A8CFE43F,?,?,?,00007FF8A8CF5B5C,?,?,?,00007FF8A8CE6AAF), ref: 00007FF8A8CF1C2E
    Similarity
    • API ID: Value
    • String ID:
    • API String ID: 3702945584-0
    • Opcode ID: d0660a0f1034e5c86db3906b6a092c01fdd9d6a5f6b3de40c20e28e757d1fe1f
    • Instruction ID: ddc69c8dd9e3dd08b3e830cf962a2e5fd32e4f4937444a7a7bd224ce3712b213
    • Opcode Fuzzy Hash: d0660a0f1034e5c86db3906b6a092c01fdd9d6a5f6b3de40c20e28e757d1fe1f
    • Instruction Fuzzy Hash: E811E520A0F30766FBE9A63259121B91151DF453F0F594736E97E4B2C2EFADBC418A2C
    APIs
    Strings
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID: UTF-16LEUNICODE$UTF-8$ccs
    • API String ID: 3215553584-1196891531
    • Opcode ID: 915845266b07278843d14476af8accf3a9242bfd544fa4c4f06cdabb18268ce0
    • Instruction ID: c5320c8342b037515baee50915e2c43407dc42cfc234b43d9db4a12ff4d1a13e
    • Opcode Fuzzy Hash: 915845266b07278843d14476af8accf3a9242bfd544fa4c4f06cdabb18268ce0
    • Instruction Fuzzy Hash: 3781E5B2E0A702A6F7F44F25D10027876A0EF11BC8F558035DA1E67686DFADEC059F29
    APIs
    Strings
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID: UTF-16LEUNICODE$UTF-8$ccs
    • API String ID: 3215553584-1196891531
    • Opcode ID: 2900accc17767b47004165791334c8c2656d1002d31517106a608ccfcd86b884
    • Instruction ID: 1b3121cbb634548893c6ae7660b24374af7c4838dfc78d820a7d12276827329f
    • Opcode Fuzzy Hash: 2900accc17767b47004165791334c8c2656d1002d31517106a608ccfcd86b884
    • Instruction Fuzzy Hash: 6F81B031D0E342AAF7E54E288250339ABA4DF11FCCF659035CA4E476D5CBADAC418F29
    APIs
    Strings
    Similarity
    • API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
    • String ID: false$true
    • API String ID: 1173176844-2658103896
    • Opcode ID: 93f98cbde27453fada105594979917a3211b580dba95642924c6bae39e66bc6d
    • Instruction ID: fdfe5a1bb50654e9d474359c8bc6572556b1eaeb80991db4833282464bc41bd7
    • Opcode Fuzzy Hash: 93f98cbde27453fada105594979917a3211b580dba95642924c6bae39e66bc6d
    • Instruction Fuzzy Hash: DF817C22A1AB55A5E7509F31D8402ED33A8FF58788F541136EE4C43BAAEF38D516C718
    APIs
    Strings
    Similarity
    • API ID: CallEncodePointerTranslator
    • String ID: MOC$RCC
    • API String ID: 3544855599-2084237596
    • Opcode ID: b569d3447db880a9fe842ec23b1e0017c379c2e3bf5baa866ffdb1942574f170
    • Instruction ID: e6621c35215b9c3afeb21fcff9e96a716fbd1d610993d1fc9aec5747a6414e38
    • Opcode Fuzzy Hash: b569d3447db880a9fe842ec23b1e0017c379c2e3bf5baa866ffdb1942574f170
    • Instruction Fuzzy Hash: 5E91E173A19781AAE7A0DF64E8803AC7BA0FB447C8F14412AEA8D17B55DF38D195CF04
    APIs
    Strings
    Similarity
    • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
    • String ID: csm
    • API String ID: 2395640692-1018135373
    • Opcode ID: 33afe38945a20955fdf8ef0afdadbf6120213d1ec7f2dd44b80bd66a7a658075
    • Instruction ID: 0555d54e6ddf9a9056feca81e4b157f48e6edca8bdbcfe21e0745f9ad0689224
    • Opcode Fuzzy Hash: 33afe38945a20955fdf8ef0afdadbf6120213d1ec7f2dd44b80bd66a7a658075
    • Instruction Fuzzy Hash: CB51AF32B1A602ABDBA4AB15E444B7D7B91EB44BC8F108131EA5A47788DF7CE841CF14
    APIs
    Strings
    Similarity
    • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
    • String ID: csm$csm
    • API String ID: 3896166516-3733052814
    • Opcode ID: e53e02d4da1b8fcc3022176caf5c8005b0018bb1709bd2ab25dd314c1dc5ebf3
    • Instruction ID: aab1798d2b729496898242a28f5800a657b0c4de2ecb6f47f5233298af5ea921
    • Opcode Fuzzy Hash: e53e02d4da1b8fcc3022176caf5c8005b0018bb1709bd2ab25dd314c1dc5ebf3
    • Instruction Fuzzy Hash: 28517032929782AAEBB4AF2194443687790FB55BC8F184135DA5C47BC5CF3CE451CF19
    APIs
    Strings
    Similarity
    • API ID: CallEncodePointerTranslator
    • String ID: MOC$RCC
    • API String ID: 3544855599-2084237596
    • Opcode ID: f75104c90d0880faa7d239f8150f8767fd6504d0dc0a65f26f40e7659882db18
    • Instruction ID: feafbd44736ec3ce74da63aad2a28dfc94672cbc9f2733d0b0e8a3e91c484541
    • Opcode Fuzzy Hash: f75104c90d0880faa7d239f8150f8767fd6504d0dc0a65f26f40e7659882db18
    • Instruction Fuzzy Hash: B7616A32919B85A2E7B0AB15E4403AAB7A0FB85BD4F044225EB9C07B95DF7CE194CF14
    APIs
    Strings
    Similarity
    • API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
    • String ID: bad locale name
    • API String ID: 2775327233-1405518554
    • Opcode ID: 90bb29b19f397d9574f0422178b49b5a055f2b7fb69bd66d1a188d5b10bdb34e
    • Instruction ID: 2629e062a92ade4ca91d33ce83216d9cffbc9f1711d42740a21c53c11af2b695
    • Opcode Fuzzy Hash: 90bb29b19f397d9574f0422178b49b5a055f2b7fb69bd66d1a188d5b10bdb34e
    • Instruction Fuzzy Hash: 19417A22B4BB41E9EB90DFB0D4906BC33A4EF44B88F044434DA4D27A66DF38D525E728
    APIs
    Strings
    Similarity
    • API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
    • String ID: bad locale name
    • API String ID: 2775327233-1405518554
    • Opcode ID: d601af003ee976f260a2b2d557ae2174df99f675f084f16e0664ce349a18a30b
    • Instruction ID: cfa111a785eacc70abdbdb135aa967ef081418a575c5d826fdfaa4e862e61950
    • Opcode Fuzzy Hash: d601af003ee976f260a2b2d557ae2174df99f675f084f16e0664ce349a18a30b
    • Instruction Fuzzy Hash: 1F415A22B0BB41E9EB94DFB1D4902BC33A4EF44B88F045434DA4D27A66DF38D525E768
    APIs
    Strings
    Similarity
    • API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
    • String ID: bad locale name
    • API String ID: 2775327233-1405518554
    • Opcode ID: f1ec80df25ccc63fe603c551e41d73eda9f5ca246c7d53f20b1d5e60af5acbc3
    • Instruction ID: 385709a77e4a4f08ba81397ce26e9cdc725a824d2395386573610374426001a1
    • Opcode Fuzzy Hash: f1ec80df25ccc63fe603c551e41d73eda9f5ca246c7d53f20b1d5e60af5acbc3
    • Instruction Fuzzy Hash: 02415A22B0BB41E9EB94DFB0D4902BC33A4EF44B88F045435DA4D27A66DF38D525E728
    APIs
    Strings
    Similarity
    • API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
    • String ID: bad locale name
    • API String ID: 2775327233-1405518554
    • Opcode ID: d676d1a5f5036a4a2775917c1260807092c8d58341c7f08af7e6cb3ce0174704
    • Instruction ID: dcb2c23a733d7f0101d0f7ac62ab78c90b6d3f14ad429b4030d2de9537da05fd
    • Opcode Fuzzy Hash: d676d1a5f5036a4a2775917c1260807092c8d58341c7f08af7e6cb3ce0174704
    • Instruction Fuzzy Hash: 46414932A0BB41A9EB94DFB1D4902AC33A4EF44788F045035DA4D27A66DF3CD52AD728
    APIs
    Strings
    Similarity
    • API ID: Concurrency::cancel_current_task
    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 118556049-1866435925
    • Opcode ID: 6b2779f00f5e25c7f30cf7af6de196890ae05e5683497b11bf4ccc516a514937
    • Instruction ID: 625e63cc6b1170b1cbd4a328a1dca1e26102e22c4152f6a1529d59ff62405e48
    • Opcode Fuzzy Hash: 6b2779f00f5e25c7f30cf7af6de196890ae05e5683497b11bf4ccc516a514937
    • Instruction Fuzzy Hash: D2311272B0B785A1EFA4CB16D14423D6355EB44BE0F545A32DEAD03BC9EF2CE0818714
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: FileWrite$ConsoleErrorLastOutput
    • String ID:
    • API String ID: 2718003287-0
    • Opcode ID: a5ef64d0232171f952b5a704d49ee53f3497461c8923af6af9ff956ffe655c1d
    • Instruction ID: 0c5c5021ea334e4d5578192c03a1a12cc8d904ffbfd3198bed102b0a7a011189
    • Opcode Fuzzy Hash: a5ef64d0232171f952b5a704d49ee53f3497461c8923af6af9ff956ffe655c1d
    • Instruction Fuzzy Hash: 01D1EE32B1AB81AAE755CF79D4402AC37B1EB447D8F004225CE5D97B99DF78D806CB14
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: ConsoleErrorLastMode
    • String ID:
    • API String ID: 953036326-0
    • Opcode ID: bd01d13477098bd5ac74e21c00505615c7d739b28bd11513b9567d680d8de41e
    • Instruction ID: af598b6873cbf3c77750a8bc828865c022867b0cabe531d42d2820e37f5e758b
    • Opcode Fuzzy Hash: bd01d13477098bd5ac74e21c00505615c7d739b28bd11513b9567d680d8de41e
    • Instruction Fuzzy Hash: 8E91E372E1A751A5F790DF6594402BC3BA0FB45BC8F148139DE0E67A84DF78D886CB28
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID:
    • API String ID: 3215553584-0
    • Opcode ID: 24b4278172c0219c8071cb17fb1a9a43067f6a09c9cad2252f519b3e21e04990
    • Instruction ID: bf863539877917f374a784e469b0fd85fad92e86b4e5d892299a762ddaca95e5
    • Opcode Fuzzy Hash: 24b4278172c0219c8071cb17fb1a9a43067f6a09c9cad2252f519b3e21e04990
    • Instruction Fuzzy Hash: 60412E32D06A1292DBA16F25D45137932A0EF44FE0F458231DAAD077D4EF7CA5A1C72A
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
    • String ID:
    • API String ID: 2933794660-0
    • Opcode ID: f2cae15fbd5af55931b139ea01a2e06b06bc98229346be4766c181da96eb2c65
    • Instruction ID: 838dcaa90a67510775cc6ef2190a7f7b13248cd9a8c5ebdada5e0e3c32487ebd
    • Opcode Fuzzy Hash: f2cae15fbd5af55931b139ea01a2e06b06bc98229346be4766c181da96eb2c65
    • Instruction Fuzzy Hash: C7114822B16F059AEB009FA0E8542A833B4FB19798F040E31EA2D83BA4DF7CD5588350
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: __except_validate_context_record
    • String ID: csm$csm
    • API String ID: 1467352782-3733052814
    • Opcode ID: 04f05a41276eec4d6e2b0d995fadd8cbd3f911915ceab19830bd5b51da4ac79b
    • Instruction ID: cd3efc2381464ea654de2ab8102115379c83bc1b0d0a7b6430262f8e3ae35ae8
    • Opcode Fuzzy Hash: 04f05a41276eec4d6e2b0d995fadd8cbd3f911915ceab19830bd5b51da4ac79b
    • Instruction Fuzzy Hash: 0D71A13290A682E7DBA48F25D48077C7BA0FB45BC4F148135DE8C4BA99DB3CD491CB98
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: _get_daylight$_invalid_parameter_noinfo
    • String ID: ?
    • API String ID: 1286766494-1684325040
    • Opcode ID: 434ebc68563ae50297f718e842d597c87f847a56d49ba87040952414ad21e6ea
    • Instruction ID: b9459ffd7dd992bdfe3913d3f47228030ed9a2e2bbdd7a9b64ae12b1c90b2e93
    • Opcode Fuzzy Hash: 434ebc68563ae50297f718e842d597c87f847a56d49ba87040952414ad21e6ea
    • Instruction Fuzzy Hash: 1B415B12A1E38266FBA48725E80137A6650EF80BE4F108235EF5C07AD5DF7CD951CF14
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: CreateFrameInfo__except_validate_context_record
    • String ID: csm
    • API String ID: 2558813199-1018135373
    • Opcode ID: 82f6d9a556e8a4db2300196d5a2a1be1af8ad0f9d735eeaf5ee8ac932018ec2a
    • Instruction ID: 1c987f950bfa4363dd245dea28312e3e9361d2a5df223ca89e57dd3f0ded035b
    • Opcode Fuzzy Hash: 82f6d9a556e8a4db2300196d5a2a1be1af8ad0f9d735eeaf5ee8ac932018ec2a
    • Instruction Fuzzy Hash: 36515B36A1A741A7E7B0AB15B04026D7BA4F789BD0F000538EB8D07B56DF38E060CF58
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: ErrorFileLastWrite
    • String ID: U
    • API String ID: 442123175-4171548499
    • Opcode ID: 88f442af35c73a129e95aed70c42ea028d0ef0076ab66f28b504ac9d3be4b8cb
    • Instruction ID: 0bb3d83d759a134fac2f0e7d62261ff0bf5e075029227d592c5752b254a5c9ec
    • Opcode Fuzzy Hash: 88f442af35c73a129e95aed70c42ea028d0ef0076ab66f28b504ac9d3be4b8cb
    • Instruction Fuzzy Hash: 2C41B322B19B41A1EB609F65E4443BA67A0FB987D4F448031EE4D87758DF7CD845CB14
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2141513147.00007FF8A8C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A8C50000, based on PE: true
    • Associated: 00000000.00000002.2141497620.00007FF8A8C50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141571106.00007FF8A8D09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141586991.00007FF8A8D0A000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141663002.00007FF8A8D82000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2141677472.00007FF8A8D88000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff8a8c50000_loaddll64.jbxd
    Similarity
    • API ID: ExceptionFileHeaderRaise
    • String ID: csm
    • API String ID: 2573137834-1018135373
    • Opcode ID: fa3be1fed57cd062b70dc961ffe1b58c03bbefaec70538359738cc5712d8f966
    • Instruction ID: 97c58e012959e6d302307b81684ef65032fe13f3890f59587b121c99653a6cf4
    • Opcode Fuzzy Hash: fa3be1fed57cd062b70dc961ffe1b58c03bbefaec70538359738cc5712d8f966
    • Instruction Fuzzy Hash: B8115B32A09B8092EB619B25F4002697BE4FB88BC4F584234EBCD07B68DF3CC951CB14