
Windows Analysis Report
conhost[1].exe

Overview

General Information

Sample name:conhost[1].exe
Analysis ID:1417362
MD5:7417006ac4f38dbe0efd36647c3ebae4
SHA1:4c7e2524a6d7cd99be807b7bfa544517cfd594d4
SHA256:c43cf46192da061dd6169e55aac4d2d08a6c33c039a7dac0d88aa897661cbc87

Detection

Score:9
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Contains functionality for reading data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to modify clipboard data
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
  • System is w10x64
  • conhost[1].exe (PID: 6884 cmdline: "C:\Users\user\Desktop\conhost[1].exe" MD5: 7417006AC4F38DBE0EFD36647C3EBAE4)
    • cmd.exe (PID: 6948 cmdline: C:\Windows\system32\cmd.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: conhost[1].exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: conhost.pdbUGP source: conhost[1].exe
Source: Binary string: conhost.pdb source: conhost[1].exe
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E08C0390 OpenClipboard,EnableScrollBar
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E08C0360 SetClipboardData
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E087532C GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E08C0370 GetClipboardData
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E086E17C _Init_thread_footer,NtOpenFile,NtOpenFile
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E07FA4A0 GetWindowLongPtrW,NtdllDefWindowProc_W,SetWindowLongPtrW
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E07FA540 EnterCriticalSection,NtdllDefWindowProc_W,LeaveCriticalSection,GetWindowRect,IsRectEmpty,GetWindowLongW,SetDlgItemTextW,SetWindowPos,IsIconic,MonitorFromRect,SetWindowPos,FreeLibrary,NtdllDefWindowProc_W,GetSystemMetrics,SetActiveWindow,SendMessageTimeoutW,NotifyWinEvent
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E07FA43C WideCharToMultiByte,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E086E9E0 GetLastError,FreeLibrary,memset,NtdllDefWindowProc_W,RegisterClassW,CreateWindowExW,GetLastError
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E08771C8 RtlCreateUnicodeString,AlpcInitializeMessageAttribute,NtAlpcConnectPort,AlpcGetMessageAttribute,AlpcGetMessageAttribute,NtAlpcQueryInformationMessage,memset
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E08094D4 NtQueryVolumeInformationFile
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E0877A68 NtAlpcSendWaitReceivePort
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E08024C0 memset,DeviceIoControl,_Init_thread_footer,default_delete
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E08001E0
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E086A2D4
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E07FA540
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E07F4890
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E07F3840
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E07F4030
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E088A198
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E08625E0
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E0874554
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E088A910
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E0844964
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E084EB40
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E082ACA8
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E087EC6C
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E0874DE8
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E088AD80
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E07FCFA0
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E0801250
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E081728C
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E084D5C4
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E0883544
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E07FF690
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E087D7C4
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E07FD7F0
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E0801780
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E0809960
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E086FAF0
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E07FFCB0
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E0843FE0
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E0875F30
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E084E0F8
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: String function: 00007FF7E07F9A04 appears 387 times
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: String function: 00007FF7E08296D4 appears 68 times
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: String function: 00007FF7E082CFCC appears 159 times
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: String function: 00007FF7E082D614 appears 148 times
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: String function: 00007FF7E08132F8 appears 175 times
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: String function: 00007FF7E080F780 appears 54 times
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: String function: 00007FF7E07F61E4 appears 141 times
Source: conhost[1].exe | Binary or memory string: OriginalFilename vs conhost[1].exe
Source: conhost[1].exe, 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCONHOST.EXEj% vs conhost[1].exe
Source: conhost[1].exe, 00000000.00000000.1596244904.00007FF7E08C1000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCONHOST.EXEj% vs conhost[1].exe
Source: conhost[1].exe | Binary or memory string: OriginalFilenameCONHOST.EXEj% vs conhost[1].exe
Source: C:\Users\user\Desktop\conhost[1].exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\conhost[1].exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\conhost[1].exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\conhost[1].exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\conhost[1].exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\conhost[1].exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\conhost[1].exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\conhost[1].exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\conhost[1].exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\conhost[1].exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\conhost[1].exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
Source: conhost[1].exe | Binary string: \Device\ConDrv\Serveronecore\windows\core\console\open\src\server\winntcontrol.cpponecore\windows\core\console\open\src\interactivity\base\servicelocator.cpponecore\windows\core\console\open\src\interactivity\base\hostsignalinputthread.cppHost Signal Handler Threadonecore\windows\core\console\open\src\interactivity\win32\uiatextrange.cpponecore\windows\core\console\open\src\interactivity\win32\accessibilitynotifier.cpponecore\windows\core\console\open\src\interactivity\win32\windowmetrics.cpponecore\windows\core\console\open\src\interactivity\win32\systemconfigurationprovider.cpponecore\windows\core\console\open\src\interactivity\win32\window.cpponecore\windows\core\console\open\src\interactivity\win32\windowio.cpponecore\windows\core\console\open\src\interactivity\win32\icon.cpponecore\windows\core\console\open\src\interactivity\win32\windowuiaprovider.cpponecore\windows\core\console\open\src\interactivity\win32\windowproc.cpponecore\windows\core\console\open\src\interactivity\win32\clipboard.cpponecore\windows\core\console\open\src\interactivity\win32\screeninfouiaprovider.cpponecore\windows\core\console\open\src\types\viewport.cpponecore\windows\core\console\open\src\types\convert.cpponecore\windows\core\console\open\src\types\utils.cpp
Source: classification engine | Classification label: clean9.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E080C444 CoInitializeEx,CoCreateInstance,CoCreateInstance
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E0849608 FindResourceExW,LoadResource,LockResource,memmove
Source: C:\Users\user\Desktop\conhost[1].exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6884:120:WilError_03
Source: conhost[1].exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\conhost[1].exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: conhost[1].exe | String found in binary or memory: <!--StartFragment -->
Source: conhost[1].exeString found in binary or memory: Software\Microsoft\Windows\CurrentVersionPutInputInBuffer: EventsWritten != 1, 1 expectedInvalid EventType: 0x%xonecore\windows\core\console\open\src\host\misc.cpponecore\windows\core\console\open\src\host\output.cppinvalid array<T, N> subscript onecore\windows\core\console\open\src\host\convarea.cppInvalid screen buffer size (0x%x, 0x%x) onecore\windows\core\console\open\src\host\_output.cpponecore\windows\core\console\open\src\host\utils.cppStartEndUnknownTextUnit_CharacterTextUnit_FormatTextUnit_WordTextUnit_LineTextUnit_ParagraphTextUnit_PageTextUnit_DocumentUIA_AutomationFocusChangedEventIdNavigateDirection_FirstChildNavigateDirection_LastChildNavigateDirection_NextSiblingNavigateDirection_PreviousSiblingonecore\windows\core\console\open\src\host\registry.cpponecore\windows\core\console\open\src\host\ntprivapi.cppNtOpenProcessNtQueryInformationProcessNtCloseWriteCharsLegacy failed %xWriteCharsLegacy failed 0x%xonecore\windows\core\console\open\src\host\renderdata.cpponecore\windows\core\console\open\src\host\utf8towidecharparser.cpponecore\windows\core\console\open\src\host\conimeinfo.cpp"" invalid stoi argumentstoi argument out of rangeonecore\windows\core\console\open\src\host\commandnumberpopup.cpponecore\windows\core\console\open\src\host\commandlistpopup.cpp onecore\windows\core\console\open\src\host\exemain.cppConhostV1.dllConsoleCreateIoThreadonecore\windows\core\console\open\src\buffer\out\cursor.cpponecore\windows\core\console\open\src\buffer\out\textbuffer.cpp&lt;&gt;&amp;</TITLE></HEAD><BODY><!DOCTYPE><HTML><HEAD><TITLE><!--StartFragment --><DIV STYLE="display:inline-block;white-space:pre;background-color:;font-family:'',monospace;font-size:pt;padding:px;"><BR></SPAN><SPAN STYLE="color:</DIV><!--EndFragment --></BODY></HTML>Version:0.9
Source: unknown | Process created: C:\Users\user\Desktop\conhost[1].exe "C:\Users\user\Desktop\conhost[1].exe"
Source: C:\Users\user\Desktop\conhost[1].exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Users\user\Desktop\conhost[1].exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{529A9E6B-6587-4F23-AB9E-9C7D683E3C50}\InProcServer32
Source: conhost[1].exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: conhost[1].exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: conhost[1].exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: conhost[1].exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: conhost[1].exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: conhost[1].exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: conhost[1].exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: conhost[1].exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: conhost[1].exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: conhost[1].exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: conhost[1].exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: conhost[1].exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: conhost[1].exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E07F8448 IsIconic
Source: C:\Users\user\Desktop\conhost[1].exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_0-51297
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\conhost[1].exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E080CBF0 DelayLoadFailureHook,LdrResolveDelayLoadedAPI
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E07F9B68 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E0807F10 RegOpenKeyW,RegEnumValueW,GetProcessHeap,HeapAlloc,RegCloseKey,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E08103A0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E0810598 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E080F7A8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\conhost[1].exe | Code function: 0_2_00007FF7E081023C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
MITRE ATT&CK Matrix (tactic: techniques; the number in parentheses is the report's count of matching signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Command and Scripting Interpreter (2); Native API (1); At; Cron
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook
Defense Evasion: Process Injection (11); Deobfuscate/Decode Files or Information (1); DLL Side-Loading (1); Obfuscated Files or Information (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: System Time Discovery (1); Security Software Discovery (2); Application Window Discovery (1); System Information Discovery (2)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Archive Collected Data (1); Clipboard Data (3); Data from Network Shared Drive; Input Capture
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph (ID: 1417362, Sample: conhost[1].exe, Startdate: 29/03/2024, Architecture: WINDOWS, Score: 9)

  • conhost[1].exe started
    • cmd.exe started

Source | Detection | Scanner | Label
conhost[1].exe | 0% | Virustotal |
conhost[1].exe | 0% | ReversingLabs |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1417362
Start date and time:2024-03-29 04:22:14 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 2s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:conhost[1].exe
Detection:CLEAN
Classification:clean9.winEXE@3/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 72
  • Number of non-executed functions: 234
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
No simulations
No context
No created / dropped files found
File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):6.386413783874579
TrID:
  • Win64 Executable GUI (202006/5) 86.49%
  • Win 9x/ME Control Panel applet (15529/13) 6.65%
  • Win64 Executable (generic) (12005/4) 5.14%
  • Generic Win/DOS Executable (2004/3) 0.86%
  • DOS Executable Generic (2002/1) 0.86%
File name:conhost[1].exe
File size:867'328 bytes
MD5:7417006ac4f38dbe0efd36647c3ebae4
SHA1:4c7e2524a6d7cd99be807b7bfa544517cfd594d4
SHA256:c43cf46192da061dd6169e55aac4d2d08a6c33c039a7dac0d88aa897661cbc87
SHA512:eab3ed2a86b8f1e7126c18b18be5af8917aac3831a3ad60d9f529bd3dd658e1f75d99df2784e7a857c1db7023f4e5bdd489565de9ca99ab7f613f1a0e2d85eaf
SSDEEP:12288:Q+YOjiKiYObiKaoHY0VXb6DVaivm5z6guM77d8Y4ndUtO9FDbWt:Q+bWQsiho4mctguS76Yi9FHK
TLSH:71056C1EA6AC01E5D07EC17DC583CA2AF6B13C25037597CF01A0866E6F27BE95E3A750
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?]T.^3..^3..^3..&...^3..57..^3..50..^3..^2..[3..52..^3..5>.z^3..56..^3..5...^3..5...^3..51..^3.Rich.^3.........PE..d....6./...
Icon Hash:a43a7ac70101a5a0
Entrypoint:0x14001f750
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0x2FE436DC [Sun Jun 18 14:23:24 1995 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:10
OS Version Minor:0
File Version Major:10
File Version Minor:0
Subsystem Version Major:10
Subsystem Version Minor:0
Import Hash:0f64302d3280de299f4c51a78746f606
Instruction
dec eax
sub esp, 28h
call 00007F6BF87E4098h
dec eax
add esp, 28h
jmp 00007F6BF87E3423h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [000A2AF1h]
jne 00007F6BF87E35C5h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007F6BF87E35B5h
ret
dec eax
ror ecx, 10h
jmp 00007F6BF87E3624h
int3
int3
int3
int3
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
call dword ptr [0007F7B1h]
mov ecx, 00000001h
mov dword ptr [000A31BEh], eax
call 00007F6BF87E417Eh
xor ecx, ecx
call dword ptr [0007F7E1h]
dec eax
mov ecx, ebx
call dword ptr [0007F7D0h]
cmp dword ptr [000A31A1h], 00000000h
jne 00007F6BF87E35BCh
mov ecx, 00000001h
call 00007F6BF87E415Ah
call dword ptr [0007F9E7h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [0007FA1Bh]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000000h
Programming Language:
  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbd5a8 | 0x410 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd1000 | 0x86a0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xc6000 | 0x9780 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xda000 | 0xda0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa4260 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x9e190 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9d8f0 | 0x118 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9ef20 | 0xa60 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xbb960 | 0x6c0 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9a110 | 0x9a200 | 588b2a2d085d94144c118e4cb7c1eaa3 | False | 0.5159782415855637 | data | 6.321080305133317 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x24a2e | 0x24c00 | e78f73923a09ab0d82b2a189e644dbe8 | False | 0.40723984906462585 | data | 5.670522802031959 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc1000 | 0x48c0 | 0x1400 | d3b82b8c888dcccd330ac5f5c51f7682 | False | 0.2419921875 | data | 3.2355515818086236 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0xc6000 | 0x9780 | 0x9800 | 77080da1b3195a06bac061fb4d132dd8 | False | 0.5125925164473685 | data | 6.014363156387493 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0xd0000 | 0x608 | 0x800 | 110846e2e1631ae75d74b370ea6335cc | False | 0.22607421875 | data | 2.4846620841217035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd1000 | 0x86a0 | 0x8800 | 2d3696c9b9844c1d1aa277f6cd6b3323 | False | 0.2858455882352941 | data | 4.389595174659561 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xda000 | 0xda0 | 0xe00 | 77e7de05e8028492609a15f1395cbea6 | False | 0.365234375 | data | 5.413625264843202 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
MUI | 0xd95c8 | 0xd8 | data | English | United States | 0.5416666666666666
RT_ICON | 0xd19b0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.21097560975609755
RT_ICON | 0xd2018 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.2647849462365591
RT_ICON | 0xd2300 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.3783783783783784
RT_ICON | 0xd2428 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.11567164179104478
RT_ICON | 0xd32d0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.18592057761732853
RT_ICON | 0xd3b78 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.08236994219653179
RT_ICON | 0xd40e0 | 0x169e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.968048359240069
RT_ICON | 0xd5780 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.06130705394190871
RT_ICON | 0xd7d28 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.1177298311444653
RT_ICON | 0xd8dd0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.09308510638297872
RT_GROUP_ICON | 0xd9238 | 0x92 | data | English | United States | 0.636986301369863
RT_VERSION | 0xd1620 | 0x38c | data | English | United States | 0.4592511013215859
RT_MANIFEST | 0xd1380 | 0x29d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5246636771300448
RT_MANIFEST | 0xd92d0 | 0x2f4 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.47883597883597884
DLL | Import
Imports by DLL (DLL: imported symbols)
msvcp_win.dll: ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?width@ios_base@std@@QEBA_JXZ, ?width@ios_base@std@@QEAA_J_J@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?good@ios_base@std@@QEBA_NXZ, ?uncaught_exception@std@@YA_NXZ, ?flags@ios_base@std@@QEBAHXZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z, ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?_Xlength_error@std@@YAXPEBD@Z, ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ, ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z, ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z, ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z, ?_Xout_of_range@std@@YAXPEBD@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z, ?tellp@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ?setf@ios_base@std@@QEAAHHH@Z, ?setf@ios_base@std@@QEAAHH@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@F@Z, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ?_Xbad_function_call@std@@YAXXZ, ?_Xinvalid_argument@std@@YAXPEBD@Z, ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z, _Mtx_destroy_in_situ, _Mtx_unlock, ?_Throw_C_error@std@@YAXH@Z, _Mtx_lock, _Mtx_init_in_situ, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
api-ms-win-crt-time-l1-1-0.dll: _time64
api-ms-win-crt-runtime-l1-1-0.dll: _register_thread_local_exe_atexit_callback, _initterm, _c_exit, _initterm_e
api-ms-win-crt-private-l1-1-0.dll: _o__get_wide_winmain_command_line, _o__initialize_onexit_table, _o__initialize_wide_environment, _o__invalid_parameter_noinfo, _o__invalid_parameter_noinfo_noreturn, _o__itoa_s, _o__purecall, _o__register_onexit_function, _o__seh_filter_exe, _o__set_app_type, _o__set_fmode, _o__set_new_mode, memmove, _o__wcsicmp, _o__wcsnicmp, _o_calloc, _o_exit, _o_floor, _o_free, _o_iswdigit, _o_iswspace, _o_malloc, _o_roundf, _o_sqrt, _o_terminate, _o_towlower, _o_towupper, _o_wcscpy_s, _o_wcstol, _o_wcstoul, __C_specific_handler, __CxxFrameHandler3, _CxxThrowException, _o__exit, _o__errno, _o__crt_atexit, _o__configure_wide_argv, _o__configthreadlocale, _o__cexit, _o__callnewh, _o___stdio_common_vswprintf_s, _o___stdio_common_vswprintf, _o___stdio_common_vsprintf_s, _o___stdio_common_vsprintf, _o___stdio_common_vsnwprintf_s, _o___stdio_common_vsnprintf_s, _o___std_exception_destroy, _o___std_exception_copy, _o___p__commode, __std_terminate, __CxxFrameHandler4, memcmp, memcpy, wcschr
api-ms-win-crt-string-l1-1-0.dll: wcsncmp, wcsnlen, memset, wcscmp
api-ms-win-core-libraryloader-l1-2-0.dll: LockResource, LoadResource, GetProcAddress, FindResourceExW, LoadLibraryExW, LoadStringW, GetModuleHandleW, FreeLibrary, GetModuleFileNameW, GetModuleFileNameA, GetModuleHandleExW
api-ms-win-core-synch-l1-1-0.dll: ResetEvent, CreateEventW, InitializeCriticalSectionAndSpinCount, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, WaitForSingleObject, AcquireSRWLockShared, LeaveCriticalSection, TryEnterCriticalSection, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, WaitForSingleObjectEx, OpenSemaphoreW, ReleaseSemaphore, InitializeCriticalSectionEx, CreateSemaphoreExW, CreateMutexExW, SetEvent, CreateEventExW, ReleaseMutex, ReleaseSRWLockShared
api-ms-win-core-heap-l1-1-0.dll: GetProcessHeap, HeapAlloc, HeapFree
api-ms-win-core-errorhandling-l1-1-0.dll: UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetLastError, SetLastError
api-ms-win-core-processthreads-l1-1-0.dll: GetProcessTimes, DeleteProcThreadAttributeList, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, GetStartupInfoW, GetCurrentProcess, CreateProcessW, GetCurrentThread, GetCurrentThreadId, OpenProcessToken, CreateThread, ExitThread, SetProcessShutdownParameters, GetCurrentProcessId, TerminateProcess, ExitProcess
api-ms-win-core-localization-l1-2-0.dll: FormatMessageW, GetOEMCP, GetCPInfo, GetUserDefaultLocaleName, IsValidCodePage, GetACP
api-ms-win-core-debug-l1-1-0.dll: OutputDebugStringW, IsDebuggerPresent, OutputDebugStringA, DebugBreak
api-ms-win-core-handle-l1-1-0.dll: DuplicateHandle, CloseHandle
api-ms-win-core-threadpool-legacy-l1-1-0.dll: CreateTimerQueueTimer, CreateTimerQueue, DeleteTimerQueueEx, DeleteTimerQueueTimer
api-ms-win-core-file-l1-1-0.dll: ReadFile, WriteFile
api-ms-win-core-sidebyside-l1-1-0.dll: CreateActCtxW
api-ms-win-core-processenvironment-l1-1-0.dll: SearchPathW, GetCommandLineW, SetEnvironmentVariableW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, GetStdHandle
api-ms-win-core-registry-l1-1-0.dll: RegOpenKeyExW, RegEnumValueW, RegCloseKey, RegGetValueW, RegQueryValueExW, RegOpenCurrentUser
api-ms-win-core-string-l1-1-0.dll: MultiByteToWideChar, WideCharToMultiByte, CompareStringOrdinal, GetStringTypeW
api-ms-win-core-threadpool-l1-2-0.dll: CloseThreadpoolTimer, WaitForThreadpoolTimerCallbacks, CreateThreadpoolTimer, SetThreadpoolTimer
api-ms-win-core-sysinfo-l1-1-0.dll: GetSystemTimeAsFileTime, GetWindowsDirectoryW, GetSystemDirectoryW
api-ms-win-eventing-provider-l1-1-0.dll: EventUnregister, EventWriteTransfer, EventRegister, EventSetInformation, EventActivityIdControl
api-ms-win-core-psapi-l1-1-0.dll: QueryFullProcessImageNameW
api-ms-win-core-shlwapi-legacy-l1-1-0.dll: PathIsSameRootW, PathFileExistsW, PathFindFileNameW
api-ms-win-shcore-obsolete-l1-1-0.dll: CommandLineToArgvW
api-ms-win-core-heap-l2-1-0.dll: LocalFree, GlobalAlloc, GlobalFree
ntdll.dll: RtlFreeHeap, RtlAllocateHeap, RtlQueryPackageClaims, NtQueryVolumeInformationFile, CsrClientCallServer, NtAlpcSendWaitReceivePort, RtlCreateUnicodeString, NtAlpcQueryInformationMessage, NtAlpcConnectPort, AlpcInitializeMessageAttribute, AlpcGetMessageAttribute
api-ms-win-core-rtlsupport-l1-1-0.dll: RtlLookupFunctionEntry, RtlCaptureContext, RtlVirtualUnwind
api-ms-win-core-processthreads-l1-1-1.dll: OpenProcess, IsProcessorFeaturePresent
api-ms-win-core-profile-l1-1-0.dll: QueryPerformanceCounter
api-ms-win-core-interlocked-l1-1-0.dll: InitializeSListHead
api-ms-win-core-com-l1-1-0.dll: CoUninitialize, CoTaskMemFree, CoInitializeEx, IIDFromString, CoCreateInstance
api-ms-win-core-registry-l2-1-0.dll: RegCreateKeyW, RegOpenKeyW
api-ms-win-core-synch-l1-2-0.dll: Sleep, SignalObjectAndWait
api-ms-win-core-io-l1-1-0.dll: DeviceIoControl
api-ms-win-core-namedpipe-l1-1-0.dll: CreatePipe
api-ms-win-core-processthreads-l1-1-3.dll: SetThreadDescription
api-ms-win-core-libraryloader-l1-2-1.dll: LoadLibraryW
api-ms-win-core-heap-obsolete-l1-1-0.dll: GlobalLock, GlobalUnlock, GlobalSize
api-ms-win-core-io-l1-1-1.dll: CancelSynchronousIo
api-ms-win-core-util-l1-1-0.dll: Beep
api-ms-win-core-apiquery-l1-1-0.dll: ApiSetQueryApiSetPresence
api-ms-win-security-base-l1-1-0.dll: GetSidSubAuthority, GetTokenInformation, GetSidSubAuthorityCount
api-ms-win-core-path-l1-1-0.dll: PathCchRemoveExtension
api-ms-win-shell-shellcom-l1-1-0.dll: SHCoCreateInstance
api-ms-win-core-sysinfo-l1-2-0.dll: VerSetConditionMask
api-ms-win-core-kernel32-legacy-l1-1-1.dll: VerifyVersionInfoW
api-ms-win-core-largeinteger-l1-1-0.dll: MulDiv
api-ms-win-core-delayload-l1-1-1.dll: ResolveDelayLoadedAPI
api-ms-win-core-delayload-l1-1-0.dll: DelayLoadFailureHook
api-ms-win-crt-math-l1-1-0.dll: ceilf
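The import rows above are exported with the DLL name run together with its first import, and several of the signatures listed at the top of this report (the IsDebuggerPresent check, GetProcessHeap, device-driver communication, process creation) are derived from exactly these names. The script below is an added example and not part of the Joe Sandbox report: it parses that flattened layout (a cleaned "dll: imports" layout is accepted too) and evaluates a small set of import-combination rules over it. The rule names and API groupings are the editor's own approximations of the report's signature wording, not Joe Sandbox's detection logic, and the sample rows are a constructed subset copied from this report's table.

```python
"""Triage an import table exported from a sandbox report.

Added example, not part of the Joe Sandbox report. Input rows use the report's
flattened layout: the DLL name is run together with the first import and the
imports are comma-separated ("api-ms-win-core-io-l1-1-0.dllDeviceIoControl").
The rules below are the editor's own approximations of the report's signature
names; they are assumptions, not Joe Sandbox's rule logic.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a subset of the import rows shown in this report.
SAMPLE_IMPORTS = """\
api-ms-win-core-processthreads-l1-1-0.dllGetProcessTimes, DeleteProcThreadAttributeList, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, GetStartupInfoW, GetCurrentProcess, CreateProcessW, OpenProcessToken, CreateThread, TerminateProcess, ExitProcess
api-ms-win-core-debug-l1-1-0.dllOutputDebugStringW, IsDebuggerPresent, OutputDebugStringA, DebugBreak
api-ms-win-core-heap-l1-1-0.dllGetProcessHeap, HeapAlloc, HeapFree
api-ms-win-core-libraryloader-l1-2-0.dllLockResource, LoadResource, GetProcAddress, FindResourceExW, LoadLibraryExW, GetModuleHandleW, FreeLibrary
api-ms-win-core-io-l1-1-0.dllDeviceIoControl
api-ms-win-security-base-l1-1-0.dllGetSidSubAuthority, GetTokenInformation, GetSidSubAuthorityCount
ntdll.dllRtlFreeHeap, RtlAllocateHeap, CsrClientCallServer, NtAlpcSendWaitReceivePort, NtAlpcConnectPort
api-ms-win-core-registry-l1-1-0.dllRegOpenKeyExW, RegEnumValueW, RegCloseKey, RegGetValueW, RegQueryValueExW, RegOpenCurrentUser
"""

# A row starts with a DLL name ending in ".dll"; the import list follows,
# optionally separated by a colon when the table has already been cleaned.
ROW_RE = re.compile(r"^\s*(?P<dll>[\w.-]+?\.dll)\s*:?\s*(?P<imports>.*)$", re.IGNORECASE)


def parse_import_table(text: str) -> Dict[str, List[str]]:
    """Map lower-cased DLL name -> imported symbols in table order."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        syms = [s.strip() for s in m.group("imports").split(",") if s.strip()]
        table.setdefault(m.group("dll").lower(), []).extend(syms)
    return table


# Editor's rules: "all" needs every listed API imported, "any" needs one.
RULES: List[Tuple[str, str, Set[str]]] = [
    ("debugger check (IsDebuggerPresent)", "any", {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}),
    ("heap-flag debugger detection candidate (GetProcessHeap)", "any", {"GetProcessHeap"}),
    ("process creation with extended attributes", "all",
     {"CreateProcessW", "InitializeProcThreadAttributeList", "UpdateProcThreadAttribute"}),
    ("communicates with device drivers", "any", {"DeviceIoControl"}),
    ("runtime API resolution", "all", {"GetProcAddress", "LoadLibraryExW"}),
    ("inspects process token", "all", {"OpenProcessToken", "GetTokenInformation"}),
    ("registry read", "all", {"RegOpenKeyExW", "RegQueryValueExW"}),
    ("CSRSS/ALPC client calls", "any", {"CsrClientCallServer", "NtAlpcConnectPort"}),
]


def match_rules(table: Dict[str, List[str]]) -> Dict[str, Dict[str, str]]:
    """Return {rule name: {api: dll it is imported from}} for satisfied rules."""
    where: Dict[str, str] = {}
    for dll, syms in table.items():
        for s in syms:
            where.setdefault(s, dll)  # first DLL that exports the symbol wins
    hits: Dict[str, Dict[str, str]] = {}
    for name, mode, apis in RULES:
        present = {a: where[a] for a in apis if a in where}
        if (mode == "all" and len(present) == len(apis)) or (mode == "any" and present):
            hits[name] = present
    return hits


if __name__ == "__main__":
    for rule, apis in match_rules(parse_import_table(SAMPLE_IMPORTS)).items():
        print(f"{rule}: " + ", ".join(f"{a} ({d})" for a, d in sorted(apis.items())))
```

Run it directly to print each matched rule with the DLL every API is imported from; for real triage, paste the full table in place of SAMPLE_IMPORTS. Import-based rules only say what the binary can call, not what it called during the run; the behaviour and execution-graph sections are the evidence for what actually executed.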
Language of compilation system: English
Country where language is spoken: United States
No network behavior found

Target ID: 0
Start time: 04:22:57
Start date: 29/03/2024
Path: C:\Users\user\Desktop\conhost[1].exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\conhost[1].exe"
Imagebase: 0x7ff7e07f0000
File size: 867'328 bytes
MD5 hash: 7417006AC4F38DBE0EFD36647C3EBAE4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 1
Start time: 04:22:57
Start date: 29/03/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe
Imagebase: 0x7ff7f42f0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

    Execution Graph

    Execution Coverage:6.4%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:17.8%
    Total number of Nodes:2000
    Total number of Limit Nodes:63
    execution_graph: node/edge data behind the interactive graph (2000 nodes). Each node is a numeric id, a function address inside the 0x7ff7e07f0000 image, and either an API name or a summary such as "75 API calls"; edges are written id->id. The raw dump is not reproduced here.
    Win32/CRT APIs referenced by graph nodes: GetWindowLongPtrW, SetWindowLongPtrW, DefWindowProcW (listed as NtdllDefWindowProc_W), EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, WaitForSingleObject, WaitForSingleObjectEx, CreateEventW, SetEvent, ResetEvent, CreateMutexW, LoadLibraryW, LoadLibraryExW, FreeLibrary, GetProcAddress, GetModuleHandleW, LdrResolveDelayLoadedAPI, SetActiveWindow, SendMessageTimeoutW, GetWindowRect, IsRectEmpty, SetWindowPos, GetWindowLongW, SetWindowLongW, IsIconic, GetSystemMetrics, SystemParametersInfoW, AdjustWindowRectEx, BeginPaint, EndPaint, NotifyWinEvent, SetDlgItemTextW, SetScrollInfo, DestroyCursor, CreateTimerQueueTimer, DeleteTimerQueueTimer, GetCurrentThreadId, GetCurrentProcessId, IsProcessorFeaturePresent, GetLastError, SetLastError, CloseHandle, RegOpenCurrentUser, RegOpenKeyW, RegCreateKeyW, RegQueryValueExW, RegCloseKey, CoInitializeEx, CoCreateInstance, CoUninitialize, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, OutputDebugStringW, memmove, memset, wcsncmp, wcsnlen, _o_malloc, _o_wcscpy_s, _CxxThrowException.
    Chain behind the IsDebuggerPresent signature, with the dump's ids and addresses: 7ff7e07f61e4 (49515) -> 7ff7e07f9a3c (49893) -> 7ff7e07f9a8c (49896) -> 7ff7e07f9a99 (49902) -> 7ff7e07f9b68 (49903) -> 7ff7e07f9bcf (49905) -> 7ff7e07f9c0e GetCurrentThreadId (49907) -> 7ff7e07f9c7a (49908) -> 7ff7e07f9ca7 (49909) -> 7ff7e07f9cf2 IsDebuggerPresent (49911) -> 7ff7e07f9d06 (49910) -> 7ff7e081d241 OutputDebugStringW (49912). Calling IsDebuggerPresent immediately before OutputDebugStringW is also the ordinary shape of a trace or assertion helper, so this chain by itself is weak evidence of evasion.
    Other chains visible in the dump: 7ff7e0809334 (49942) -> 7ff7e08090b8 GetCurrentProcessId (49945) -> 7ff7e0808780 (49973) -> 7ff7e080911c CreateMutexW (49947); 7ff7e080c444 (49678) -> 7ff7e080c48c CoInitializeEx (49679) -> 7ff7e080c4be CoCreateInstance (49683); 7ff7e0808200 RegOpenCurrentUser (49993) -> 7ff7e0808263 RegOpenKeyW (49997) -> 7ff7e0822ab7 RegCreateKeyW (49999).
50089 7ff7e07f61e4 54 API calls 50086->50089 50087->50083 50088 7ff7e080b7e9 SleepEx 50087->50088 50088->50083 50088->50084 50090 7ff7e0825d17 50089->50090 50094 7ff7e07fb386 50092->50094 50093 7ff7e07fb396 50093->50085 50094->50093 50095 7ff7e081e19d 50094->50095 50096 7ff7e081e17f 50094->50096 50105 7ff7e07fb410 50094->50105 50145 7ff7e0864b8c 54 API calls 50095->50145 50101 7ff7e07f61e4 54 API calls 50096->50101 50099 7ff7e081e1cb 50146 7ff7e08132f8 54 API calls Concurrency::wait 50099->50146 50101->50095 50102 7ff7e081e1dd 50147 7ff7e07f9a04 54 API calls Concurrency::wait 50102->50147 50104 7ff7e081e1f6 50104->50085 50106 7ff7e081e1cc 50105->50106 50107 7ff7e07fb450 50105->50107 50249 7ff7e08132f8 54 API calls Concurrency::wait 50106->50249 50148 7ff7e07fbd00 50107->50148 50109 7ff7e081e1dd 50250 7ff7e07f9a04 54 API calls Concurrency::wait 50109->50250 50113 7ff7e081e1f6 50113->50094 50115 7ff7e080f780 Concurrency::wait 9 API calls 50118 7ff7e07fb6b7 50115->50118 50116 7ff7e07fb6a4 50116->50115 50117 7ff7e07fb492 50117->50116 50119 7ff7e081e1fc 50117->50119 50143 7ff7e080add0 57 API calls 50117->50143 50118->50094 50251 7ff7e07f9a04 54 API calls Concurrency::wait 50119->50251 50120 7ff7e07fb56c 50120->50119 50121 7ff7e07fb576 50120->50121 50139 7ff7e07fb669 50121->50139 50167 7ff7e080b400 50121->50167 50126 7ff7e07fb5b8 50215 7ff7e07fad28 50126->50215 50127 7ff7e07fb69b 50127->50116 50129 7ff7e07f61e4 54 API calls 50127->50129 50129->50116 50136 7ff7e081e233 50252 7ff7e080ba84 55 API calls Concurrency::details::SchedulerBase::GetBitSet 50136->50252 50138 7ff7e07fb63c 50138->50139 50140 7ff7e07f61e4 54 API calls 50138->50140 50139->50127 50253 7ff7e07f9a04 54 API calls Concurrency::wait 50139->50253 50140->50139 50143->50120 50145->50099 50146->50102 50147->50104 50150 7ff7e07fbd35 50148->50150 50149 7ff7e07fb477 50155 7ff7e07f8a50 50149->50155 50150->50149 50151 7ff7e07f61e4 54 API calls 50150->50151 50152 7ff7e081e5c3 50150->50152 50151->50152 50153 
7ff7e07f61e4 54 API calls 50152->50153 50154 7ff7e081e5e2 50153->50154 50156 7ff7e07f8a6b 50155->50156 50166 7ff7e07f8abc 50155->50166 50157 7ff7e07f8a71 IsWindowVisible 50156->50157 50156->50166 50158 7ff7e07f8a81 50157->50158 50158->50166 50254 7ff7e07f8af4 GetClientRect 50158->50254 50161 7ff7e07f8a9f GetDC 50163 7ff7e081c7c2 50161->50163 50161->50166 50162 7ff7e081c7a2 50279 7ff7e07f9a04 54 API calls Concurrency::wait 50162->50279 50280 7ff7e07f9a04 54 API calls Concurrency::wait 50163->50280 50166->50109 50166->50117 50168 7ff7e080b413 50167->50168 50169 7ff7e07fb5a2 50167->50169 50170 7ff7e0825bb2 50168->50170 50171 7ff7e080b431 FillRect 50168->50171 50169->50139 50179 7ff7e08001e0 50169->50179 50286 7ff7e07f9a04 54 API calls Concurrency::wait 50170->50286 50172 7ff7e0825bf2 50171->50172 50173 7ff7e080b454 DeleteObject 50171->50173 50176 7ff7e07f61e4 54 API calls 50172->50176 50173->50169 50175 7ff7e0825bd0 50287 7ff7e07f9a04 54 API calls Concurrency::wait 50175->50287 50178 7ff7e0825c0e 50176->50178 50180 7ff7e0800228 50179->50180 50181 7ff7e0801c70 54 API calls 50180->50181 50212 7ff7e080026f 50181->50212 50182 7ff7e08002ac 50182->50126 50183 7ff7e0801c70 54 API calls 50183->50212 50184 7ff7e081fc82 _o_terminate 50185 7ff7e081fca2 50184->50185 50185->50126 50186 7ff7e081fc6e ?_Xout_of_range@std@@YAXPEBD 50186->50184 50187 7ff7e081fc5a ?_Xout_of_range@std@@YAXPEBD 50187->50186 50188 7ff7e081fc3b _o_terminate 50188->50187 50189 7ff7e081fc16 _o_terminate 50189->50188 50190 7ff7e081fb8e ?_Xout_of_range@std@@YAXPEBD 50192 7ff7e081fba2 50190->50192 50191 7ff7e081fbf1 _o_terminate 50191->50189 50296 7ff7e082d614 54 API calls Concurrency::wait 50192->50296 50193 7ff7e081fa62 50293 7ff7e085af30 99 API calls 50193->50293 50195 7ff7e081fbd2 _o_terminate 50195->50191 50197 7ff7e081fbb9 50297 7ff7e082d614 54 API calls Concurrency::wait 50197->50297 50199 7ff7e081fbd1 50199->50195 50200 7ff7e081fa79 ?_Xout_of_range@std@@YAXPEBD 50202 7ff7e081fb64 50200->50202 50294 
7ff7e082d614 54 API calls Concurrency::wait 50202->50294 50205 7ff7e081fb78 50295 7ff7e082d614 54 API calls Concurrency::wait 50205->50295 50206 7ff7e0801d3c 57 API calls 50206->50212 50208 7ff7e081fb8d 50208->50190 50209 7ff7e0800180 99 API calls 50209->50212 50212->50182 50212->50183 50212->50184 50212->50186 50212->50187 50212->50188 50212->50189 50212->50190 50212->50191 50212->50192 50212->50193 50212->50195 50212->50197 50212->50200 50212->50202 50212->50205 50212->50206 50212->50209 50288 7ff7e0800af0 99 API calls 2 library calls 50212->50288 50289 7ff7e0800ce0 78 API calls Concurrency::details::SchedulerBase::GetBitSet 50212->50289 50290 7ff7e0802178 54 API calls 50212->50290 50291 7ff7e080b4d4 55 API calls Concurrency::details::SchedulerBase::GetBitSet 50212->50291 50292 7ff7e0801bf8 55 API calls Concurrency::details::SchedulerBase::GetBitSet 50212->50292 50216 7ff7e07fad58 50215->50216 50217 7ff7e07fad6f 50216->50217 50298 7ff7e08654c4 123 API calls 50216->50298 50218 7ff7e07fad78 50217->50218 50299 7ff7e080ba40 55 API calls Concurrency::details::SchedulerBase::GetBitSet 50217->50299 50222 7ff7e07fad98 50218->50222 50223 7ff7e07fadc3 50222->50223 50300 7ff7e07fae2c 50223->50300 50225 7ff7e07fae0d 50226 7ff7e07fae16 50225->50226 50305 7ff7e080ba40 55 API calls Concurrency::details::SchedulerBase::GetBitSet 50225->50305 50231 7ff7e07faec0 50226->50231 50229 7ff7e07fade0 50229->50225 50230 7ff7e07f61e4 54 API calls 50229->50230 50230->50229 50235 7ff7e07faefa 50231->50235 50232 7ff7e07fafe4 50233 7ff7e080f780 Concurrency::wait 9 API calls 50232->50233 50234 7ff7e07faff0 50233->50234 50239 7ff7e0806d00 50234->50239 50235->50232 50307 7ff7e080a9f0 50235->50307 50237 7ff7e07f61e4 54 API calls 50237->50232 50240 7ff7e0806d2f 50239->50240 50244 7ff7e07fb60f 50240->50244 50417 7ff7e080e070 PostMessageW 50240->50417 50241 7ff7e0806d83 50242 7ff7e0822708 50241->50242 50243 7ff7e0806d8e 50241->50243 50424 7ff7e07f9a04 54 API calls Concurrency::wait 50242->50424 
50243->50244 50418 7ff7e08051f4 50243->50418 50244->50136 50244->50138 50246 7ff7e0822721 50249->50109 50250->50113 50251->50139 50252->50139 50253->50127 50255 7ff7e081c7e8 50254->50255 50256 7ff7e07f8b39 50254->50256 50281 7ff7e07f9a04 54 API calls Concurrency::wait 50255->50281 50257 7ff7e07f8b88 GetDC 50256->50257 50258 7ff7e07f8b63 50256->50258 50257->50255 50260 7ff7e07f8ba5 50257->50260 50261 7ff7e080f780 Concurrency::wait 9 API calls 50258->50261 50263 7ff7e07f8c27 50260->50263 50264 7ff7e07f8bb1 50260->50264 50262 7ff7e07f8a95 50261->50262 50262->50161 50262->50162 50265 7ff7e081c811 50263->50265 50268 7ff7e07f8c61 50263->50268 50269 7ff7e081c821 50263->50269 50264->50265 50270 7ff7e07f8bf3 DeleteObject DeleteDC 50264->50270 50285 7ff7e07f9a04 54 API calls Concurrency::wait 50265->50285 50267 7ff7e081c8ed 50272 7ff7e081c843 50268->50272 50277 7ff7e081c846 50268->50277 50278 7ff7e07f8d0c DeleteObject DeleteDC 50268->50278 50282 7ff7e07f9a04 54 API calls Concurrency::wait 50269->50282 50270->50258 50273 7ff7e081c879 DeleteDC 50272->50273 50275 7ff7e081c86c DeleteObject 50272->50275 50284 7ff7e07f9a04 54 API calls Concurrency::wait 50272->50284 50273->50272 50275->50273 50283 7ff7e07f9a04 54 API calls Concurrency::wait 50277->50283 50278->50255 50279->50166 50280->50166 50281->50265 50282->50272 50283->50272 50284->50272 50285->50267 50286->50175 50287->50169 50288->50212 50289->50212 50290->50212 50291->50212 50292->50212 50293->50200 50294->50205 50295->50208 50296->50197 50297->50199 50298->50216 50303 7ff7e07fae60 50300->50303 50301 7ff7e07faea8 50301->50229 50303->50301 50306 7ff7e080ba40 55 API calls Concurrency::details::SchedulerBase::GetBitSet 50303->50306 50308 7ff7e080aa2a 50307->50308 50370 7ff7e080aba8 50307->50370 50389 7ff7e080abf4 50308->50389 50311 7ff7e080f780 Concurrency::wait 9 API calls 50314 7ff7e07fafdc 50311->50314 50312 7ff7e080aa38 50315 7ff7e082588a 50312->50315 50317 7ff7e080aa59 50312->50317 50313 7ff7e0825342 50316 7ff7e07f61e4 
54 API calls 50313->50316 50314->50232 50314->50237 50415 7ff7e07f9a04 54 API calls Concurrency::wait 50315->50415 50318 7ff7e082535a 50316->50318 50320 7ff7e080aa7e 50317->50320 50321 7ff7e0825864 50317->50321 50394 7ff7e07f9a04 54 API calls Concurrency::wait 50318->50394 50322 7ff7e080aa9c 50320->50322 50323 7ff7e082583e 50320->50323 50414 7ff7e07f9a04 54 API calls Concurrency::wait 50321->50414 50325 7ff7e0825818 50322->50325 50326 7ff7e080aab8 50322->50326 50413 7ff7e07f9a04 54 API calls Concurrency::wait 50323->50413 50412 7ff7e07f9a04 54 API calls Concurrency::wait 50325->50412 50330 7ff7e080aace 50326->50330 50331 7ff7e08257f2 50326->50331 50330->50318 50333 7ff7e080aadc 50330->50333 50411 7ff7e07f9a04 54 API calls Concurrency::wait 50331->50411 50334 7ff7e082539d 50333->50334 50335 7ff7e080aafe 50333->50335 50336 7ff7e08256ab 50334->50336 50337 7ff7e08253a6 50334->50337 50341 7ff7e080ab13 MulDiv 50335->50341 50368 7ff7e08256fb 50335->50368 50338 7ff7e08256d0 50336->50338 50343 7ff7e080ab3e 50336->50343 50339 7ff7e08253af 50337->50339 50340 7ff7e0825664 50337->50340 50407 7ff7e07f9a04 54 API calls Concurrency::wait 50338->50407 50339->50343 50347 7ff7e082563e 50339->50347 50348 7ff7e0825402 50339->50348 50339->50370 50342 7ff7e0825680 50340->50342 50340->50343 50341->50343 50345 7ff7e08257cc 50341->50345 50406 7ff7e07f9a04 54 API calls Concurrency::wait 50342->50406 50388 7ff7e080ab4f 50343->50388 50393 7ff7e080acbc 93 API calls Concurrency::details::SchedulerBase::GetBitSet 50343->50393 50410 7ff7e07f9a04 54 API calls Concurrency::wait 50345->50410 50405 7ff7e07f9a04 54 API calls Concurrency::wait 50347->50405 50352 7ff7e0825618 50348->50352 50353 7ff7e0825418 50348->50353 50404 7ff7e07f9a04 54 API calls Concurrency::wait 50352->50404 50354 7ff7e082542b 50353->50354 50355 7ff7e08255f2 50353->50355 50359 7ff7e08255cc 50354->50359 50360 7ff7e0825442 50354->50360 50403 7ff7e07f9a04 54 API calls Concurrency::wait 50355->50403 50357 7ff7e080ab65 50358 
7ff7e080ab78 InvertRect 50357->50358 50357->50370 50358->50357 50364 7ff7e08257a6 50358->50364 50402 7ff7e07f9a04 54 API calls Concurrency::wait 50359->50402 50365 7ff7e0825459 50360->50365 50366 7ff7e08255a6 50360->50366 50361 7ff7e0825764 DeleteObject 50369 7ff7e0825780 50361->50369 50362 7ff7e0825735 FillRect 50362->50368 50362->50369 50409 7ff7e07f9a04 54 API calls Concurrency::wait 50364->50409 50372 7ff7e0825580 50365->50372 50373 7ff7e0825470 50365->50373 50401 7ff7e07f9a04 54 API calls Concurrency::wait 50366->50401 50368->50361 50368->50362 50408 7ff7e07f9a04 54 API calls Concurrency::wait 50369->50408 50370->50311 50388->50357 50388->50368 50390 7ff7e080ac2e 50389->50390 50392 7ff7e080aa2f 50389->50392 50390->50392 50416 7ff7e07f9a04 54 API calls Concurrency::wait 50390->50416 50392->50312 50392->50313 50393->50388 50394->50370 50401->50370 50402->50370 50403->50370 50404->50370 50405->50370 50406->50370 50407->50370 50408->50370 50409->50370 50410->50370 50411->50370 50412->50370 50413->50370 50414->50370 50415->50370 50416->50392 50417->50241 50419 7ff7e0805243 50418->50419 50420 7ff7e080520c memmove 50418->50420 50425 7ff7e0805694 90 API calls Concurrency::details::SchedulerBase::GetBitSet 50419->50425 50423 7ff7e0805232 50420->50423 50423->50244 50424->50246 50425->50423 50449 7ff7e0801102 50452 7ff7e0803c54 50449->50452 50453 7ff7e0803730 72 API calls 50452->50453 50454 7ff7e0803c84 EnterCriticalSection 50453->50454 50498 7ff7e07f6c80 memset _o_wcscpy_s memset 50454->50498 50459 7ff7e0803f6a 50460 7ff7e0802bcc 109 API calls 50459->50460 50462 7ff7e0803f3c 50460->50462 50465 7ff7e080f780 Concurrency::wait 9 API calls 50462->50465 50466 7ff7e080110c 50465->50466 50467 7ff7e0803f40 50467->50459 50737 7ff7e0802c24 54 API calls Concurrency::wait 50467->50737 50468 7ff7e0803d85 50603 7ff7e0802784 50468->50603 50469 7ff7e0803d17 50469->50467 50469->50468 50471 7ff7e0804204 80 API calls 50469->50471 50474 7ff7e0803d4f 50471->50474 50473 7ff7e0803f4d 50738 
7ff7e07f8fa8 99 API calls Concurrency::wait 50473->50738 50474->50468 50480 7ff7e07f61e4 54 API calls 50474->50480 50475 7ff7e0803d8a 50477 7ff7e0803db3 50475->50477 50610 7ff7e07f4468 50475->50610 50477->50467 50655 7ff7e0804264 memset 50477->50655 50480->50468 50481 7ff7e0803df9 50700 7ff7e080415c 50481->50700 50485 7ff7e0803e36 50485->50467 50486 7ff7e0803fc0 331 API calls 50485->50486 50499 7ff7e07f6dab 50498->50499 50500 7ff7e081c384 _o_terminate 50498->50500 50501 7ff7e081c391 _o_terminate 50499->50501 50502 7ff7e07f6dbb 50499->50502 50500->50501 50503 7ff7e081c39e 50501->50503 50739 7ff7e07f6fe0 50502->50739 51148 7ff7e082d614 54 API calls Concurrency::wait 50503->51148 50506 7ff7e07f6dd3 51129 7ff7e07f6e08 50506->51129 50507 7ff7e081c3ba 51149 7ff7e082d614 54 API calls Concurrency::wait 50507->51149 50511 7ff7e081c3d7 51150 7ff7e082d614 54 API calls Concurrency::wait 50511->51150 50513 7ff7e081c3f4 51151 7ff7e082d614 54 API calls Concurrency::wait 50513->51151 50515 7ff7e081c412 _o_terminate 50517 7ff7e081c420 _o_terminate 50515->50517 50518 7ff7e081c42e GetLastError DeleteObject SetLastError 50517->50518 50519 7ff7e081c45a 50518->50519 50519->50519 50520 7ff7e08044d8 memset 51177 7ff7e0804788 50520->51177 50522 7ff7e080f780 Concurrency::wait 9 API calls 50523 7ff7e0803cc8 50522->50523 50523->50459 50525 7ff7e081728c 50523->50525 50526 7ff7e08176b9 50525->50526 50529 7ff7e08172d3 50525->50529 50527 7ff7e080f780 Concurrency::wait 9 API calls 50526->50527 50528 7ff7e0803ced 50527->50528 50575 7ff7e0803b30 50528->50575 50529->50526 51180 7ff7e07f471c 50529->51180 50532 7ff7e08173bc CoInitializeEx 50533 7ff7e08176e7 50532->50533 50534 7ff7e08173dc 50532->50534 51191 7ff7e082d614 54 API calls Concurrency::wait 50533->51191 50537 7ff7e08173f0 CoCreateInstance 50534->50537 50536 7ff7e0817348 50536->50532 51184 7ff7e07f10bc 10 API calls Concurrency::wait 50536->51184 50538 7ff7e08176fb 50537->50538 50540 7ff7e081742d CreatePipe 50537->50540 51192 7ff7e082d614 54 
API calls Concurrency::wait 50538->51192 50542 7ff7e0817710 50540->50542 50543 7ff7e08174c3 GetCurrentProcess GetCurrentProcess GetCurrentProcess DuplicateHandle 50540->50543 50541 7ff7e08173bb 50541->50532 51193 7ff7e082ec60 54 API calls 50542->51193 50545 7ff7e081752e 50543->50545 50546 7ff7e0817722 50543->50546 51185 7ff7e0817894 GetLastError CloseHandle SetLastError 50545->51185 51194 7ff7e082ec60 54 API calls 50546->51194 50550 7ff7e081754b 50551 7ff7e0817734 50550->50551 50554 7ff7e0817597 50550->50554 51195 7ff7e082d614 54 API calls Concurrency::wait 50551->51195 50553 7ff7e0817749 51196 7ff7e082d614 54 API calls Concurrency::wait 50553->51196 51186 7ff7e08381c8 GetLastError CloseHandle SetLastError 50554->51186 50557 7ff7e08175a5 51187 7ff7e0817894 GetLastError CloseHandle SetLastError 50557->51187 50558 7ff7e081775e 50560 7ff7e08175b1 50561 7ff7e0807d28 54 API calls 50560->50561 50562 7ff7e08175bf 50561->50562 50563 7ff7e080fd8c 21 API calls 50562->50563 50564 7ff7e08175c9 50563->50564 51188 7ff7e0817bf0 55 API calls Concurrency::details::SchedulerBase::GetBitSet 50564->51188 50566 7ff7e08175db 51189 7ff7e0817c8c 59 API calls 50566->51189 50568 7ff7e08175ec 50568->50553 50571 7ff7e08175fc 50568->50571 50569 7ff7e0817689 50570 7ff7e0802bcc 109 API calls 50569->50570 50572 7ff7e081768e 50570->50572 50571->50569 51190 7ff7e0809654 EventWriteTransfer 50571->51190 50574 7ff7e0817698 WaitForSingleObject ExitProcess 50572->50574 51207 7ff7e07f8f28 GetCurrentThreadId 50575->51207 50577 7ff7e0803b5c 50578 7ff7e0821d5a 50577->50578 50580 7ff7e0803b6e 50577->50580 51242 7ff7e08132f8 54 API calls Concurrency::wait 50578->51242 50581 7ff7e080fd8c 21 API calls 50580->50581 50582 7ff7e0803bd7 50580->50582 50583 7ff7e0803b8c 50581->50583 50582->50469 51208 7ff7e08039d4 50583->51208 50586 7ff7e0803bbe 51223 7ff7e080390c 50586->51223 50587 7ff7e0821d94 ?_Xlength_error@std@@YAXPEBD 50588 7ff7e0821daa 50587->50588 50590 7ff7e07f9100 55 API calls 50588->50590 50591 
7ff7e0821db3 50590->50591 50592 7ff7e07f9100 55 API calls 50591->50592 50596 7ff7e0804018 50591->50596 50592->50596 50593 7ff7e0821dfd 51243 7ff7e0869bcc 54 API calls 50593->51243 50595 7ff7e0821e07 51244 7ff7e084deac 331 API calls 2 library calls 50595->51244 50596->50593 50599 7ff7e0804058 50596->50599 50598 7ff7e0821e11 50598->50469 50600 7ff7e0804096 50599->50600 51245 7ff7e084deac 331 API calls 2 library calls 50599->51245 50600->50469 50602 7ff7e0821e1d 50604 7ff7e0802792 50603->50604 50605 7ff7e080279f 50603->50605 50604->50475 50606 7ff7e08027af 50605->50606 51324 7ff7e080758c 21 API calls default_delete 50605->51324 50606->50604 51325 7ff7e080ed58 54 API calls 50606->51325 50609 7ff7e08211c2 50609->50475 50611 7ff7e0803730 72 API calls 50610->50611 50612 7ff7e07f4480 50611->50612 51326 7ff7e07f4bc0 50612->51326 50656 7ff7e08042bf 50655->50656 50657 7ff7e08043a4 50656->50657 50669 7ff7e08042d3 50656->50669 50658 7ff7e08043ba 50657->50658 50670 7ff7e080431f 50657->50670 50659 7ff7e08051f4 90 API calls 50658->50659 50661 7ff7e08043f8 50659->50661 50660 7ff7e0804338 50662 7ff7e0804341 50660->50662 50663 7ff7e0804497 50660->50663 50664 7ff7e080448f 50660->50664 51707 7ff7e0806ec0 _o_terminate _o_terminate default_delete 50661->51707 50666 7ff7e0804351 50662->50666 50667 7ff7e0821e71 _CxxThrowException 50662->50667 51712 7ff7e0805760 55 API calls 50663->51712 50664->50481 51705 7ff7e0804bb4 91 API calls 50666->51705 50673 7ff7e08044c8 50667->50673 50669->50670 50675 7ff7e0804306 50669->50675 50676 7ff7e0821e66 50669->50676 50670->50660 50670->50664 51710 7ff7e0804a44 90 API calls 50670->51710 50671 7ff7e0804411 51708 7ff7e0804bb4 91 API calls 50671->51708 50685 7ff7e080f780 Concurrency::wait 9 API calls 50673->50685 50674 7ff7e08044a1 50679 7ff7e08051f4 90 API calls 50674->50679 51703 7ff7e0804a44 90 API calls 50675->51703 51713 7ff7e08359f8 91 API calls 50676->51713 50679->50673 50682 7ff7e0821e6b 50682->50667 50683 7ff7e0804422 50687 7ff7e07f9100 55 API calls 
50683->50687 50684 7ff7e080430b 51704 7ff7e07f88a0 55 API calls Concurrency::details::SchedulerBase::GetBitSet 50684->51704 50690 7ff7e080476c 50685->50690 50686 7ff7e0804472 51711 7ff7e07f88a0 55 API calls Concurrency::details::SchedulerBase::GetBitSet 50686->51711 50692 7ff7e080442e 50687->50692 50688 7ff7e0804378 50694 7ff7e080f780 Concurrency::wait 9 API calls 50688->50694 50690->50481 51709 7ff7e0807414 55 API calls Concurrency::details::SchedulerBase::GetBitSet 50692->51709 50693 7ff7e07f9100 55 API calls 50696 7ff7e080436e 50693->50696 50697 7ff7e0804387 50694->50697 51706 7ff7e0807414 55 API calls Concurrency::details::SchedulerBase::GetBitSet 50696->51706 50697->50481 50698 7ff7e080435b 50698->50688 50698->50693 50703 7ff7e0804179 50700->50703 50701 7ff7e08041d0 GetCurrentProcess 50702 7ff7e0804110 50701->50702 50704 7ff7e0804204 80 API calls 50702->50704 50703->50701 50705 7ff7e0804204 80 API calls 50703->50705 51714 7ff7e080ed58 54 API calls 50703->51714 50706 7ff7e0804126 50704->50706 50705->50703 50707 7ff7e0803e12 50706->50707 51715 7ff7e080ed58 54 API calls 50706->51715 50711 7ff7e0803fc0 50707->50711 50710 7ff7e0821e3f 50712 7ff7e080fd8c 21 API calls 50711->50712 50713 7ff7e0803fef 50712->50713 50714 7ff7e080fd8c 21 API calls 50713->50714 50716 7ff7e0804018 50713->50716 50721 7ff7e08040bd 50714->50721 50715 7ff7e0821dfd 51716 7ff7e0869bcc 54 API calls 50715->51716 50716->50715 50719 7ff7e0804058 50716->50719 50718 7ff7e0821e07 51717 7ff7e084deac 331 API calls 2 library calls 50718->51717 50725 7ff7e0804096 50719->50725 51718 7ff7e084deac 331 API calls 2 library calls 50719->51718 50720 7ff7e07f9100 55 API calls 50720->50716 50721->50716 50724 7ff7e07f9100 55 API calls 50721->50724 50726 7ff7e0821db3 50721->50726 50723 7ff7e0821e11 50723->50485 50724->50726 50725->50485 50726->50716 50726->50720 50728 7ff7e0821e1d 50737->50473 50738->50459 50746 7ff7e07f6ff8 50739->50746 51128 7ff7e07f82cf 50739->51128 50741 7ff7e081c413 _o_terminate 50743 
7ff7e081c420 _o_terminate 50741->50743 50742 7ff7e081c412 50742->50741 50744 7ff7e081c42e GetLastError DeleteObject SetLastError 50743->50744 50745 7ff7e081c45a 50744->50745 50745->50745 50746->50741 51152 7ff7e07f82f0 50746->51152 50749 7ff7e07f82f0 4 API calls 50750 7ff7e07f74c8 50749->50750 50751 7ff7e07f82f0 4 API calls 50750->50751 50752 7ff7e07f74db 50751->50752 50753 7ff7e07f82f0 4 API calls 50752->50753 50754 7ff7e07f74ee 50753->50754 50755 7ff7e07f82f0 4 API calls 50754->50755 50756 7ff7e07f7501 50755->50756 50757 7ff7e07f82f0 4 API calls 50756->50757 50758 7ff7e07f7514 50757->50758 50759 7ff7e07f82f0 4 API calls 50758->50759 50760 7ff7e07f7527 50759->50760 50761 7ff7e07f82f0 4 API calls 50760->50761 50762 7ff7e07f753a 50761->50762 50763 7ff7e07f82f0 4 API calls 50762->50763 50764 7ff7e07f754d 50763->50764 50765 7ff7e07f82f0 4 API calls 50764->50765 50766 7ff7e07f7560 50765->50766 50767 7ff7e07f82f0 4 API calls 50766->50767 50768 7ff7e07f7573 50767->50768 50769 7ff7e07f82f0 4 API calls 50768->50769 50770 7ff7e07f7586 50769->50770 50771 7ff7e07f82f0 4 API calls 50770->50771 50772 7ff7e07f7599 50771->50772 50773 7ff7e07f82f0 4 API calls 50772->50773 50774 7ff7e07f75ac 50773->50774 50775 7ff7e07f82f0 4 API calls 50774->50775 50776 7ff7e07f75bf 50775->50776 50777 7ff7e07f82f0 4 API calls 50776->50777 50778 7ff7e07f75d2 50777->50778 50779 7ff7e07f82f0 4 API calls 50778->50779 50780 7ff7e07f75e5 50779->50780 50781 7ff7e07f82f0 4 API calls 50780->50781 50782 7ff7e07f75f8 50781->50782 50783 7ff7e07f82f0 4 API calls 50782->50783 50784 7ff7e07f760b 50783->50784 50785 7ff7e07f82f0 4 API calls 50784->50785 50786 7ff7e07f761e 50785->50786 50787 7ff7e07f82f0 4 API calls 50786->50787 50788 7ff7e07f7631 50787->50788 50789 7ff7e07f82f0 4 API calls 50788->50789 50790 7ff7e07f7644 50789->50790 50791 7ff7e07f82f0 4 API calls 50790->50791 50792 7ff7e07f7657 50791->50792 50793 7ff7e07f82f0 4 API calls 50792->50793 50794 7ff7e07f766a 50793->50794 50795 7ff7e07f82f0 4 API calls 
50794->50795 51128->50506 51157 7ff7e082d614 54 API calls Concurrency::wait 51128->51157 51130 7ff7e081c39e 51129->51130 51131 7ff7e07f6e1b 51129->51131 51171 7ff7e082d614 54 API calls Concurrency::wait 51130->51171 51158 7ff7e07f6ec4 51131->51158 51134 7ff7e081c3ba 51172 7ff7e082d614 54 API calls Concurrency::wait 51134->51172 51136 7ff7e07f6eb1 _o_terminate 51136->51130 51137 7ff7e081c3d7 51173 7ff7e082d614 54 API calls Concurrency::wait 51137->51173 51140 7ff7e081c3f4 51174 7ff7e082d614 54 API calls Concurrency::wait 51140->51174 51142 7ff7e07f6de7 51142->50520 51143 7ff7e081c412 _o_terminate 51145 7ff7e081c420 _o_terminate 51143->51145 51146 7ff7e081c42e GetLastError DeleteObject SetLastError 51145->51146 51147 7ff7e081c45a 51146->51147 51147->51147 51148->50507 51149->50511 51150->50513 51151->50515 51153 7ff7e081c420 _o_terminate 51152->51153 51154 7ff7e07f74b5 51152->51154 51155 7ff7e081c42e GetLastError DeleteObject SetLastError 51153->51155 51154->50749 51156 7ff7e081c45a 51155->51156 51156->51156 51157->50742 51159 7ff7e081c3d8 51158->51159 51160 7ff7e07f6ed2 51158->51160 51175 7ff7e082d614 54 API calls Concurrency::wait 51159->51175 51162 7ff7e07f6fc7 _o_terminate 51160->51162 51170 7ff7e07f6e2e 51160->51170 51162->51159 51163 7ff7e081c3f4 51176 7ff7e082d614 54 API calls Concurrency::wait 51163->51176 51165 7ff7e081c412 _o_terminate 51167 7ff7e081c420 _o_terminate 51165->51167 51168 7ff7e081c42e GetLastError DeleteObject SetLastError 51167->51168 51169 7ff7e081c45a 51168->51169 51169->51169 51170->51134 51170->51136 51170->51142 51171->51134 51172->51137 51173->51140 51174->51143 51175->51163 51176->51165 51178 7ff7e080be64 55 API calls 51177->51178 51179 7ff7e0804530 51178->51179 51179->50522 51181 7ff7e07f4731 51180->51181 51182 7ff7e07f472c 51180->51182 51181->50526 51181->50536 51197 7ff7e07f4a24 51182->51197 51184->50541 51185->50550 51186->50557 51187->50560 51188->50566 51189->50568 51190->50569 51191->50538 51192->50542 51193->50546 51194->50551 
51195->50553 51196->50558 51198 7ff7e07f4a33 51197->51198 51205 7ff7e07f4a52 51197->51205 51199 7ff7e080cafc LoadLibraryW 51198->51199 51200 7ff7e07f4a48 51199->51200 51201 7ff7e081baaa GetLastError 51200->51201 51200->51205 51202 7ff7e081baca 51201->51202 51203 7ff7e081babb 51201->51203 51204 7ff7e081bad4 FreeLibrary 51202->51204 51202->51205 51206 7ff7e080cafc LoadLibraryW 51203->51206 51204->51205 51205->51181 51206->51202 51207->50577 51209 7ff7e080fd8c 21 API calls 51208->51209 51210 7ff7e0803a00 51209->51210 51211 7ff7e080390c 90 API calls 51210->51211 51212 7ff7e0803a1b OpenProcess 51211->51212 51213 7ff7e0803a6f 51212->51213 51214 7ff7e0821b40 51212->51214 51246 7ff7e07f8e58 51213->51246 51263 7ff7e082ebe8 54 API calls 51214->51263 51217 7ff7e0803a84 51219 7ff7e0803a9d 51217->51219 51220 7ff7e0803730 72 API calls 51217->51220 51218 7ff7e0821b51 51219->50586 51219->50587 51221 7ff7e0803a91 51220->51221 51262 7ff7e0803abc 29 API calls Concurrency::wait 51221->51262 51224 7ff7e080391c 51223->51224 51225 7ff7e080393e 51224->51225 51226 7ff7e080fd8c 21 API calls 51224->51226 51225->50582 51227 7ff7e0821a64 _o__invalid_parameter_noinfo_noreturn 51225->51227 51228 7ff7e080394a 51225->51228 51226->51225 51229 7ff7e0821a72 51227->51229 51228->50582 51316 7ff7e08033ac 51229->51316 51233 7ff7e0821b00 51234 7ff7e0821b16 51233->51234 51321 7ff7e07f60c4 55 API calls Concurrency::wait 51233->51321 51322 7ff7e0803334 55 API calls 2 library calls 51234->51322 51237 7ff7e0821aba 51237->51233 51320 7ff7e08060ec 90 API calls 51237->51320 51242->50582 51243->50595 51244->50598 51245->50602 51264 7ff7e07f8e1c 51246->51264 51249 7ff7e07f8f0d 51249->51217 51283 7ff7e082ebe8 54 API calls 51249->51283 51250 7ff7e07f8ea0 51269 7ff7e080bb0c RtlQueryPackageClaims 51250->51269 51254 7ff7e081c972 51255 7ff7e07f61e4 54 API calls 51254->51255 51257 7ff7e081c991 51255->51257 51256 7ff7e07f8ed4 51256->51249 51256->51257 51259 7ff7e07f8f01 FindCloseChangeNotification 51256->51259 51260 
(Call graph, continued: the remainder of the node/edge listing behind the report's rendered call graph, node ids up to 52714, at addresses 7ff7e07f.... to 7ff7e088.... inside the image loaded at 00007FF7E07F0000. Each node is a code address with the imports it calls, or "N API calls" where the widget collapsed a subtree; edges are the transitions the widget draws between nodes. The imports named in this part of the graph, grouped:)

• Token and SID inspection: OpenProcessToken, GetTokenInformation, GetSidSubAuthorityCount, GetSidSubAuthority
• Registry: RegOpenKeyW, RegOpenKeyExW, RegQueryValueExW, RegGetValueW, RegEnumValueW, RegCloseKey, with IIDFromString applied to a value read back at 7ff7e0816fd7
• Process, command line and environment: GetStartupInfoW, GetCommandLineW, CommandLineToArgvW, LocalFree, GetStdHandle, GetEnvironmentVariableW, SetEnvironmentVariableW, GetWindowsDirectoryW, SearchPathW, CompareStringOrdinal, GetOEMCP, GetACP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, DuplicateHandle, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, SetProcessShutdownParameters, ExitThread, TerminateProcess
• Heap: GetProcessHeap, HeapAlloc, HeapFree
• Kernel objects and device I/O: CreateEventExW, SetEvent, WaitForSingleObjectEx, CloseHandle, NtOpenFile, DeviceIoControl, EnterCriticalSection, LeaveCriticalSection
• COM, hooks and windowing: CoInitializeEx, CoUninitialize, SetWindowsHookExW, UnhookWindowsHookEx, NotifyWinEvent, GetMessageW, DispatchMessageW, LoadCursorW, RegisterClassExW, MonitorFromRect, GetMonitorInfoW, CreateWindowExW, SetActiveWindow, ShowWindow, GetDC, ReleaseDC, DeleteObject, GetSystemMenu, LoadMenuW, LoadStringW, AppendMenuW, SetMenuItemInfoW, IsDlgButtonChecked, MulDiv, GetProcAddress
• ETW: EventRegister, EventSetInformation, EventUnregister
• Loader and CRT: LdrResolveDelayLoadedAPI, __scrt_initialize_crt, __scrt_acquire_startup_lock, __scrt_release_startup_lock, _register_thread_local_exe_atexit_callback, _o__get_wide_winmain_command_line, _o__exit, _o_terminate, std::bad_exception, Concurrency::wait, memset, wcsnlen, _o_wcscpy_s, GetLastError, SetLastError

Paths worth noting in this fragment: the CRT entry at 7ff7e080f5d0 runs __scrt_initialize_crt and _o__get_wide_winmain_command_line and reaches 7ff7e0809398, which registers an ETW provider (EventRegister at 7ff7e080d800), fetches the standard handles and command line (GetStdHandle, GetCommandLineW at 7ff7e08093d0) and parses arguments with CommandLineToArgvW at 7ff7e07f859d. The routine at 7ff7e086a2d4 duplicates handles (GetCurrentProcess, DuplicateHandle at 7ff7e086a51c), reads the startup info and builds a thread-attribute list (InitializeProcThreadAttributeList at 7ff7e086a607, UpdateProcThreadAttribute at 7ff7e086a734); this is the child-creation routine whose control-flow graph follows. The DeviceIoControl loop at 7ff7e0800f55/7ff7e0801002 waits with WaitForSingleObjectEx (7ff7e081ff8d) and, on one exit branch, terminates the process (GetCurrentProcess, TerminateProcess at 7ff7e080d9e0).

    Control-flow Graph

    • Executed / Not Executed: the rendered graph colours each block by whether it ran in this analysis. That colouring is not carried in the text listing below, so the listing alone shows the function's structure, not which branch executed.
    control_flow_graph 0: function at 7ff7e086a2d4. Columns: block id, address range, calls in the block ("call <addr>" is an internal subroutine, "* 2" means two calls), -> successor blocks.
    0    7ff7e086a2d4-7ff7e086a338  call 7ff7e086e044  -> 3, 4
    3    7ff7e086a39e-7ff7e086a3cf  call 7ff7e086e044  -> 9, 10
    4    7ff7e086a33a-7ff7e086a354  call 7ff7e083b23c  -> 11
    9    7ff7e086a3d1               -> 12
    10   7ff7e086a410-7ff7e086a41f  call 7ff7e0807980  -> 21, 22
    11   7ff7e086a356-7ff7e086a363  -> 14, 15
    12   7ff7e086a3d4-7ff7e086a3f9  call 7ff7e083b23c  -> 11, 24
    14   7ff7e086a365-7ff7e086a36c  CloseHandle  -> 15
    15   7ff7e086a371-7ff7e086a39c  call 7ff7e080f780  -> (return)
    21   7ff7e086a428-7ff7e086a488  call 7ff7e0810f1c, call 7ff7e086e044  -> 28, 29
    22   7ff7e086a421-7ff7e086a426  -> 12
    24   7ff7e086a3ff-7ff7e086a40b  CloseHandle  -> 11
    28   7ff7e086a4e9-7ff7e086a510  call 7ff7e086e044  -> 34, 35
    29   7ff7e086a48a               -> 30
    30   7ff7e086a48d-7ff7e086a49e  call 7ff7e083b23c  -> 36
    34   7ff7e086a51c-7ff7e086a571  GetCurrentProcess * 2, DuplicateHandle  -> 37, 38
    35   7ff7e086a512-7ff7e086a517  -> 30
    36   7ff7e086a4a3-7ff7e086a4c8  call 7ff7e0810154  -> 46, 47
    37   7ff7e086a58e-7ff7e086a602  memset * 2, GetStartupInfoW  -> 41, 42
    38   7ff7e086a573-7ff7e086a589  call 7ff7e07f60e8  -> 36
    41   7ff7e086a607-7ff7e086a63b  InitializeProcThreadAttributeList, call 7ff7e080d424  -> 49, 50
    42   7ff7e086a604               -> 41
    46   7ff7e086a4ca-7ff7e086a4d6  CloseHandle  -> 47
    47   7ff7e086a4d7-7ff7e086a4e0  -> 28
    49   7ff7e086a63d-7ff7e086a67d  call 7ff7e07f9a04, call 7ff7e0810154  -> 70, 71
    50   7ff7e086a69e-7ff7e086a6bd  InitializeProcThreadAttributeList  -> 51, 52
    51   7ff7e086a734-7ff7e086a76e  UpdateProcThreadAttribute  -> 54, 55
    52   7ff7e086a6bf-7ff7e086a6ff  call 7ff7e07f60e8, call 7ff7e080fd50, call 7ff7e0810154  -> 86
    54   7ff7e086a7cc-7ff7e086a821  UpdateProcThreadAttribute  -> 60, 61
    55   7ff7e086a770               -> 58
    58   7ff7e086a775-7ff7e086a7a4  call 7ff7e07f60e8, DeleteProcThreadAttributeList, call 7ff7e080fd50  -> 85
    60   7ff7e086a82d               -> 65
    61   7ff7e086a823-7ff7e086a828  -> 58
    65   7ff7e086a831-7ff7e086a839  -> 65 (loop), 69
    69   7ff7e086a83b-7ff7e086a862  ExpandEnvironmentStringsW  -> 75, 76
    70   7ff7e086a68c-7ff7e086a699  -> 72
    71   7ff7e086a67f-7ff7e086a68b  CloseHandle  -> 70
    72   7ff7e086a938               -> 77, 78
    75   7ff7e086a8a3-7ff7e086a8b9  call 7ff7e086a1f4  -> 88, 89
    76   7ff7e086a864-7ff7e086a89e  call 7ff7e07f60e8, DeleteProcThreadAttributeList, call 7ff7e080fd50  -> 85
    77   7ff7e086a93a-7ff7e086a941  CloseHandle  -> 78
    78   7ff7e086a946               -> 88
    85   7ff7e086a7a7-7ff7e086a7c7  call 7ff7e0810154  -> 86
    86   7ff7e086a703               -> 91, 92
    88   7ff7e086a950-7ff7e086a967  ExpandEnvironmentStringsW  -> 94, 95
    89   7ff7e086a8bf-7ff7e086a91c  call 7ff7e07f9a04, DeleteProcThreadAttributeList, call 7ff7e080fd50, call 7ff7e0810154  -> 121, 122
    91   7ff7e086a705-7ff7e086a711  CloseHandle  -> 92
    92   7ff7e086a712-7ff7e086a71f  -> 98, 99
    94   7ff7e086a96d-7ff7e086a985  call 7ff7e07f60e8  -> 109
    95   7ff7e086aa01-7ff7e086aa55  CreateProcessW  -> 100, 101
    98   7ff7e086a72d               -> 51
    99   7ff7e086a721-7ff7e086a728  CloseHandle  -> 98
    100  7ff7e086aa57-7ff7e086aa7b  call 7ff7e07f60e8, call 7ff7e086a2a0  -> 109
    101  7ff7e086aa80-7ff7e086aadb  call 7ff7e086a2a0, call 7ff7e0830fbc, call 7ff7e086a264, call 7ff7e0830fbc, call 7ff7e0810154, call 7ff7e0837910 * 2, ExitThread  -> (no successor)
    109  7ff7e086a987-7ff7e086a9d0  call 7ff7e080fd50, DeleteProcThreadAttributeList, call 7ff7e080fd50, call 7ff7e0810154  -> 131, 132
    121  7ff7e086a91e-7ff7e086a92a  CloseHandle  -> 122
    122  7ff7e086a92b-7ff7e086a934  -> 72
    131  7ff7e086a9d2-7ff7e086a9de  CloseHandle  -> 132
    132  7ff7e086a9df-7ff7e086a9ec  -> 133, 134
    133  7ff7e086a9ee-7ff7e086a9f5  CloseHandle  -> 134
    134  7ff7e086a9fa               -> 95
    Reading the graph: the main path 0 -> 3 -> 10 -> 21 -> 28 -> 34 -> 37 -> 41 -> 50 -> 51 -> 54 -> 60 -> 65 -> 69 -> 75 -> 88 -> 95 -> 101 duplicates handles of the current process (34), reads the startup info (37), initialises a thread-attribute list (41, 50), populates it with two UpdateProcThreadAttribute calls (51, 54), expands environment strings (69, 88), calls CreateProcessW (95) and ends the thread with ExitThread (101). Block 95 branches to 100 and then 109 on the other outcome. Blocks 58, 76, 89 and 109 are the tear-down exits: each calls DeleteProcThreadAttributeList and the following blocks close handles (CloseHandle in 14, 24, 46, 71, 77, 91, 99, 121, 131, 133).
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CloseHandle
    • String ID: %WINDIR%\system32\cmd.exe$\Device\ConDrv\Server$\Input$\Output$\Reference$onecore\windows\core\console\open\src\server\entrypoints.cpp
    • API String ID: 2962429428-1317094634
    • Opcode ID: 2fb6155ce4c142ed654327455baf2032791b064daada749f767de5a627f7465d
    • Instruction ID: d58e1b04a2cba54671d3f0b7f541bc409e4677e5df18e73a0c58f7ca9f583c90
    • Opcode Fuzzy Hash: 2fb6155ce4c142ed654327455baf2032791b064daada749f767de5a627f7465d
    • Instruction Fuzzy Hash: 3722A432608A8286E710AB21E8407EDF760FB85BA8FC04232DA5D57BD9DF7CE554CB11
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalEnterEventNotifyNtdllProc_SectionWindow
    • String ID: onecore\windows\core\console\open\src\interactivity\win32\windowproc.cpp$~
    • API String ID: 1545919202-736058143
    • Opcode ID: 85ec1b87d71284b0c9983e4654e457e1ce9ca4ec13fdeaa8fd0d62b9e291da42
    • Instruction ID: ff447a891a20fd7cd481ff2cc06ffc7ca56711755bc27e4587c59df85af9253b
    • Opcode Fuzzy Hash: 85ec1b87d71284b0c9983e4654e457e1ce9ca4ec13fdeaa8fd0d62b9e291da42
    • Instruction Fuzzy Hash: D8729162A0C6438AFA24BB25E450779E7A1FF99744FD44137DA8E43795CE3CF4608B22
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID: VUUUUUUU$invalid deque<T> subscript$invalid unordered_map<K, T> key$invalid vector<T> subscript$onecore\windows\core\console\open\src\buffer\out\textbuffercelliterator.cpp$onecore\windows\core\console\open\src\renderer\base\renderer.cpp
    • API String ID: 0-1200157833
    • Opcode ID: 4a6cfa8453aac8f9fae70810a8c520623c7b5b6ab5367d6bae87c6ed507a9865
    • Instruction ID: d16f77cbb56c82e335a9a6e407377471be04f73acdf16ae4e622366463c835f7
    • Opcode Fuzzy Hash: 4a6cfa8453aac8f9fae70810a8c520623c7b5b6ab5367d6bae87c6ed507a9865
    • Instruction Fuzzy Hash: 8562CE22A18B8585EB20AF65D4503FDB7A1FF54B88F905023EA8D17B5ADF3CE560C721
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
      • Part of subcall function 00007FF7E080FD8C: _o_malloc.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00007FF7E080393E,?,?,?,?,00007FF7E082A040,?,?,?,?,?,?,?), ref: 00007FF7E080FDA6
      • Part of subcall function 00007FF7E07F336C: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E07F33F3
    • CreateWindowExW.USER32 ref: 00007FF7E07F3A07
    • FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E07F3AFB
    • MonitorFromRect.USER32 ref: 00007FF7E081B346
    • MonitorFromRect.USER32 ref: 00007FF7E081B366
    • GetMonitorInfoW.USER32 ref: 00007FF7E081B3A5
      • Part of subcall function 00007FF7E07F3C20: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E07F3C4A
      • Part of subcall function 00007FF7E07F3B50: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E07F3B80
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Monitor$FromLibraryRect$AddressCreateFreeInfoLoadProcWindow_o_mallocmemset
    • String ID: ($ConsoleWindowClass$CreateWindow failed with gle = 0x%x$onecore\windows\core\console\open\src\interactivity\win32\window.cpp$onecore\windows\core\console\open\src\renderer\dx\dxrenderer.cpp
    • API String ID: 1139980140-1952155981
    • Opcode ID: 50eb771a3ee9fdf65174a5cd7481a29a364981a9268b66c08aa05397ad2b211d
    • Instruction ID: bbdb39d408d244f853a1d5cbe2cfd69da453a1ddf7bbfc552f792c6661a9fa23
    • Opcode Fuzzy Hash: 50eb771a3ee9fdf65174a5cd7481a29a364981a9268b66c08aa05397ad2b211d
    • Instruction Fuzzy Hash: 83C17271A087828AEB60EB65E4507BAF7A0FB99744F808036DA8D47755DF3CF464CB21
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    • onecore\windows\core\console\open\src\interactivity\win32\systemconfigurationprovider.cpp, xrefs: 00007FF7E07F433D
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memset$Path$CodeExistsFileInitializePageSearchUninitializeValid
    • String ID: onecore\windows\core\console\open\src\interactivity\win32\systemconfigurationprovider.cpp
    • API String ID: 1996372929-2568609167
    • Opcode ID: 130623dbf95e0c9764bd701d9cf7bcae3037fa7c1d87cbedf5cef16bede689bb
    • Instruction ID: 290b093cfa8c47b8bf5710d81d9c7bf01afd8e070dbd1344b64172a31e094a7d
    • Opcode Fuzzy Hash: 130623dbf95e0c9764bd701d9cf7bcae3037fa7c1d87cbedf5cef16bede689bb
    • Instruction Fuzzy Hash: 9B9174316087828AEB20EF65E8443AAB7A0FF49794F804136DA4D47795DF3CF565CB21
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Heap$Process$AllocCloseEnumFreeOpenValue
    • String ID: *$Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont
    • API String ID: 1259498659-1414037276
    • Opcode ID: 95a25b4c387e207c0183909abcc9ae36269f40b986082016df7b61991ff046e6
    • Instruction ID: 42d307c40f65ef6610f9da97e5654a4b2924b7e410349451ee428eeff216be28
    • Opcode Fuzzy Hash: 95a25b4c387e207c0183909abcc9ae36269f40b986082016df7b61991ff046e6
    • Instruction Fuzzy Hash: 8D619F32A08B82C6E710AF20E4003AAB7E4FB49B55FD44532DA8D577A4DF7CE565CB21
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ControlDeviceInit_thread_footermemset
    • String ID: onecore\windows\core\console\open\src\server\apidispatchers.cpp$onecore\windows\core\console\open\src\server\apimessage.cpp$onecore\windows\core\console\open\src\server\devicecomm.cpp$onecore\windows\core\console\open\src\server\objecthandle.cpp
    • API String ID: 1779181428-3195736410
    • Opcode ID: dbd94078d11fc217706ec849a00fb5915cd96b8e9a403e26537bcbb400a994f5
    • Instruction ID: 4f4b88db8834f8f57b3ae6d1bf53d393734446b94cf5b8e30476f31f82f5b702
    • Opcode Fuzzy Hash: dbd94078d11fc217706ec849a00fb5915cd96b8e9a403e26537bcbb400a994f5
    • Instruction Fuzzy Hash: E8E17D36A09A4289FB10EF65D4403A9A3A5FB58B88F904133EE0D57799DF38F464C762
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Create$Event$ErrorLastThread
    • String ID:
    • API String ID: 933546937-0
    • Opcode ID: 3e705504bee1b986780280c992fec324ae05ee63325228fd33bfdb941f436ccb
    • Instruction ID: 254eb3361a11305c02f3c879237be25ef07491018c1cbfed245c893ce2ec1c09
    • Opcode Fuzzy Hash: 3e705504bee1b986780280c992fec324ae05ee63325228fd33bfdb941f436ccb
    • Instruction Fuzzy Hash: 02315E36B08B5387E724ABA1A04037AEAA0FF8D745F848136CA4D46780DF78F0748721
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CreateInstance$Initialize
    • String ID:
    • API String ID: 1108742289-0
    • Opcode ID: 9405de347dbfd829269eb6ef14b9164b92aa1fec28bf2dfa18d124d9f41105d7
    • Instruction ID: 10be39f181316f509972e27940da6c0385a9d3b3419f0cca04679836cc604eed
    • Opcode Fuzzy Hash: 9405de347dbfd829269eb6ef14b9164b92aa1fec28bf2dfa18d124d9f41105d7
    • Instruction Fuzzy Hash: F3C14C36B09A0792EB10EF69D8402ADB764FB88B98B954033CE0D57364DF38F469C361
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CurrentDebuggerPresentThread
    • String ID:
    • API String ID: 1979983199-0
    • Opcode ID: 08a343c138afcf0e4278cadc290ad3ac2402ddb9d0d3f4566890aecefd591565
    • Instruction ID: 4074ca8e924f85a65acacc16938b4623d91ea79076ce7b12a8b50284f00ca69a
    • Opcode Fuzzy Hash: 08a343c138afcf0e4278cadc290ad3ac2402ddb9d0d3f4566890aecefd591565
    • Instruction Fuzzy Hash: BD814A21A08B8285EA61AF25A840379F7A5FF49B84F945037C98D07365DF3CF860C722
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: LongWindow
    • String ID:
    • API String ID: 1378638983-0
    • Opcode ID: eaccde9b1cf64f8869ceb46db073be90b0a48436feec131d932085be766eb376
    • Instruction ID: 754183eb02c64153c75d1524cda521183dbac244881030a77410abb59755c36b
    • Opcode Fuzzy Hash: eaccde9b1cf64f8869ceb46db073be90b0a48436feec131d932085be766eb376
    • Instruction Fuzzy Hash: A2015631608B81CADA105B56B404179F760FB8EFD0B9C8136EE9D07795DF3CE4618B51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • NtOpenFile.NTDLL ref: 00007FF7E086E20E
      • Part of subcall function 00007FF7E0810000: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803769,?,?,?,?,00007FF7E081B159), ref: 00007FF7E0810010
      • Part of subcall function 00007FF7E086E0D4: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,00007FF7E086E1D3), ref: 00007FF7E086E0F9
      • Part of subcall function 00007FF7E086E0D4: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,00007FF7E086E1D3), ref: 00007FF7E086E130
    • _Init_thread_footer.LIBCMT ref: 00007FF7E086E1E7
      • Part of subcall function 00007FF7E080FF98: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803790,?,?,?,?,00007FF7E081B159), ref: 00007FF7E080FFA8
      • Part of subcall function 00007FF7E080FF98: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803790,?,?,?,?,00007FF7E081B159), ref: 00007FF7E080FFE8
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalSection$Enter$AddressFileInit_thread_footerLeaveLibraryLoadOpenProc_onexit
    • String ID:
    • API String ID: 3950269274-0
    • Opcode ID: 4a57cf8ef95a6fa6ad051b5736db962d27c8695b47695afc9f959abf5f25bdc2
    • Instruction ID: 62102d6cdd70289c05abae2ab706e0713e5e90134efd4f4ccb7c20ecb858f578
    • Opcode Fuzzy Hash: 4a57cf8ef95a6fa6ad051b5736db962d27c8695b47695afc9f959abf5f25bdc2
    • Instruction Fuzzy Hash: 2A114F35A08A4196E710EB15F840366F760FB85794F904133EA4D53BA5CE3CF965CF22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: DelayLoadedResolve
    • String ID:
    • API String ID: 841769287-0
    • Opcode ID: d4bcf5648cf3a719f65998386e3ed87ae81a2469b60f108fe8cbda3770a06d38
    • Instruction ID: e9940666b51a2946455373ac65ade06cdb120be9dac03a00bbf6e8dc3dd6f9e3
    • Opcode Fuzzy Hash: d4bcf5648cf3a719f65998386e3ed87ae81a2469b60f108fe8cbda3770a06d38
    • Instruction Fuzzy Hash: 2BE0B674A08A818AE610AB44E800264FB60FB49795FC04277D94C57324DF3CB164CB65
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • _o_malloc.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00007FF7E080393E,?,?,?,?,00007FF7E082A040,?,?,?,?,?,?,?), ref: 00007FF7E080FDA6
    • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7E080FDBC
      • Part of subcall function 00007FF7E0810964: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7E081096D
      • Part of subcall function 00007FF7E0810964: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,00007FF7E080FDC1,?,?,00000000,00007FF7E080393E), ref: 00007FF7E081097E
    • InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E080FDF5
    • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E080FE03
    • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E080FE19
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E080FE36
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E080FE4A
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E080FE5E
    • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E080FEF7
    • DeleteCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E080FF3B
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7E080FF4D
      • Part of subcall function 00007FF7E08103A0: IsProcessorFeaturePresent.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1 ref: 00007FF7E08103BC
      • Part of subcall function 00007FF7E08103A0: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E08103E0
      • Part of subcall function 00007FF7E08103A0: RtlCaptureContext.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF7E08103E9
      • Part of subcall function 00007FF7E08103A0: RtlLookupFunctionEntry.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF7E0810403
      • Part of subcall function 00007FF7E08103A0: RtlVirtualUnwind.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF7E0810444
      • Part of subcall function 00007FF7E08103A0: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E0810477
      • Part of subcall function 00007FF7E08103A0: IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FF7E0810498
      • Part of subcall function 00007FF7E08103A0: SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7E08104B9
      • Part of subcall function 00007FF7E08103A0: UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7E08104C4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: AddressExceptionHandleProc$CriticalFilterModulePresentSectionUnhandledmemset$CaptureCloseConcurrency::cancel_current_taskContextCountCreateDebuggerDeleteEntryEventFeatureFunctionInitializeLookupProcessorSpinThrowUnwindVirtual_o_mallocstd::bad_alloc::bad_alloc
    • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
    • API String ID: 683641506-1714406822
    • Opcode ID: 89482b8a29658c4957c474c3bd8516f9c8688f04d070855abcecea634f7f21d8
    • Instruction ID: 67da92f9da6cbe162c254bf36717d82f1bb55ce951566249d4deefbfe8a2f710
    • Opcode Fuzzy Hash: 89482b8a29658c4957c474c3bd8516f9c8688f04d070855abcecea634f7f21d8
    • Instruction Fuzzy Hash: D5416010A09B0382FA14BB24E810376E290BF567A4FD45633C91D667E6DF3CF8658632
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Open$CurrentUser
    • String ID: Console
    • API String ID: 688027284-4190041642
    • Opcode ID: fc13efb3c6ea6ebafb38fb605395a0d4d6430630945e86f989dda7effe20daf3
    • Instruction ID: 9089fbadee4ef72e4882b0fdccef959cc3303d89768f32cd442746bd8ffd41b9
    • Opcode Fuzzy Hash: fc13efb3c6ea6ebafb38fb605395a0d4d6430630945e86f989dda7effe20daf3
    • Instruction Fuzzy Hash: 43416431608F42CAE710AF65E844378BBA0FB4DBA9F855232DA4E47794DF7CE4548321
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Graph image not captured; its node listing showed the function at 7ff7e07f8af4 with blocks calling GetClientRect (7ff7e07f8af4), GetDC (7ff7e07f8b88) and DeleteObject/DeleteDC (7ff7e07f8bf3, 7ff7e07f8d0c, and the out-of-line blocks 7ff7e081c86c/7ff7e081c879), plus repeated calls to the helper at 7ff7e07f9a04 from the out-of-line region 7ff7e081c7e8-7ff7e081c8ed.
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Delete$Object$ClientRect
    • String ID: $onecore\windows\core\console\open\src\renderer\gdi\paint.cpp
    • API String ID: 3225647489-3907913552
    • Opcode ID: 0957ca3f2d78c0b5a0fe66ec131cf66af33073c9cc4b9ebdbd41c3cd4258681e
    • Instruction ID: 9bb44451ef964b49f13be0458a71dd3021725576c9629a743e055cad6c3f5867
    • Opcode Fuzzy Hash: 0957ca3f2d78c0b5a0fe66ec131cf66af33073c9cc4b9ebdbd41c3cd4258681e
    • Instruction Fuzzy Hash: EE818431A097818AEA50AB51A44077AFBA1FF8EB81F85A036CD0E57754DF3CF465CB12
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Menu$Load$String$Append$InfoItemSystemmemset
    • String ID:
    • API String ID: 398140726-0
    • Opcode ID: c08555cc84f6c1548c84f533c10935f9dc63a1cdd43766967cfbe5da3ba769fb
    • Instruction ID: 498ebf7581caaeb4ed495de73f327a7e55996134b0db81f0ae70c92729455edf
    • Opcode Fuzzy Hash: c08555cc84f6c1548c84f533c10935f9dc63a1cdd43766967cfbe5da3ba769fb
    • Instruction Fuzzy Hash: 02516B35B04B468AF700AF61E4447B9ABA0FB89B94F848532CD0D67B54DF38E529CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Graph image not captured; its node listing showed the function at 7ff7e07f6740 with blocks calling memset and MulDiv (7ff7e07f67c0), _o_wcscpy_s (7ff7e07f6857), MulDiv (7ff7e07f698f) and DeleteObject/DeleteDC (7ff7e07f69b0), plus calls to the helper at 7ff7e07f9a04 from the out-of-line region 7ff7e081c28c-7ff7e081c33f.
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Delete$Object_o_wcscpy_smemsetwcsnlen
    • String ID: Terminal$onecore\windows\core\console\open\src\renderer\gdi\state.cpp
    • API String ID: 459465077-367812907
    • Opcode ID: e5077dd480a39a492637a9a452f2f1d27335631b0803523240b5f8da18139766
    • Instruction ID: f93aac7e6594123d08862cf0babd977fbed449a28d2bf3821f82b43c6f882048
    • Opcode Fuzzy Hash: e5077dd480a39a492637a9a452f2f1d27335631b0803523240b5f8da18139766
    • Instruction Fuzzy Hash: 58A164326086828AEB10AB61E4407BEF761FB8AB85F949037DE4E57754CF3DE424C712
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Graph image not captured; its node listing showed the function at 7ff7e0808318 with blocks calling RegOpenKeyW (7ff7e0808379, 7ff7e080850f) and RegCloseKey (7ff7e08084a1, 7ff7e08084c1, 7ff7e080853c), with an out-of-line region at 7ff7e0822afc-7ff7e0822b61.
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Open$Close$CompareCurrentDirectoryOrdinalQueryStringUserValueWindows
    • String ID: CodePage$ColorTable%02u$WindowPosition
    • API String ID: 2278421442-3581126301
    • Opcode ID: e5592a74f416dfd74213d25434947a49eb3ceee9e85fc7aa61e34401f8c42edf
    • Instruction ID: f32d9de8850b2e46ec71a21ae706313f8cd9b7f8db61ec34348da9417a6c66c6
    • Opcode Fuzzy Hash: e5592a74f416dfd74213d25434947a49eb3ceee9e85fc7aa61e34401f8c42edf
    • Instruction Fuzzy Hash: 2C616036B18A42C5FA10EB15E84077AA7A0FB88B88FC05032DE8E57755DE7CF465CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: __scrt_acquire_startup_lock__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_o__cexit_o__exit_o__get_wide_winmain_command_line_register_thread_local_exe_atexit_callback
    • String ID:
    • API String ID: 105026157-0
    • Opcode ID: 86571d060c2f4b11015df3e24945bd3ae71d8f93e48ff83bbd6313533f7ff502
    • Instruction ID: 83f0e171240bc75963bc1fb700f0085674e13d82f44810e16e68a7d82bb017f5
    • Opcode Fuzzy Hash: 86571d060c2f4b11015df3e24945bd3ae71d8f93e48ff83bbd6313533f7ff502
    • Instruction Fuzzy Hash: 1D315D11A0D24346FA14B76498113BAE381AF95348FC48037E54E6BBD3DE7CBC248A73
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ControlDevice$memset
    • String ID: DeviceIoControl failed with Result 0x%x$onecore\windows\core\console\open\src\server\apimessage.cpp$onecore\windows\core\console\open\src\server\devicecomm.cpp
    • API String ID: 3112380785-4252510830
    • Opcode ID: bbb6972217592379cf6a994356aca5b19b6f3177f366266d7923d9f6016e52ac
    • Instruction ID: f10468f6d205ee645176bf5b52ad154b7fa2820b11bb1d0e671fd45f84c1e84d
    • Opcode Fuzzy Hash: bbb6972217592379cf6a994356aca5b19b6f3177f366266d7923d9f6016e52ac
    • Instruction Fuzzy Hash: EB716F32A08B8286FB10EF65E4407ADB7A5FB89798F904036EA4D57B55DF38F460CB11
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
      • Part of subcall function 00007FF7E08075E4: GetOEMCP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7E080762B
      • Part of subcall function 00007FF7E08075E4: GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7E080763D
    • CreateEventExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E08079A9
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7E08079C1
    • CreateEventExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E08079F4
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7E0807A0C
      • Part of subcall function 00007FF7E080BE64: DeviceIoControl.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E086A183), ref: 00007FF7E080BE91
    • CreateThread.KERNELBASE ref: 00007FF7E0807A87
    • FindCloseChangeNotification.KERNELBASE ref: 00007FF7E0807A9F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Create$ErrorEventLast$ChangeCloseControlDeviceFindNotificationThread
    • String ID: onecore\windows\core\console\open\src\host\srvinit.cpp
    • API String ID: 2061414795-2090781281
    • Opcode ID: 69c753e179489be78ab4b29c0059f47dc3d6574d130b7caa6291e01be3c964b2
    • Instruction ID: 86064be9bef83262677642531f8789364e74b151c9d7a5b013dee5dc75af0d4f
    • Opcode Fuzzy Hash: 69c753e179489be78ab4b29c0059f47dc3d6574d130b7caa6291e01be3c964b2
    • Instruction Fuzzy Hash: 2C418A21B0C64392FB24BB61A4503BAE691FF98744FD48037DA4E4A796DE3CF5258732
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00007FF7E07F2F43), ref: 00007FF7E07F30DE
    • SetWindowsHookExW.USER32 ref: 00007FF7E07F30FA
      • Part of subcall function 00007FF7E07F633C: GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,00000000,00007FF7E07F3128,?,?,00000000,00007FF7E07F2F43), ref: 00007FF7E07F6382
      • Part of subcall function 00007FF7E07F633C: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,00000000,00007FF7E07F3128,?,?,00000000,00007FF7E07F2F43), ref: 00007FF7E07F6390
      • Part of subcall function 00007FF7E07F3190: SetActiveWindow.USER32 ref: 00007FF7E07F31B3
      • Part of subcall function 00007FF7E07F3190: ShowWindow.USER32 ref: 00007FF7E07F31C4
    • NotifyWinEvent.USER32 ref: 00007FF7E07F3168
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,000001C82450C120,00007FF7E0807022), ref: 00007FF7E081B15C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Current$ThreadWindow$ActiveErrorEventHookLastNotifyProcessShowWindows
    • String ID: CreateWindowsWindow failed with status 0x%x, gle = 0x%x$onecore\windows\core\console\open\src\interactivity\win32\window.cpp$onecore\windows\core\console\open\src\interactivity\win32\windowio.cpp
    • API String ID: 387974148-1859572769
    • Opcode ID: e9a91b82687fc7275b53282cedb79e64168926d00ad800e9861367d6a42509e4
    • Instruction ID: 4b853105d108a5245ca85d204f56d2b00c5032c115258be3c4203bf485f50b80
    • Opcode Fuzzy Hash: e9a91b82687fc7275b53282cedb79e64168926d00ad800e9861367d6a42509e4
    • Instruction Fuzzy Hash: B2415E25A08A4396EA10BB25E8503B9EBA0FF9DB84BC45033DA0D47765DE3CF464C722
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ClassCursorErrorInit_thread_footerLastLoadRegister
    • String ID: +$ConsoleWindowClass$P$onecore\windows\core\console\open\src\interactivity\win32\window.cpp
    • API String ID: 3666843503-2508929681
    • Opcode ID: bd104d6fa308457d559e0cb38f5776f2eabad12d9d87308f057094b38c31f259
    • Instruction ID: d724172bcc853395d6b480b78fb537cbb63d54da1dca372407f81c64d3c5afe0
    • Opcode Fuzzy Hash: bd104d6fa308457d559e0cb38f5776f2eabad12d9d87308f057094b38c31f259
    • Instruction Fuzzy Hash: 0F316D32E04B529AEB00EBA0E4442ADB7B4FB48788F904237DE4D53B54DF38E565C761
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID: UUUUUUUU$vector<T> too long
    • API String ID: 0-1961640351
    • Opcode ID: da7c582c3a34ec837d2802e32e4152bd5b95ce8900358520e789fd5473c5f954
    • Instruction ID: b2fbac31c4b6c4bcc5e4001c156add6b75b473ecf2243b27eda44161e41164f6
    • Opcode Fuzzy Hash: da7c582c3a34ec837d2802e32e4152bd5b95ce8900358520e789fd5473c5f954
    • Instruction Fuzzy Hash: E991CE33619B8085D720EF15E84476EB7B8FB99790F964226DAAD43794DF38E0A1C311
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E0808200: RegOpenCurrentUser.KERNELBASE ref: 00007FF7E0808238
      • Part of subcall function 00007FF7E0808200: RegOpenKeyW.ADVAPI32 ref: 00007FF7E0808272
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7E0816F0D
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7E0816F21
      • Part of subcall function 00007FF7E082763C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FF7E0816F38), ref: 00007FF7E0827648
    • IIDFromString.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF7E0816FE3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ErrorLastOpen$CloseCurrentFromStringUser
    • String ID: %%Startup$N$onecore\windows\core\console\open\src\propslib\delegationconfig.cpp
    • API String ID: 3802179046-4239833828
    • Opcode ID: 7faab78157e642b59734033c18791615cb718cbafc4c69f633b7d1252390dc66
    • Instruction ID: f1f4d2dfbe598f794f78b62282bab0165aad5ef4a0bb48e05b8f28f37a1515d3
    • Opcode Fuzzy Hash: 7faab78157e642b59734033c18791615cb718cbafc4c69f633b7d1252390dc66
    • Instruction Fuzzy Hash: C8818222A09B8186F710AB24E8402B9B770FF99744F916236EA8D53765DF3DF5A0C721
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • onecore\windows\core\console\open\src\renderer\base\thread.cpp, xrefs: 00007FF7E0825D03
    Similarity
    • API ID: EventObjectSingleWait$ResetSleep
    • String ID: onecore\windows\core\console\open\src\renderer\base\thread.cpp
    • API String ID: 1999667587-1671638080
    • Opcode ID: 84ec2b8fe5a6cc1f73e90be529820d4510c89e4cff8a1aefdf7c77b915609e09
    • Instruction ID: 0b7488fb375c76ecc3ad522c1fa65863507d2cb69e90b5a43032ffa8c6c0c612
    • Opcode Fuzzy Hash: 84ec2b8fe5a6cc1f73e90be529820d4510c89e4cff8a1aefdf7c77b915609e09
    • Instruction Fuzzy Hash: 83113D26A08A4286EB50AF35D450378ABA0FF89F59F945232CD5E573A1CF38F4658322
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: InvertRect
    • String ID: onecore\windows\core\console\open\src\renderer\gdi\paint.cpp
    • API String ID: 3660401689-3409953778
    • Opcode ID: 3ef4159072fe74af2585ad147ba53bbe3bf49334057d50279dd4d4bc3400aa08
    • Instruction ID: c32f333c746b10b7611803d07de4d14c82b0154a963d0b4473b3d3b63436a101
    • Opcode Fuzzy Hash: 3ef4159072fe74af2585ad147ba53bbe3bf49334057d50279dd4d4bc3400aa08
    • Instruction Fuzzy Hash: 3312C122A4864286F720EB60D0442BDB7A2FB58758FD19237DA0D17B95DF3CF5A1C326
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E080D800: EventRegister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0(?,?,?,?,?,?,000001C82450C120,00007FF7E080733E), ref: 00007FF7E080D84C
      • Part of subcall function 00007FF7E080D800: EventSetInformation.API-MS-WIN-EVENTING-PROVIDER-L1-1-0(?,?,?,?,?,?,000001C82450C120,00007FF7E080733E), ref: 00007FF7E080D871
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7E08093D5
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7E08093E9
    • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7E08093F8
      • Part of subcall function 00007FF7E07F8538: CommandLineToArgvW.API-MS-WIN-SHCORE-OBSOLETE-L1-1-0 ref: 00007FF7E07F85B6
    • EventUnregister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FF7E080949B
    • SetProcessShutdownParameters.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7E08094B3
    • ExitThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7E08094C1
      • Part of subcall function 00007FF7E08077E8: RegOpenKeyExW.KERNELBASE ref: 00007FF7E0807817
      • Part of subcall function 00007FF7E08077E8: RegQueryValueExW.KERNELBASE ref: 00007FF7E0807859
    Similarity
    • API ID: Event$CommandHandleLine$ArgvExitInformationOpenParametersProcessQueryRegisterShutdownThreadUnregisterValue
    • String ID:
    • API String ID: 3181419396-0
    • Opcode ID: a1c4ee5ea7b59342cb05d75793bd8c418fbe2ac6402cb65e3a1fbd8b9118c587
    • Instruction ID: 611880ca697e5a3f8f97b107a9ce3ebbd101d5f209a702268ca17880b77c467f
    • Opcode Fuzzy Hash: a1c4ee5ea7b59342cb05d75793bd8c418fbe2ac6402cb65e3a1fbd8b9118c587
    • Instruction Fuzzy Hash: 6B418C21B08A829AFB10BB70D4502BDB7A0BF58388FD10177DA4D5A796DE38F465C362
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: onecore\windows\core\console\open\src\renderer\gdi\paint.cpp$onecore\windows\core\console\open\src\renderer\gdi\state.cpp
    • API String ID: 0-357235055
    • Opcode ID: 077f840fea9819a06087a83384223d9309759567d531e3daf935357b79ba7af2
    • Instruction ID: c3852494801ab4ae59309850bfa9304067195f55b597ed0baa3e4acfa01eb507
    • Opcode Fuzzy Hash: 077f840fea9819a06087a83384223d9309759567d531e3daf935357b79ba7af2
    • Instruction Fuzzy Hash: 35616231A08A8285FB50AB25E4407B9E7A0FF84B98FD44133DA4E57795DF3CF4A58722
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID: QueryValue
    • String ID: AllowAltF4Close$WordDelimiters
    • API String ID: 3660427363-1684327172
    • Opcode ID: 2797744265af84ea1eb56430fcc3294bf2633fa174054370e8285b95abd3f1f1
    • Instruction ID: 45f72c993aabc796d49a8e70189d72c262b051fc13dcd7ab15540ad90911f553
    • Opcode Fuzzy Hash: 2797744265af84ea1eb56430fcc3294bf2633fa174054370e8285b95abd3f1f1
    • Instruction Fuzzy Hash: BB619A36B18A4285EB54EB21E4406ADB7A1FB68788F801032DE8D53B59CF3CF465CB11
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7E08090EA
    • CreateMutexW.KERNELBASE ref: 00007FF7E0809132
      • Part of subcall function 00007FF7E0809200: WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E0809219
      • Part of subcall function 00007FF7E0808DB0: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E0808E61
      • Part of subcall function 00007FF7E0808DB0: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E0808E7C
      • Part of subcall function 00007FF7E080E134: ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E080E138
    Strings
    Similarity
    • API ID: Mutexmemset$CreateCurrentObjectProcessReleaseSingleWait
    • String ID: Local\SM0:%d:%d:%hs$wil$x
    • API String ID: 588896006-630742106
    • Opcode ID: 60032cc7b009ede1fe2acf72d49425f035304dc705b6817203536b47d7b41713
    • Instruction ID: fd172c5427464511872ca3bdb842d6091e5c9f9e56d32a03633fc0b77018ff12
    • Opcode Fuzzy Hash: 60032cc7b009ede1fe2acf72d49425f035304dc705b6817203536b47d7b41713
    • Instruction Fuzzy Hash: 5D418232618A4296FB14AB21E4403FAE3A0FF98784FC45032EA8E47756DE7CF465C751
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: OpenQueryValue
    • String ID: Console$ForceV2
    • API String ID: 4153817207-204486278
    • Opcode ID: 71234e7760d4f20a33a0bbf8ffc25d87a8b8842a46504550143a2fec4486d5d4
    • Instruction ID: 9823894f01b9acdf436ef8ad6ff1067c852b297fe9f0396c4334f4842234ac44
    • Opcode Fuzzy Hash: 71234e7760d4f20a33a0bbf8ffc25d87a8b8842a46504550143a2fec4486d5d4
    • Instruction Fuzzy Hash: BB117232E18A42C6FB20AB50E40437AF7A4FB85799FD04232DA8D42B64DF7CE454CB25
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E080FD8C: _o_malloc.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00007FF7E080393E,?,?,?,?,00007FF7E082A040,?,?,?,?,?,?,?), ref: 00007FF7E080FDA6
      • Part of subcall function 00007FF7E080FD8C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7E080FDBC
      • Part of subcall function 00007FF7E080FD8C: InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E080FDF5
      • Part of subcall function 00007FF7E080FD8C: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E080FE03
      • Part of subcall function 00007FF7E080FD8C: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E080FE19
      • Part of subcall function 00007FF7E080FD8C: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E080FE36
      • Part of subcall function 00007FF7E080FD8C: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E080FE4A
      • Part of subcall function 00007FF7E080FD8C: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E080FE5E
      • Part of subcall function 00007FF7E07F4890: CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E07F48B2
      • Part of subcall function 00007FF7E07F4890: CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E07F48E4
      • Part of subcall function 00007FF7E07F4890: CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E07F490D
      • Part of subcall function 00007FF7E07F4890: CreateThread.KERNELBASE ref: 00007FF7E07F4943
      • Part of subcall function 00007FF7E07F474C: ~_Func_class.LIBCONCRT ref: 00007FF7E07F4786
      • Part of subcall function 00007FF7E0802BCC: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000001,?,00000000,00007FF7E0875ED6,?,?,?,?,00000000,00007FF7E0824487), ref: 00007FF7E0802BFC
    • WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E07F4638
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E07F465A
    • FindCloseChangeNotification.KERNELBASE ref: 00007FF7E07F4669
    Strings
    Similarity
    • API ID: Create$AddressCriticalEventProcSection$HandleModule$ChangeCloseConcurrency::cancel_current_taskCountEnterFindFunc_classInitializeLeaveNotificationObjectSingleSpinThreadWait_o_malloc
    • String ID: onecore\windows\core\console\open\src\host\srvinit.cpp
    • API String ID: 2405433026-2090781281
    • Opcode ID: 9dc250b217d863a623bee425c3f180cb7d9fcbe0af7a11138e4df1584ce87291
    • Instruction ID: b924f116f9a929d5a31aff5aa6a1af1b197f0662cc316b33dde0c01b9ff16ae0
    • Opcode Fuzzy Hash: 9dc250b217d863a623bee425c3f180cb7d9fcbe0af7a11138e4df1584ce87291
    • Instruction Fuzzy Hash: F5916D21A08B828AEB20BB51E4503BAA7A4FF99754F804133CA4D47796DF7CF474C722
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: DeleteObject$_o_wcscpy_smemset
    • String ID: onecore\windows\core\console\open\src\renderer\gdi\state.cpp
    • API String ID: 2027464467-181080528
    • Opcode ID: 73e345f51cd89fd9c63c104ba66e475015b57add9a2206fd59f4b46000c648f2
    • Instruction ID: 8dc7fb2d6c5f032879d0880060a0d0f29bff6e2dfb6a25bd367c7a69962ec308
    • Opcode Fuzzy Hash: 73e345f51cd89fd9c63c104ba66e475015b57add9a2206fd59f4b46000c648f2
    • Instruction Fuzzy Hash: 72413D32A09A829BEB40AB61E4403B9A760FF49B81F945037DA4E93751DF38F475C722
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: DeleteObjectRelease
    • String ID: onecore\windows\core\console\open\src\renderer\gdi\state.cpp
    • API String ID: 111263778-181080528
    • Opcode ID: fb49ace60a9cb14482e76d2d3fe04202ba201d533200a15313111d77437a7515
    • Instruction ID: 4ae4c7a4776fcd46c02c68511d9099726b8c134a43df40ce71467e0a06525c7c
    • Opcode Fuzzy Hash: fb49ace60a9cb14482e76d2d3fe04202ba201d533200a15313111d77437a7515
    • Instruction Fuzzy Hash: 60318D61B0DA8396EA54AB51A440379E764FF88B80F848037DE4E57B54CF3CF0758B22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: InformationToken$ErrorLast
    • String ID: onecore\internal\sdk\inc\wil\opensource\wil\token_helpers.h
    • API String ID: 2567405617-2881811202
    • Opcode ID: 67d32a1ae32010cc25eb9c886df297ba97b8570a00a158c54a86b82b8b995226
    • Instruction ID: 937a11781efd46cc9334e07e8d41fd4372119cf2dd2c1c3254fda4f2a2a458d9
    • Opcode Fuzzy Hash: 67d32a1ae32010cc25eb9c886df297ba97b8570a00a158c54a86b82b8b995226
    • Instruction Fuzzy Hash: 5F318322B0864282FB106B15E80177AE761EFC57D4FE48132DA4D17B95DE3DF4668712
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E080FD8C: _o_malloc.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00007FF7E080393E,?,?,?,?,00007FF7E082A040,?,?,?,?,?,?,?), ref: 00007FF7E080FDA6
    • GetOEMCP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7E080762B
    • GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7E080763D
      • Part of subcall function 00007FF7E080FD8C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7E080FDBC
      • Part of subcall function 00007FF7E080FD8C: InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E080FDF5
      • Part of subcall function 00007FF7E080FD8C: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E080FE03
      • Part of subcall function 00007FF7E080FD8C: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E080FE19
      • Part of subcall function 00007FF7E080FD8C: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E080FE36
      • Part of subcall function 00007FF7E080FD8C: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E080FE4A
      • Part of subcall function 00007FF7E080FD8C: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E080FE5E
      • Part of subcall function 00007FF7E0807F10: RegOpenKeyW.ADVAPI32 ref: 00007FF7E0807F70
      • Part of subcall function 00007FF7E0807F10: RegEnumValueW.KERNELBASE ref: 00007FF7E0807FCE
      • Part of subcall function 00007FF7E0807F10: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7E0807FF3
      • Part of subcall function 00007FF7E0807F10: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7E080800D
    Strings
    • onecore\windows\core\console\open\src\server\devicecomm.cpp, xrefs: 00007FF7E08076E8
    • onecore\windows\core\console\open\src\host\renderfontdefaults.cpp, xrefs: 00007FF7E0807677
    Similarity
    • API ID: AddressProc$HandleHeapModule$AllocConcurrency::cancel_current_taskCountCriticalEnumInitializeOpenProcessSectionSpinValue_o_malloc
    • String ID: onecore\windows\core\console\open\src\host\renderfontdefaults.cpp$onecore\windows\core\console\open\src\server\devicecomm.cpp
    • API String ID: 4221633738-3638091250
    • Opcode ID: a2723e1037f0bd41d12e8eed9f5bcfafa84f49ef05180da3c4f3de3927b019ac
    • Instruction ID: 0830a2289f52925f65167ea43116d68fbb926ea3557568431a913d7f0597f8d8
    • Opcode Fuzzy Hash: a2723e1037f0bd41d12e8eed9f5bcfafa84f49ef05180da3c4f3de3927b019ac
    • Instruction Fuzzy Hash: B8313035A08A4286F605BB54E4003B9B7A1FF54754FC44232D99D877A2EF3DF4648722
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E07F2D08: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7E07F2DD3
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E07F2F1E
    • GetMessageW.USER32 ref: 00007FF7E07F2F6E
    • DispatchMessageW.USER32 ref: 00007FF7E07F2F9F
      • Part of subcall function 00007FF7E07F308C: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00007FF7E07F2F43), ref: 00007FF7E07F30DE
      • Part of subcall function 00007FF7E07F308C: SetWindowsHookExW.USER32 ref: 00007FF7E07F30FA
      • Part of subcall function 00007FF7E07F308C: NotifyWinEvent.USER32 ref: 00007FF7E07F3168
    Similarity
    • API ID: Message$CriticalCurrentDispatchEnterEnvironmentEventHookNotifySectionThreadVariableWindows
    • String ID:
    • API String ID: 1259943464-0
    • Opcode ID: ccf14bf73a039b9fec25a85e6546e9a236cec985bc75126feac83c117555f8d6
    • Instruction ID: e8709d9e800c8021ab4b8cdf48f585d98b8a4e28bb4e70b7ed1b5d911accb680
    • Opcode Fuzzy Hash: ccf14bf73a039b9fec25a85e6546e9a236cec985bc75126feac83c117555f8d6
    • Instruction Fuzzy Hash: F2314C25E18A4299FB00BB6198913B9F7A0AF69744FC44037EA1D43796DE3CF4758622
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • default_delete.LIBCPMT ref: 00007FF7E086CA5D
      • Part of subcall function 00007FF7E0842F00: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000028,00007FF7E08502AF,?,?,?,?,00000000,?,00000000,00007FF7E08501BC), ref: 00007FF7E0842F2D
    • _o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7E086CA83
    Strings
    Similarity
    • API ID: _o_terminatedefault_deletememset
    • String ID: onecore\windows\core\console\open\src\server\apidispatchers.cpp
    • API String ID: 1132286936-3284698556
    • Opcode ID: fde5961494f2eff5e4237dbb3e4d5b6568c0184219e4f839cfbc981fde5951a4
    • Instruction ID: 189b2e2456b2b8855ad4d5a7035f6848dd0c5138a862b1cbb70f05ac074deb36
    • Opcode Fuzzy Hash: fde5961494f2eff5e4237dbb3e4d5b6568c0184219e4f839cfbc981fde5951a4
    • Instruction Fuzzy Hash: 0BC18175A0868282EA70AB55B0407BAE791FF94B80F918037DA8D47B55DF3CF464C762
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E07F8F28: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00007FF7E07F635D,?,?,?,?,00000000,00007FF7E07F3128,?,?,00000000,00007FF7E07F2F43), ref: 00007FF7E07F8F31
      • Part of subcall function 00007FF7E080FD8C: _o_malloc.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00007FF7E080393E,?,?,?,?,00007FF7E082A040,?,?,?,?,?,?,?), ref: 00007FF7E080FDA6
      • Part of subcall function 00007FF7E08039D4: OpenProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1 ref: 00007FF7E0803A52
    • ?_Xlength_error@std@@YAXPEBD@Z.MSVCP_WIN ref: 00007FF7E0821D9B
    Strings
    Similarity
    • API ID: CurrentOpenProcessThreadXlength_error@std@@_o_malloc
    • String ID: list<T> too long$onecore\windows\core\console\open\src\server\processlist.cpp
    • API String ID: 584409634-208596408
    • Opcode ID: a0d2ce8b8050471da4974daf0101d702b93ebc83116f7af41c4a3d9b9280f2a5
    • Instruction ID: a6d590fef88f1ad8d3f3ebecfdb3595b6f1085d7de79a7569f2ded40b95838e9
    • Opcode Fuzzy Hash: a0d2ce8b8050471da4974daf0101d702b93ebc83116f7af41c4a3d9b9280f2a5
    • Instruction Fuzzy Hash: 47519F32A08A4186EB54AB15E050379B7E0FB94B88F949436DB8D47B96CF3CF861C721
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: AddressProc
    • String ID: DarkMode_Explorer$onecore\windows\core\console\open\src\interactivity\win32\windowtheme.cpp
    • API String ID: 190572456-2049200211
    • Opcode ID: 0cd93e2ea6b2b49560b1f9e83bf05438ba2dfbb9cf8b0e9135c03fb704ef9d77
    • Instruction ID: 7d97bd7879f6be1a9177f5911a82366968a8104be7b24ad4bb0075015c488c2b
    • Opcode Fuzzy Hash: 0cd93e2ea6b2b49560b1f9e83bf05438ba2dfbb9cf8b0e9135c03fb704ef9d77
    • Instruction Fuzzy Hash: F4318E61A0CB439AFB50AB54A49037AA761EF4A780FD06033C90E53391DF3CF468C622
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: ChangeClaimsCloseFindNotificationOpenPackageProcessQueryToken
    • String ID: onecore\windows\core\console\open\src\server\processpolicy.cpp
    • API String ID: 3297886754-2159332910
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: ClientRectVisibleWindow
    • String ID: onecore\windows\core\console\open\src\renderer\gdi\paint.cpp
    • API String ID: 2093131216-3409953778
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: Paint$Begin
    • String ID: onecore\windows\core\console\open\src\interactivity\win32\windowproc.cpp
    • API String ID: 3787552996-255808027
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: DeleteFillObjectRect
    • String ID: onecore\windows\core\console\open\src\renderer\gdi\paint.cpp
    • API String ID: 1372181131-3409953778
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E0817FFC: GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF7E0818042
      • Part of subcall function 00007FF7E0817FFC: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7E0818056
    • GetSidSubAuthorityCount.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF7E081823C
    • GetSidSubAuthority.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF7E0818252
    Strings
    Similarity
    • API ID: Authority$CountErrorInformationLastToken
    • String ID: onecore\windows\core\console\conint\processpolicy.cpp
    • API String ID: 184111022-3682059561
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: AddressProc
    • String ID: EnableChildWindowDpiMessage
    • API String ID: 190572456-233965631
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E080CAFC: LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,00007FF7E07F4BE5), ref: 00007FF7E080CB11
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7E0826A56
    • FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E0826A85
    Similarity
    • API ID: Library$ErrorFreeLastLoad
    • String ID:
    • API String ID: 1501378888-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?_Xout_of_range@std@@YAXPEBD@Z.MSVCP_WIN(?,?,?,?,?,?,?,?,00007FF7E07F31F0,?,?,00000000,00007FF7E07F313B,?,?,00000000), ref: 00007FF7E081E86B
    Strings
    Similarity
    • API ID: Xout_of_range@std@@
    • String ID: invalid deque<T> subscript
    • API String ID: 1960685668-2228476695
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E080FD8C: _o_malloc.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00007FF7E080393E,?,?,?,?,00007FF7E082A040,?,?,?,?,?,?,?), ref: 00007FF7E080FDA6
    • OpenProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1 ref: 00007FF7E0803A52
      • Part of subcall function 00007FF7E07F8E58: OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7E07F8E8C
      • Part of subcall function 00007FF7E07F8E58: FindCloseChangeNotification.KERNELBASE ref: 00007FF7E07F8F01
    Strings
    • onecore\windows\core\console\open\src\server\processhandle.cpp, xrefs: 00007FF7E0821B40
    Similarity
    • API ID: OpenProcess$ChangeCloseFindNotificationToken_o_malloc
    • String ID: onecore\windows\core\console\open\src\server\processhandle.cpp
    • API String ID: 2776094353-196835915
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DeviceIoControl.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E086A183), ref: 00007FF7E080BE91
    Strings
    • onecore\windows\core\console\open\src\server\devicecomm.cpp, xrefs: 00007FF7E0826283
    Similarity
    • API ID: ControlDevice
    • String ID: onecore\windows\core\console\open\src\server\devicecomm.cpp
    • API String ID: 2352790924-3100342381
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: LibraryLoad
    • String ID: ext-ms-win-ntuser-window-l1-1-0
    • API String ID: 1029625771-2367781076
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E0803C9E
      • Part of subcall function 00007FF7E07F6C80: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E07F6D5B
      • Part of subcall function 00007FF7E07F6C80: _o_wcscpy_s.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7E07F6D6F
      • Part of subcall function 00007FF7E07F6C80: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E07F6D88
      • Part of subcall function 00007FF7E08044D8: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E0804516
      • Part of subcall function 00007FF7E081728C: CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF7E08173C0
      • Part of subcall function 00007FF7E081728C: CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF7E0817411
      • Part of subcall function 00007FF7E080BE64: DeviceIoControl.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E086A183), ref: 00007FF7E080BE91
    Strings
    • onecore\windows\core\console\open\src\server\iodispatchers.cpp, xrefs: 00007FF7E0803D74
    Similarity
    • API ID: memset$ControlCreateCriticalDeviceEnterInitializeInstanceSection_o_wcscpy_s
    • String ID: onecore\windows\core\console\open\src\server\iodispatchers.cpp
    • API String ID: 3618303396-2920610734
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000001,?,00007FF7E086AEBE), ref: 00007FF7E080AFF7
    Strings
    • onecore\windows\core\console\open\src\server\apimessage.cpp, xrefs: 00007FF7E0825A59
    Similarity
    • API ID: memset
    • String ID: onecore\windows\core\console\open\src\server\apimessage.cpp
    • API String ID: 2221118986-884894635
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: memset
    • String ID: onecore\windows\core\console\open\src\renderer\gdi\state.cpp
    • API String ID: 2221118986-181080528
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Similarity
    • API ID: ButtonChecked
    • String ID:
    • API String ID: 1719414920-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Similarity
    • API ID: Window$ActiveShow
    • String ID:
    • API String ID: 789302438-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E0808200: RegOpenCurrentUser.KERNELBASE ref: 00007FF7E0808238
      • Part of subcall function 00007FF7E0808200: RegOpenKeyW.ADVAPI32 ref: 00007FF7E0808272
    • RegCloseKey.KERNELBASE(?,?,00000000,00007FF7E07F4C1B), ref: 00007FF7E080773B
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00007FF7E07F4C1B), ref: 00007FF7E080774C
    Similarity
    • API ID: CloseOpen$CurrentUser
    • String ID:
    • API String ID: 2076574964-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,00000000,00007FF7E07F4D4C), ref: 00007FF7E07F506B
    Similarity
    • API ID: Info
    • String ID:
    • API String ID: 1807457897-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Similarity
    • API ID: ControlDevice$memset
    • String ID:
    • API String ID: 3112380785-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Similarity
    • API ID: QueryValue
    • String ID:
    • API String ID: 3660427363-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E080B5DC: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FF7E080B57E), ref: 00007FF7E080B610
    • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7E080B57E
    Similarity
    • API ID: CurrentThread
    • String ID:
    • API String ID: 2882836952-0
    • Opcode ID: 8bb362dd67c4abac960d4abd61c8e3d820fe317d3b5f049fbb3da9ff70c0b320
    • Instruction ID: 4b8c035c9d160e207fee4bdcb105a2f6f2650096b85f7c85eee1415b945d0a89
    • Opcode Fuzzy Hash: 8bb362dd67c4abac960d4abd61c8e3d820fe317d3b5f049fbb3da9ff70c0b320
    • Instruction Fuzzy Hash: 3EF03A74E0D6068AFA197B60A925379B6D1BF99308FD48433C40C06386EE3CB9618E73
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: InfoScroll
    • String ID:
    • API String ID: 629608716-0
    • Opcode ID: da6d97b26d76b76542c7af19fdd4d10ccd5dc26307b1bd809d2e5d4f75203cff
    • Instruction ID: d5fd663edea468f21604a5a920f03b83b2ea54893a4ff299e3ae8558531e9251
    • Opcode Fuzzy Hash: da6d97b26d76b76542c7af19fdd4d10ccd5dc26307b1bd809d2e5d4f75203cff
    • Instruction Fuzzy Hash: D6F03CB3A186808BE760DF24E84175AB7E0F799B09F804616EA8C83B15DF3CD5058F00
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ExtractIcon
    • String ID:
    • API String ID: 556654666-0
    • Opcode ID: 1bfdb838004fddc47f7fb4642291eaae359895f15b64d8238ee633cbb20ea4a5
    • Instruction ID: c17b466036946b66c67ae428a1561473d8402e31d9d2cc5ad82650b36ae8a375
    • Opcode Fuzzy Hash: 1bfdb838004fddc47f7fb4642291eaae359895f15b64d8238ee633cbb20ea4a5
    • Instruction Fuzzy Hash: 84F08C6661468486DB509F59E4412A8A3A0FB58B84B984522DE5887714CF3CE4A6CA00
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CreateThread
    • String ID:
    • API String ID: 2422867632-0
    • Opcode ID: f35dd847acce4158e1fb236cd9bd9ad2addd7f51e53b47b04fc428a89ca1a7e6
    • Instruction ID: c285f279fd2711b8931446f661fedc5aeec719fc44940a35d977d1dc7b4d6d78
    • Opcode Fuzzy Hash: f35dd847acce4158e1fb236cd9bd9ad2addd7f51e53b47b04fc428a89ca1a7e6
    • Instruction Fuzzy Hash: 5FE03032A18B4187E724CF24F441669FBB0F789768F988239DA9D067A8DB3CD165CA10
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: EventNotify
    • String ID:
    • API String ID: 1801992857-0
    • Opcode ID: 6d2145976b6f00127d3547ca1f634e192ded3877e4bc87512b2cf20bb39a59b7
    • Instruction ID: cc462d164f0f880508bd9e867f6cacb86c3293201f7d220e4493da174c2c9a14
    • Opcode Fuzzy Hash: 6d2145976b6f00127d3547ca1f634e192ded3877e4bc87512b2cf20bb39a59b7
    • Instruction Fuzzy Hash: 84E0CD24B1694182EB146715DCA0734A760FF49F45FC15031CB0D07710CE3CA4248B11
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: MessagePost
    • String ID:
    • API String ID: 410705778-0
    • Opcode ID: 7a63f267b84f7be99e190ffbb054523b9a0373e909b48339e1db061994f5387c
    • Instruction ID: bd8bacbc15d1cb3bd4b7652aae79961d03457ca527cb25afbb42bbefebdfce60
    • Opcode Fuzzy Hash: 7a63f267b84f7be99e190ffbb054523b9a0373e909b48339e1db061994f5387c
    • Instruction Fuzzy Hash: 4AD022B7B7088283E7005BB1FC83B2925A0E39EB46FD27010CB0A97B40C93CC0520F00
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: InfoParametersSystem
    • String ID:
    • API String ID: 3098949447-0
    • Opcode ID: a83f00480aded687f23c5aa130310f309df9e4a649b905f1067a1d7096a0db58
    • Instruction ID: ca7ac3988d21951c8415c74ebffb037e844d9a0a1836fcc4a67f5041a721826e
    • Opcode Fuzzy Hash: a83f00480aded687f23c5aa130310f309df9e4a649b905f1067a1d7096a0db58
    • Instruction Fuzzy Hash: E5D01277A15680C7D348BB15E8809AABB70F7DD754BC46011E70703B14CA38D5E9CF00
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Open
    • String ID:
    • API String ID: 71445658-0
    • Opcode ID: 00140a1532980521842c9a79a2b83843f974fd40ab8fd3ab8e1bc5daa0ae7b42
    • Instruction ID: 4b1c74efd90dbf328598695ef988ddde1dd959fc262bfd509b3a2212bbeba140
    • Opcode Fuzzy Hash: 00140a1532980521842c9a79a2b83843f974fd40ab8fd3ab8e1bc5daa0ae7b42
    • Instruction Fuzzy Hash: 6BC08C68E10481CAD20077165C01378A490BB89712FC18062C008C1341CA2CE0644B31
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Close
    • String ID:
    • API String ID: 3535843008-0
    • Opcode ID: 37140430e2f384be3ae912214004bf8914cc9523fc1a8eace7b5b0703db2df15
    • Instruction ID: 41e785cf1288c5816048f25b80fc00299a06f7a8e5ccaa69d763d0f62cf79067
    • Opcode Fuzzy Hash: 37140430e2f384be3ae912214004bf8914cc9523fc1a8eace7b5b0703db2df15
    • Instruction Fuzzy Hash: EDC04C25A07545CAEE08AB619455138A760BF9FB06BE8A571C50E16300CF3C64694721
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memset
    • String ID:
    • API String ID: 2221118986-0
    • Opcode ID: f93d6eb085b2083018b0cca92b7adeb816a6f2df40a6cfeca14c3c0f8bdc5b92
    • Instruction ID: 149d73122fb566ac09a9e357b08ee37b64251216db94690ba07901cb69264a1d
    • Opcode Fuzzy Hash: f93d6eb085b2083018b0cca92b7adeb816a6f2df40a6cfeca14c3c0f8bdc5b92
    • Instruction Fuzzy Hash: F7817B67E08BC487E7158F38C6012B9B3A0F769B48F55A215DB9C57622EB39F2E5C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xout_of_range@std@@_o_terminate
    • String ID: VUUUUUUU$invalid deque<T> subscript$invalid unordered_map<K, T> key$invalid vector<T> subscript$onecore\windows\core\console\open\src\buffer\out\textbuffercelliterator.cpp
    • API String ID: 1206583107-2159643177
    • Opcode ID: 38c8b80b411c102e31fe0f492724646f83131d51db3d1b58e0f21689adf7d8ea
    • Instruction ID: 2d2005e678a0e0f91cba1bf8621654c2efaa54a3af33ca7b3d1ef94a53582bfd
    • Opcode Fuzzy Hash: 38c8b80b411c102e31fe0f492724646f83131d51db3d1b58e0f21689adf7d8ea
    • Instruction Fuzzy Hash: 3712AE22A09B8585EB10EB65D0402B8B7A1FF58B88B948537CE4E17B65DF3CF5A1C321
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xout_of_range@std@@
    • String ID: VUUUUUUU$invalid deque<T> subscript$invalid unordered_map<K, T> key$invalid vector<T> subscript$onecore\windows\core\console\open\src\buffer\out\textbuffercelliterator.cpp$onecore\windows\core\console\open\src\host\screeninfo.cpp$onecore\windows\core\console\open\src\types\convert.cpp
    • API String ID: 1960685668-1255646998
    • Opcode ID: ec1d4d118aa555b5f25c39f1a38b41e4a251a33d4f47c47f18bb1bc1044d76bf
    • Instruction ID: 3dce37dc7d6125b79f234696d95506c5d40bed541922b7dd309b26093063b4ef
    • Opcode Fuzzy Hash: ec1d4d118aa555b5f25c39f1a38b41e4a251a33d4f47c47f18bb1bc1044d76bf
    • Instruction Fuzzy Hash: 0432C366A18A8681EF24EB15D0507BAA3A1FF98B80FD04037CA4D57796DF3CF860C361
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xout_of_range@std@@
    • String ID: VUUUUUUU$VUUUUUUU$VUUUUUUU$invalid string_view position$invalid vector<T> subscript$onecore\windows\core\console\open\src\buffer\out\charrow.cpp$onecore\windows\core\console\open\src\buffer\out\charrowcellreference.cpp$onecore\windows\core\console\open\src\buffer\out\outputcelliterator.cpp$onecore\windows\core\console\open\src\buffer\out\row.cpp$onecore\windows\core\console\open\src\types\codepointwidthdetector.cpp
    • API String ID: 1960685668-845067340
    • Opcode ID: 9923a29590919a9c9127537bc93becf8f3c2398c84a6510d3f6df8a615940280
    • Instruction ID: e208c9a73aa4eb5c4edba43ae38bb74f480152107e6a423b33b3b6969229f119
    • Opcode Fuzzy Hash: 9923a29590919a9c9127537bc93becf8f3c2398c84a6510d3f6df8a615940280
    • Instruction Fuzzy Hash: 3052BE22A08A8596EB14AB74C1453FCA3A1FB55798F808233DF4D17B96EF38F5A5C311
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Global$Clipboard$AllocDataLockUnlock$CloseEmptyOpen
    • String ID: HTML Format$Windows Console Host$onecore\windows\core\console\open\src\interactivity\win32\clipboard.cpp
    • API String ID: 3454716560-1260932009
    • Opcode ID: f76930f987153cee35c04029cee38e16808d9e0fc032d0632b61abe5d8397ed6
    • Instruction ID: 0d044f810f0846f53b1e6cbd0f153231bf47d625a663aa2440beced13616b5b1
    • Opcode Fuzzy Hash: f76930f987153cee35c04029cee38e16808d9e0fc032d0632b61abe5d8397ed6
    • Instruction Fuzzy Hash: 04B16036A05A468AEB00AF65D4443F9A7A2FB98B84FD44033DA0D53759DF7CF865C321
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xout_of_range@std@@
    • String ID: invalid deque<T> subscript$onecore\windows\core\console\open\src\host\_stream.cpp
    • API String ID: 1960685668-3945297005
    • Opcode ID: 004b24496161a0f140cb5d54deb2b9a8894713f6dd84608b0d0b780c0934e9bc
    • Instruction ID: 9062ceda659595d3318535fd4caa081011f7b3f60aa2808df4b1fb6f82484b4b
    • Opcode Fuzzy Hash: 004b24496161a0f140cb5d54deb2b9a8894713f6dd84608b0d0b780c0934e9bc
    • Instruction Fuzzy Hash: 23727126A1C7C585EA20EB25E0403BAF7A1FF99744F905136DA8D43759EF3CE464CB12
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: default_delete
    • String ID: onecore\windows\core\console\open\src\host\readdatacooked.cpp$onecore\windows\core\console\open\src\server\objecthandle.cpp
    • API String ID: 3712186324-2221960914
    • Opcode ID: 5857e9075e7d9512f2284e0c43dc198d981737869d2f9938d0806dacffc31188
    • Instruction ID: 66770b67f14880536adec2e7f44dd303e6d2ea5412707a6d5ca3b0bdaaafabdb
    • Opcode Fuzzy Hash: 5857e9075e7d9512f2284e0c43dc198d981737869d2f9938d0806dacffc31188
    • Instruction Fuzzy Hash: 0BD1A562A08B8186EB30AB69E04137EE3A0FB55B94F845636DB8E03B95DF7DF450C311
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Library$Loadmemset$AddressCriticalDirectoryEnterFreeProcRectSectionSystemWindow
    • String ID: .\console.dll$CPlApplet$\console.dll$onecore\windows\core\console\open\src\interactivity\win32\menu.cpp
    • API String ID: 1517543677-1215343536
    • Opcode ID: 7a90a091d0f52849ed14452e99e505ed3fe9846d2fe5e52f845196a240e93f4e
    • Instruction ID: d437896603ab3d3e9f3c045fb8102d0b3f364cbb69e237af545c2d7bcc30e80a
    • Opcode Fuzzy Hash: 7a90a091d0f52849ed14452e99e505ed3fe9846d2fe5e52f845196a240e93f4e
    • Instruction Fuzzy Hash: E971C422B18A4286EB54AB25D8147B9A7A0FF84744FC86433DD0E87799DF3CF558C722
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ByteCharMultiWide$_o_terminate$memset
    • String ID: onecore\windows\core\console\open\src\renderer\gdi\math.cpp$onecore\windows\core\console\open\src\renderer\gdi\paint.cpp
    • API String ID: 2157953957-3378245266
    • Opcode ID: b3af8851f210106928c51e306d907b8ac035fc85282f710267371c24d84ba422
    • Instruction ID: 32e569f9e5ec617c06170d5cc0a773d9d6219f9feb2944661fa35d72c48f98f8
    • Opcode Fuzzy Hash: b3af8851f210106928c51e306d907b8ac035fc85282f710267371c24d84ba422
    • Instruction Fuzzy Hash: D7D1C532A0878286E720EB21E45077AF7A4FB89B94F90A137DA8D53794DF3CE465C711
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Process$Current$Create$DuplicateExitHandleInitializeInstanceObjectPipeSingleWait
    • String ID: onecore\internal\sdk\inc\wil\opensource\wil\resource.h$onecore\windows\core\console\open\src\server\iodispatchers.cpp
    • API String ID: 3593327365-798144096
    • Opcode ID: d960d5e14453ca26b4cc43961bb404a2e1d43e11d9509595c5d19f59c2db9b6b
    • Instruction ID: ecab1aa4a95ee4f3b6bdcf103baaca783ac2b4e6546b363138764d626fdbd5de
    • Opcode Fuzzy Hash: d960d5e14453ca26b4cc43961bb404a2e1d43e11d9509595c5d19f59c2db9b6b
    • Instruction Fuzzy Hash: 13C15036608B8286E760EB25E4403AAF7A0FB89754F844137DA9D43B65DF3CF064CB21
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Alpc$Message$Attribute$ConnectCreateInformationInitializePortQueryStringUnicodememset
    • String ID: \ConsoleInputServerPort
    • API String ID: 1000960221-2084386880
    • Opcode ID: d70be9f50a9605f18c35c02a6d51181896ae7a02e91167237e31f86e3fa97f49
    • Instruction ID: e765f831baed0a327ec9d202ab3b648b3f592d6f66296c7567e0132c092126b6
    • Opcode Fuzzy Hash: d70be9f50a9605f18c35c02a6d51181896ae7a02e91167237e31f86e3fa97f49
    • Instruction Fuzzy Hash: A7516932A08B51DAE710CF20E8447AEBBB4F749348F910126EE8D57B08DF78E5A4CB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
    • String ID:
    • API String ID: 313767242-0
    • Opcode ID: a38168b68acdbfef8fd9f57433e00a2adc235c3168885ea1ae28803a8634db5d
    • Instruction ID: dddb74aa5cbde5d7af659c3a3b23de63ffc17d23135d509472e7b9f732c7c325
    • Opcode Fuzzy Hash: a38168b68acdbfef8fd9f57433e00a2adc235c3168885ea1ae28803a8634db5d
    • Instruction Fuzzy Hash: AC316572609B8186EB60AF60E8403EDB360FB44758F84443ADB4D57B99DF7CE558CB21
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • onecore\windows\core\console\open\src\host\inputreadhandledata.cpp, xrefs: 00007FF7E084405D
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: default_deletememmove
    • String ID: onecore\windows\core\console\open\src\host\inputreadhandledata.cpp
    • API String ID: 36335320-3387545977
    • Opcode ID: ccfe96a43fd18fbe976e1eaeeaf5ec8a391075d85fe09d6adc6994ee83848ebf
    • Instruction ID: 681370d0a2e3c60fbfc94196a11fd1d0ddade01d83b17174982a831db96268ed
    • Opcode Fuzzy Hash: ccfe96a43fd18fbe976e1eaeeaf5ec8a391075d85fe09d6adc6994ee83848ebf
    • Instruction Fuzzy Hash: 1491D522B1879189EB60FF11A0417AAE7A5FB55BC4F846036EF8D07B45DE3CE4A1C712
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ErrorLastLibrary$ClassCreateFreeLoadRegisterWindowmemset
    • String ID: PseudoConsoleWindow
    • API String ID: 671991893-840225159
    • Opcode ID: 1699381ed861368e9aa51664b16f804d2e2b9c845235e8800711acc22298da40
    • Instruction ID: af6184eb692840c555bffbb5cf87500ffe8f0a84c3818a8088989e670f15abb5
    • Opcode Fuzzy Hash: 1699381ed861368e9aa51664b16f804d2e2b9c845235e8800711acc22298da40
    • Instruction Fuzzy Hash: 5D318336A08B8186E3609F55F440369F6A1FB88790FD68136D68D53758DF3CF461CB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetStringTypeW.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7E07FDC78
      • Part of subcall function 00007FF7E0840798: MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7E0840855
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ByteCharMultiStringTypeWide
    • String ID: $CONSRV: Ignoring backspace to previous line$onecore\windows\core\console\open\src\host\_stream.cpp$onecore\windows\core\console\open\src\types\codepointwidthdetector.cpp
    • API String ID: 3139900361-3398608187
    • Opcode ID: 03b4235f10196d47ce5aabbb0c16536e598ef2272ded692a81a7485f9f27b1aa
    • Instruction ID: e52670a7935fc5e400376df6e72182550c5e678d9471c085deabe320e60e2aa6
    • Opcode Fuzzy Hash: 03b4235f10196d47ce5aabbb0c16536e598ef2272ded692a81a7485f9f27b1aa
    • Instruction Fuzzy Hash: 5CF29F22A1CAC185EA759B25E0413FAF3A1FF98784F445122DACD53B59EF3CE4A1CB11
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E084A914: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E084A956
      • Part of subcall function 00007FF7E084A914: _vswprintf_c.LEGACY_STDIO_DEFINITIONS ref: 00007FF7E084A96B
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00000000,?,00000000,?,onecore\windows\core\console\open\src\server\objecthandle.cpp,?,00007FF7E084F180), ref: 00007FF7E084E513
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00000000,?,00000000,?,onecore\windows\core\console\open\src\server\objecthandle.cpp,?,00007FF7E084F180), ref: 00007FF7E084E614
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memmove$_vswprintf_cmemset
    • String ID: WriteCharsLegacy failed %x$WriteCharsLegacy failed 0x%x$onecore\windows\core\console\open\src\host\readdatacooked.cpp$onecore\windows\core\console\open\src\server\objecthandle.cpp
    • API String ID: 1118619546-1833037669
    • Opcode ID: 1c28c976be025ce30be37d1b00e05af8c637796405b572f14ecea54c1241d808
    • Instruction ID: 2966c144ddc6fcf63ea6d38647f7043895be077c35b60ae93c4cba1e931d76f9
    • Opcode Fuzzy Hash: 1c28c976be025ce30be37d1b00e05af8c637796405b572f14ecea54c1241d808
    • Instruction Fuzzy Hash: 36229F72A147918AE750AF35C0403AD7BA4FB04B98F915237EE4D57799EF38E8A0C361
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7E088A970
    • memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E088A996
    • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF7E088A9B1
      • Part of subcall function 00007FF7E088AC1C: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E088ABE4), ref: 00007FF7E088AC96
      • Part of subcall function 00007FF7E088AC1C: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E088ABE4), ref: 00007FF7E088ACB4
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Heap$Free$AllocSleepmemset
    • String ID: Courier New$en-us
    • API String ID: 3324063907-2224409271
    • Opcode ID: cead42774eb9d84a466740232a417697810dff1019e194685ac062292d6ee36e
    • Instruction ID: 2b448cda22b2b81ba15845a204630c4cf706c9b7b8c128d0b424830165beb245
    • Opcode Fuzzy Hash: cead42774eb9d84a466740232a417697810dff1019e194685ac062292d6ee36e
    • Instruction Fuzzy Hash: D5918F32B14B4686EB00EF3AD8403A8B761FB89B98F955232DE0D5B764DF39E451C760
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetWindowRect.USER32 ref: 00007FF7E08745E1
      • Part of subcall function 00007FF7E07F4408: _Init_thread_footer.LIBCMT ref: 00007FF7E07F4450
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,00000001,00007FF7E0874E40), ref: 00007FF7E0874703
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,00000001,00007FF7E0874E40), ref: 00007FF7E08747E7
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,00000001,00007FF7E0874E40), ref: 00007FF7E087474D
      • Part of subcall function 00007FF7E0872B38: memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E07F417C), ref: 00007FF7E0872B60
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memmovememset$Init_thread_footerRectWindow
    • String ID: onecore\windows\core\console\open\src\interactivity\win32\menu.cpp
    • API String ID: 4133184459-2952571135
    • Opcode ID: 47ead6a6dc8b2f4bb23c12e2f1563f1a741b1f719efe53c22453d2e97aa17745
    • Instruction ID: fd95c79c92adbc8bfb130c88f27e8c7b1ef16a076a2ded860e92b073b1a1fce3
    • Opcode Fuzzy Hash: 47ead6a6dc8b2f4bb23c12e2f1563f1a741b1f719efe53c22453d2e97aa17745
    • Instruction Fuzzy Hash: D2A19A3AA086829AE748EF25E5407A8B7A0FB58780F844137DA1D87755DF3CF475CB22
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    • onecore\windows\core\console\open\src\buffer\out\attrrow.cpp, xrefs: 00007FF7E08206E0
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memmove
    • String ID: onecore\windows\core\console\open\src\buffer\out\attrrow.cpp
    • API String ID: 2162964266-2351056112
    • Opcode ID: 7387e73138805870515b5675e2abddaa99fee1c2c49673b474438d25282a496d
    • Instruction ID: 602c317578b2786dd521bdffb58020b42e618d54877af68f8aa96622484fdbf0
    • Opcode Fuzzy Hash: 7387e73138805870515b5675e2abddaa99fee1c2c49673b474438d25282a496d
    • Instruction Fuzzy Hash: 4FC1F462F197A144FF109B6584102BCBBF1BB15B98B944033DE9C27796CF38E562C321
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FindResourceExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,00000001,00007FF7E08493D6), ref: 00007FF7E0849651
    • LoadResource.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,00000001,00007FF7E08493D6), ref: 00007FF7E0849668
    • LockResource.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,00000001,00007FF7E08493D6), ref: 00007FF7E084967C
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000001,00007FF7E08493D6), ref: 00007FF7E08496BF
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Resource$FindLoadLockmemmove
    • String ID:
    • API String ID: 3479116980-0
    • Opcode ID: 27e3433fc7ddbfc7b62fb350d3baf12d08a0c4a3679c6fde9e3b08f1f963ece2
    • Instruction ID: 7161698bc29dbf696ae7938b9d01189e8d5fa5c1736a386eb720967370c218c3
    • Opcode Fuzzy Hash: 27e3433fc7ddbfc7b62fb350d3baf12d08a0c4a3679c6fde9e3b08f1f963ece2
    • Instruction Fuzzy Hash: 2621F6A1B05B818AEB609F05A440239E6E1FF99F90B994135DE8D17795DF3CF821C310
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,?,?,00007FF7E080F8DD), ref: 00007FF7E080F7B1
    • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF7E080F8DD), ref: 00007FF7E080F7C9
    • UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF7E080F8DD), ref: 00007FF7E080F7D2
    • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FF7E080F8DD), ref: 00007FF7E080F7EB
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$CurrentDebuggerPresentProcess
    • String ID:
    • API String ID: 2506494423-0
    • Opcode ID: 4b20ff4fb918c47df7b43a62383b1f621ddfa75d121d6af590887687acafd5d8
    • Instruction ID: 811d59ba4cd55ed6673db27cf2f86175c16310a8f5991aa38d75c4506b79c389
    • Opcode Fuzzy Hash: 4b20ff4fb918c47df7b43a62383b1f621ddfa75d121d6af590887687acafd5d8
    • Instruction Fuzzy Hash: 70F06564D08603CBF7183BA0A815334E250AF59714FC40037CA0E09393DF7C78A48732
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ByteCharMultiNtdllProc_WideWindow
    • String ID: onecore\windows\core\console\open\src\types\convert.cpp
    • API String ID: 2884015231-4041387901
    • Opcode ID: c2344d99f5e431281ebbb50e120f7b4043e2dc82a2175189585dda22a4af8c00
    • Instruction ID: 39b13f319e61aa4671ea70aa0ff9647b0e17af9951e77d2e54f9b06eeef753e6
    • Opcode Fuzzy Hash: c2344d99f5e431281ebbb50e120f7b4043e2dc82a2175189585dda22a4af8c00
    • Instruction Fuzzy Hash: E311C362E0C74682F71077949054379DB60AF98794FE04537D68D13BD5CE3CF4658222
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E0810000: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803769,?,?,?,?,00007FF7E081B159), ref: 00007FF7E0810010
    • _Init_thread_footer.LIBCMT ref: 00007FF7E0875FA5
      • Part of subcall function 00007FF7E080FF98: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803790,?,?,?,?,00007FF7E081B159), ref: 00007FF7E080FFA8
      • Part of subcall function 00007FF7E080FF98: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803790,?,?,?,?,00007FF7E081B159), ref: 00007FF7E080FFE8
      • Part of subcall function 00007FF7E08051F4: memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0805951,?,?,?,00007FF7E07F1267), ref: 00007FF7E0805224
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E08760CD
    • SetWindowLongPtrW.USER32 ref: 00007FF7E087628D
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalSection$Enter$Init_thread_footerLeaveLongWindow_onexitmemmove
    • String ID:
    • API String ID: 1010988071-0
    • Opcode ID: 5613ac7f2f2352003b9cd18280b783c65a1fca720c255712c546491c33e169f7
    • Instruction ID: fc46b1c27a1f6ca9e463ac1b5bc97a098fe36f795bed87cf17d2dd637ca3f7bb
    • Opcode Fuzzy Hash: 5613ac7f2f2352003b9cd18280b783c65a1fca720c255712c546491c33e169f7
    • Instruction Fuzzy Hash: 01A1C432A08A4686EB00EB66D8443B9E7A1FF99784F848233D90D57765DF3CF465CB21
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: FileInformationQueryVolume
    • String ID: onecore\windows\core\console\open\src\host\exemain.cpp
    • API String ID: 634242254-3772832676
    • Opcode ID: 0fbd3bc5b44322365b29f88852f3eef38487287aff61bea0370e85e0512d1853
    • Instruction ID: 954f7ce3de47e52fbf60f3a7b15cb607afc5a9f0d052e03843ebc1d68935e9fe
    • Opcode Fuzzy Hash: 0fbd3bc5b44322365b29f88852f3eef38487287aff61bea0370e85e0512d1853
    • Instruction Fuzzy Hash: FAF0A0A2718643C5E700AB65E800BA9EBA0FB81B84FC05132D64CA37A4DE3CE119CB11
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FF7E07F4189), ref: 00007FF7E084D5EA
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00007FF7E07F4189), ref: 00007FF7E084D6B1
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memmovememset
    • String ID:
    • API String ID: 1288253900-0
    • Opcode ID: 03b139c33d83ba5ee53381c1b2f0b6da3b4fd2c10359d6c886aa76cbe74f1b7e
    • Instruction ID: 22fa15b832c2d2ff7de2586d2b76fc2cf3db706b2260fb4078dc5cfbbd97fbef
    • Opcode Fuzzy Hash: 03b139c33d83ba5ee53381c1b2f0b6da3b4fd2c10359d6c886aa76cbe74f1b7e
    • Instruction Fuzzy Hash: 295190776146919FD369CF79E68169ABBE0F708340F04852ADBAAC3B00E738F560CB10
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID: onecore\windows\core\console\open\src\tsf\tfeditses.cpp
    • API String ID: 0-2059936226
    • Opcode ID: 3ff47884fe392a2e59f6512da17317d27421c4b033de8e8d54c43cd588ff2ff5
    • Instruction ID: d20b7300995f182baf6a3a4b7f995150afa241fb1bafff872ccf917c69e5ac3b
    • Opcode Fuzzy Hash: 3ff47884fe392a2e59f6512da17317d27421c4b033de8e8d54c43cd588ff2ff5
    • Instruction Fuzzy Hash: 31222E36608BC582D6709B15E4903AAB7A4FB88B84F944133DE8D93B69DF3CE495CB11
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID: onecore\windows\core\console\open\src\tsf\tfeditses.cpp
    • API String ID: 0-2059936226
    • Opcode ID: dbc731b3c37723fc460128b3273a513a93623d242ccee1de5fbf8468f452903d
    • Instruction ID: a9f3d2e9a2264178869dd847d7e6cb16df724b26ad000eecece2727b68ee5a6c
    • Opcode Fuzzy Hash: dbc731b3c37723fc460128b3273a513a93623d242ccee1de5fbf8468f452903d
    • Instruction Fuzzy Hash: 69F17532709AC281EA70EB15E4443AAE351FBC8790F944233DA9D97B99DF3CE455CB11
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Iconic
    • String ID:
    • API String ID: 110040809-0
    • Opcode ID: 9068afc85db04c7bc8fdbc2c950caf1cea046e5dd071fb0963d56da4dc97d689
    • Instruction ID: da0e6500338fc4b8bae48fa977165dd0573b00199dc67ac84721b07a3a505eb9
    • Opcode Fuzzy Hash: 9068afc85db04c7bc8fdbc2c950caf1cea046e5dd071fb0963d56da4dc97d689
    • Instruction Fuzzy Hash: ED316E72A087818AEB64AF25E440279B7A0FB8CB44F844136DA8D03756DF3CF5B1CA21
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: AlpcPortReceiveSendWait
    • String ID:
    • API String ID: 1544246631-0
    • Opcode ID: 96335afa32a163275d59152c94de65dfcb58fb4bd1e5bec9257e49fe85bd3ddf
    • Instruction ID: 31ba5a588d0e9b52a1588c2e8c4afd7e5c2b224aac270daf340c3a21fa278873
    • Opcode Fuzzy Hash: 96335afa32a163275d59152c94de65dfcb58fb4bd1e5bec9257e49fe85bd3ddf
    • Instruction Fuzzy Hash: 6EF015B7A00B94C6C304DF10E888A5C37B8F369B90FA18128CB9C07300CF768AB5C780
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memset
    • String ID:
    • API String ID: 2221118986-0
    • Opcode ID: c784b1c81fddccf678159b29d2a14d35a5c1dd171f68f6a6c951c46dcca90c6b
    • Instruction ID: df420399bbbb1b4d7193465514221a72d0d2c4aee8f56dd139a3bd9518d8db87
    • Opcode Fuzzy Hash: c784b1c81fddccf678159b29d2a14d35a5c1dd171f68f6a6c951c46dcca90c6b
    • Instruction Fuzzy Hash: 80B15B36A04B468AE700DF7AD8402ADB7B5FB88B8CB854026DE4C57768DF38E565C360
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    • onecore\windows\core\console\open\src\renderer\dx\dxrenderer.cpp, xrefs: 00007FF7E0883582
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID: onecore\windows\core\console\open\src\renderer\dx\dxrenderer.cpp
    • API String ID: 0-3506895815
    • Opcode ID: d4b27e129f135dd6f597cfcf370770624bd7d82f26d8e6d5e6f956233e6c8147
    • Instruction ID: dbe26d7053f11bbbfe1435e3a3e28ae22d2ad11166cb9f2b7cf29e9ed8451d75
    • Opcode Fuzzy Hash: d4b27e129f135dd6f597cfcf370770624bd7d82f26d8e6d5e6f956233e6c8147
    • Instruction Fuzzy Hash: 8A210761D266995AE252D73F5C40E24B511AFAE78179CD722F80862A91DB3CF0B1DB20
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Init_thread_footer
    • String ID:
    • API String ID: 1385522511-0
    • Opcode ID: 60294320b2635873fce02d32b61c2fba14cecacfae23ffbcad21eda511285cb0
    • Instruction ID: 585799864e2e67eb60cfbd1c6fe6de676922ca144f285f83d41ba6571999aef7
    • Opcode Fuzzy Hash: 60294320b2635873fce02d32b61c2fba14cecacfae23ffbcad21eda511285cb0
    • Instruction Fuzzy Hash: 6052B43AE18B4386E728AB25E44477CB760EBA4B54F9240B7DA4D077A1DE3DF854C321
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7E07F2DD3
    • RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7E081AFC3
    • SetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7E081AFF8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: EnvironmentVariable$Value
    • String ID: CommonFilesDir$CommonFilesDir (x86)$CommonProgramFiles$CommonProgramFiles(x86)$CommonProgramW6432$CommonW6432Dir$GetModuleFileNameW failed %d.$ProgramFiles$ProgramFiles(x86)$ProgramFilesDir$ProgramFilesDir (x86)$ProgramW6432$ProgramW6432Dir$Software\Microsoft\Windows\CurrentVersion
    • API String ID: 2902449149-4252908956
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CurrentFormatMessageThread
    • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
    • API String ID: 2411632146-3173542853
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E0875891), ref: 00007FF7E087BD44
    • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E0875891), ref: 00007FF7E087BD56
    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E0875891), ref: 00007FF7E087BD65
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E0875891), ref: 00007FF7E087BDAA
    • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E0875891), ref: 00007FF7E087BDBC
    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E0875891), ref: 00007FF7E087BDCB
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E0875891), ref: 00007FF7E087BDFA
    • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E0875891), ref: 00007FF7E087BE0C
    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E0875891), ref: 00007FF7E087BE1B
    • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E0875891), ref: 00007FF7E087BEA5
    • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E0875891), ref: 00007FF7E087BEBB
    • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E0875891), ref: 00007FF7E087BED1
    Strings
    • onecore\windows\core\console\conint\edpconsolepolicy.cpp, xrefs: 00007FF7E087BE80
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ErrorFreeLastTask
    • String ID: onecore\windows\core\console\conint\edpconsolepolicy.cpp
    • API String ID: 3486484475-1700090441
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?width@ios_base@std@@QEBA_JXZ.MSVCP_WIN ref: 00007FF7E0855823
    • ?width@ios_base@std@@QEBA_JXZ.MSVCP_WIN ref: 00007FF7E085583E
    • ?width@ios_base@std@@QEBA_JXZ.MSVCP_WIN ref: 00007FF7E0855859
    • ?flags@ios_base@std@@QEBAHXZ.MSVCP_WIN ref: 00007FF7E0855898
    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN ref: 00007FF7E08558C5
    • ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP_WIN ref: 00007FF7E08558DE
    • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP_WIN ref: 00007FF7E08558EF
    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN ref: 00007FF7E0855916
    • ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP_WIN ref: 00007FF7E085592F
    • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP_WIN ref: 00007FF7E0855940
    • ?width@ios_base@std@@QEAA_J_J@Z.MSVCP_WIN ref: 00007FF7E0855964
    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN ref: 00007FF7E0855985
    • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP_WIN ref: 00007FF7E085599A
    • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP_WIN ref: 00007FF7E08559D6
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: U?$char_traits@$D@std@@@std@@$?width@ios_base@std@@$?rdbuf@?$basic_ios@D@std@@@2@V?$basic_streambuf@$?fill@?$basic_ios@?sputc@?$basic_streambuf@$?flags@ios_base@std@@?setstate@?$basic_ios@?sputn@?$basic_streambuf@
    • String ID:
    • API String ID: 4125389999-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?width@ios_base@std@@QEBA_JXZ.MSVCP_WIN ref: 00007FF7E0854E41
    • ?width@ios_base@std@@QEBA_JXZ.MSVCP_WIN ref: 00007FF7E0854E5C
    • ?width@ios_base@std@@QEBA_JXZ.MSVCP_WIN ref: 00007FF7E0854E77
    • ?flags@ios_base@std@@QEBAHXZ.MSVCP_WIN ref: 00007FF7E0854EB6
    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN ref: 00007FF7E0854EDB
    • ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP_WIN ref: 00007FF7E0854EF4
    • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP_WIN ref: 00007FF7E0854F05
    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN ref: 00007FF7E0854F25
    • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP_WIN ref: 00007FF7E0854F3A
    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN ref: 00007FF7E0854F5A
    • ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP_WIN ref: 00007FF7E0854F73
    • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP_WIN ref: 00007FF7E0854F84
    • ?width@ios_base@std@@QEAA_J_J@Z.MSVCP_WIN ref: 00007FF7E0854FAA
    • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP_WIN ref: 00007FF7E0854FD6
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: U?$char_traits@$D@std@@@std@@$?width@ios_base@std@@$?rdbuf@?$basic_ios@D@std@@@2@V?$basic_streambuf@$?fill@?$basic_ios@?sputc@?$basic_streambuf@$?flags@ios_base@std@@?setstate@?$basic_ios@?sputn@?$basic_streambuf@
    • String ID:
    • API String ID: 4125389999-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: _o_terminate$ErrorLastmemset$DeleteObject_o_wcscpy_s
    • String ID: __DefaultTTFont__$onecore\windows\core\console\open\src\types\utils.cpp
    • API String ID: 1333036408-622446547
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E08562B4: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN(?,?,00000000,00007FF7E085587C), ref: 00007FF7E08562D6
      • Part of subcall function 00007FF7E08562B4: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN(?,?,00000000,00007FF7E085587C), ref: 00007FF7E08562F4
      • Part of subcall function 00007FF7E08562B4: ?good@ios_base@std@@QEBA_NXZ.MSVCP_WIN(?,?,00000000,00007FF7E085587C), ref: 00007FF7E085631E
      • Part of subcall function 00007FF7E08562B4: ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN(?,?,00000000,00007FF7E085587C), ref: 00007FF7E0856338
      • Part of subcall function 00007FF7E08562B4: ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN(?,?,00000000,00007FF7E085587C), ref: 00007FF7E0856353
      • Part of subcall function 00007FF7E08562B4: ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN(?,?,00000000,00007FF7E085587C), ref: 00007FF7E085636E
      • Part of subcall function 00007FF7E08562B4: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP_WIN(?,?,00000000,00007FF7E085587C), ref: 00007FF7E085637D
      • Part of subcall function 00007FF7E08562B4: ?good@ios_base@std@@QEBA_NXZ.MSVCP_WIN(?,?,00000000,00007FF7E085587C), ref: 00007FF7E0856393
    • ?width@ios_base@std@@QEBA_JXZ.MSVCP_WIN(?,?,?,?,?,00007FF7E0856875), ref: 00007FF7E0854C15
    • ?width@ios_base@std@@QEBA_JXZ.MSVCP_WIN(?,?,?,?,?,00007FF7E0856875), ref: 00007FF7E0854C35
    • ?flags@ios_base@std@@QEBAHXZ.MSVCP_WIN(?,?,?,?,?,00007FF7E0856875), ref: 00007FF7E0854C4F
    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN(?,?,?,?,?,00007FF7E0856875), ref: 00007FF7E0854C7C
    • ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP_WIN(?,?,?,?,?,00007FF7E0856875), ref: 00007FF7E0854C95
    • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP_WIN(?,?,?,?,?,00007FF7E0856875), ref: 00007FF7E0854CA6
    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN(?,?,?,?,?,00007FF7E0856875), ref: 00007FF7E0854CD1
    • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP_WIN(?,?,?,?,?,00007FF7E0856875), ref: 00007FF7E0854CE3
    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN(?,?,?,?,?,00007FF7E0856875), ref: 00007FF7E0854D11
    • ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP_WIN(?,?,?,?,?,00007FF7E0856875), ref: 00007FF7E0854D2A
    • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP_WIN(?,?,?,?,?,00007FF7E0856875), ref: 00007FF7E0854D3B
    • ?width@ios_base@std@@QEAA_J_J@Z.MSVCP_WIN(?,?,?,?,?,00007FF7E0856875), ref: 00007FF7E0854D6F
    • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP_WIN(?,?,?,?,?,00007FF7E0856875), ref: 00007FF7E0854D8A
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: U?$char_traits@$D@std@@@std@@$D@std@@@2@$?rdbuf@?$basic_ios@V?$basic_streambuf@$?sputc@?$basic_streambuf@?tie@?$basic_ios@?width@ios_base@std@@V?$basic_ostream@$?fill@?$basic_ios@?good@ios_base@std@@$?flags@ios_base@std@@?flush@?$basic_ostream@?setstate@?$basic_ios@V12@
    • String ID:
    • API String ID: 4018470129-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xout_of_range@std@@
    • String ID: Invalid screen buffer size (0x%x, 0x%x)$VUUUUUUU$VUUUUUUU$invalid unordered_map<K, T> key$invalid vector<T> subscript$onecore\windows\core\console\open\src\host\screeninfo.cpp
    • API String ID: 1960685668-3002075300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Init_thread_footer
    • String ID: input handle$onecore\windows\core\console\open\src\server\apidispatchers.cpp$onecore\windows\core\console\open\src\server\objecthandle.cpp$output handle$own
    • API String ID: 1385522511-896711049
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Init_thread_footer
    • String ID: onecore\windows\core\console\open\src\host\input.cpp$onecore\windows\core\console\open\src\server\apidispatchers.cpp
    • API String ID: 1385522511-2142256027
    • Opcode ID: a000ba800c102f5875bdd06a0055532109bc1e1939082dff6af46997d62328c0
    • Instruction ID: 675c7eec916cb1078c949437487cc06e6ebe73f0be2b89f43e3307ac745c9163
    • Opcode Fuzzy Hash: a000ba800c102f5875bdd06a0055532109bc1e1939082dff6af46997d62328c0
    • Instruction Fuzzy Hash: 5BD18D36A08A4286FB11AB24D8403B9A7A0FB55B88FD45133DA0D477A5DF3CF865C722
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E0867658: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP_WIN ref: 00007FF7E086768F
      • Part of subcall function 00007FF7E0867658: ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP_WIN ref: 00007FF7E08676AE
      • Part of subcall function 00007FF7E0854E08: ?width@ios_base@std@@QEBA_JXZ.MSVCP_WIN ref: 00007FF7E0854E41
      • Part of subcall function 00007FF7E0854E08: ?width@ios_base@std@@QEBA_JXZ.MSVCP_WIN ref: 00007FF7E0854E5C
      • Part of subcall function 00007FF7E0854E08: ?width@ios_base@std@@QEBA_JXZ.MSVCP_WIN ref: 00007FF7E0854E77
      • Part of subcall function 00007FF7E0854E08: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP_WIN ref: 00007FF7E0854FD6
    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@F@Z.MSVCP_WIN ref: 00007FF7E0867D7E
      • Part of subcall function 00007FF7E0854E08: ?flags@ios_base@std@@QEBAHXZ.MSVCP_WIN ref: 00007FF7E0854EB6
      • Part of subcall function 00007FF7E0854E08: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN ref: 00007FF7E0854EDB
      • Part of subcall function 00007FF7E0854E08: ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP_WIN ref: 00007FF7E0854EF4
      • Part of subcall function 00007FF7E0854E08: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP_WIN ref: 00007FF7E0854F05
      • Part of subcall function 00007FF7E0854E08: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN ref: 00007FF7E0854F25
      • Part of subcall function 00007FF7E0854E08: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP_WIN ref: 00007FF7E0854F3A
      • Part of subcall function 00007FF7E0854E08: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN ref: 00007FF7E0854F5A
      • Part of subcall function 00007FF7E0854E08: ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP_WIN ref: 00007FF7E0854F73
      • Part of subcall function 00007FF7E0854E08: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP_WIN ref: 00007FF7E0854F84
      • Part of subcall function 00007FF7E0854E08: ?width@ios_base@std@@QEAA_J_J@Z.MSVCP_WIN ref: 00007FF7E0854FAA
    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@F@Z.MSVCP_WIN ref: 00007FF7E0867DA4
    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@F@Z.MSVCP_WIN ref: 00007FF7E0867DCA
    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@F@Z.MSVCP_WIN ref: 00007FF7E0867DF0
    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@F@Z.MSVCP_WIN ref: 00007FF7E0867E21
    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@F@Z.MSVCP_WIN ref: 00007FF7E0867E4E
      • Part of subcall function 00007FF7E0859B6C: ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859BA6
      • Part of subcall function 00007FF7E0859B6C: ?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859BBA
      • Part of subcall function 00007FF7E0859B6C: ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859BCC
      • Part of subcall function 00007FF7E08592A8: memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,00007FF7E0855124), ref: 00007FF7E08592E9
    • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP_WIN ref: 00007FF7E0867EE3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@V01@$?width@ios_base@std@@V?$basic_streambuf@$?rdbuf@?$basic_ios@D@std@@@2@$?fill@?$basic_ios@?pptr@?$basic_streambuf@?sputc@?$basic_streambuf@$??0?$basic_ios@??0?$basic_iostream@??1?$basic_ios@?flags@ios_base@std@@?pbase@?$basic_streambuf@?setstate@?$basic_ios@?sputn@?$basic_streambuf@D@std@@@1@@memmove
    • String ID: ) RB:($) [${LT:(
    • API String ID: 3851257767-2145079954
    • Opcode ID: 08374050b828f8fb646aed72b435958b4247fcc2b6e59fb133af151844d00237
    • Instruction ID: 5ae6d4e21205d7d341b6ec55b19d85397046c416e8e9badb093447ecdc5f3cc3
    • Opcode Fuzzy Hash: 08374050b828f8fb646aed72b435958b4247fcc2b6e59fb133af151844d00237
    • Instruction Fuzzy Hash: 24515C22618993C6EB00BF24E8402B9B771FB85748FC05033E64E47A5ADF3CE955C761
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E0888A3C: ?_Xout_of_range@std@@YAXPEBD@Z.MSVCP_WIN(?,?,?,?,00007FF7E0887B1E,?,?,?,00007FF7E0887BBD), ref: 00007FF7E0888A74
    • ?_Xout_of_range@std@@YAXPEBD@Z.MSVCP_WIN ref: 00007FF7E0887EF3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xout_of_range@std@@
    • String ID: invalid string position$onecore\windows\core\console\open\src\renderer\dx\customtextlayout.cpp
    • API String ID: 1960685668-2152613991
    • Opcode ID: 00b7e70ed14d76a47b0ddddda086195d3c5d267131cf16efac06d9e8224a32fa
    • Instruction ID: 271740cae48870ccd58c12240d9b5e24871df6af148a7ec9529fec8943df0f87
    • Opcode Fuzzy Hash: 00b7e70ed14d76a47b0ddddda086195d3c5d267131cf16efac06d9e8224a32fa
    • Instruction Fuzzy Hash: 1A12BD32609BC586DA60EB15E4847EEB3A4FB88780FC14036DA8D47B55DF3CE464CB21
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalSectiondefault_delete$ByteCharEnterInit_thread_footerLeaveMultiWidememset
    • String ID: invalid string position$onecore\windows\core\console\open\src\host\_stream.cpp
    • API String ID: 183490158-599477270
    • Opcode ID: 9447402e4fcbf744fbc35bbbcf38776492537029412d737a03e48353f46a8ae0
    • Instruction ID: 5294328a1c8992bd301762353769f9d7fd1e32d7aa21cb22463452e11092dc98
    • Opcode Fuzzy Hash: 9447402e4fcbf744fbc35bbbcf38776492537029412d737a03e48353f46a8ae0
    • Instruction Fuzzy Hash: 4FF19272A0D78286E620EB15A45036AF7A1FB99780F944137EACD53795DF3CF460CB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,?,00007FF7E07FCF76,?,?,00000000,00000000,?,?,001E0078,00000000,?,001E007823290078,00007FF7E07F59D3), ref: 00007FF7E0805879
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,?,00007FF7E07FCF76,?,?,00000000,00000000,?,?,001E0078,00000000,?,001E007823290078,00007FF7E07F59D3), ref: 00007FF7E0805894
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00007FF7E07FCF76,?,?,00000000,00000000,?,?,001E0078,00000000,?,001E007823290078,00007FF7E07F59D3), ref: 00007FF7E08058A9
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00007FF7E07FCF76,?,?,00000000,00000000,?,?,001E0078,00000000,?,001E007823290078,00007FF7E07F59D3), ref: 00007FF7E08058B6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memmovememset
    • String ID: deque<T> too long
    • API String ID: 1288253900-309773918
    • Opcode ID: 6ac3ba3981665b315708dc7a052e643b31a8bb94a78c1fdb430e38880f7002c4
    • Instruction ID: ab0961eff14fba6e704bb87db485490033137d1bf21ba9f4b8452f30b3c936d2
    • Opcode Fuzzy Hash: 6ac3ba3981665b315708dc7a052e643b31a8bb94a78c1fdb430e38880f7002c4
    • Instruction Fuzzy Hash: 1B31D471704B8186EA14EB52F5411B9E3A1FB45BE07848236CF6E07B96CE7CF051C311
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,00007FF7E07F6E2E), ref: 00007FF7E07F6FC7
    • _o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,00007FF7E07F6E2E), ref: 00007FF7E081C413
    • _o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,00007FF7E07F6E2E), ref: 00007FF7E081C420
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FF7E07F6E2E), ref: 00007FF7E081C42E
    • DeleteObject.GDI32 ref: 00007FF7E081C43F
    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FF7E07F6E2E), ref: 00007FF7E081C44D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: _o_terminate$ErrorLast$DeleteObject
    • String ID: onecore\windows\core\console\open\src\types\utils.cpp$vvv$HV
    • API String ID: 3255449295-4251474025
    • Opcode ID: 98d900ee76abbb3aca156ff75b5eb35b316101948dad377900127df46ce86bb0
    • Instruction ID: 07178352c68bfa4a5258f219c325cbdcdbdb3d1aeb65545320e2d496077eebd9
    • Opcode Fuzzy Hash: 98d900ee76abbb3aca156ff75b5eb35b316101948dad377900127df46ce86bb0
    • Instruction Fuzzy Hash: B141F2B2C09A42CAEB616F25D44427CBEE0FB49B18F918537C21946790CF7DB569C712
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7E0822C3B), ref: 00007FF7E0827C42
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ObjectSingleWait
    • String ID: wil
    • API String ID: 24740636-1589926490
    • Opcode ID: 2412010e690b60513d44839e1241b0a1ded830746aa7e610ccf17685d510b888
    • Instruction ID: 7b1c1f047338626794205cceb29c838cc50422997230c64de58d0c9c5b01be8d
    • Opcode Fuzzy Hash: 2412010e690b60513d44839e1241b0a1ded830746aa7e610ccf17685d510b888
    • Instruction Fuzzy Hash: C2410031A0C68287F7606B36E400379E6A1EF85791FE08133DA4D46799DF3DF8658722
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E07F2E6F
    • CreateActCtxW.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000001,00007FF7E07F2DFB), ref: 00007FF7E07F2EC3
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7E081B018
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CreateErrorFileLastModuleName
    • String ID: 8$GetModuleFileNameW failed %d.$GetModuleFileNameW requires more than ScratchBufferSize(%d) - 1.$InitSideBySide failed create an activation context. Error: %d$d
    • API String ID: 1775755052-3069648676
    • Opcode ID: 2bf8e5f26a7e522e886feec0f199d7387dee6a369ebcef8fca90a8dd5463f742
    • Instruction ID: 1b2237c2774d0074748cacd584c08b482ac8ede57fd716ef621c6c386e2835c9
    • Opcode Fuzzy Hash: 2bf8e5f26a7e522e886feec0f199d7387dee6a369ebcef8fca90a8dd5463f742
    • Instruction Fuzzy Hash: 1E317F22A1968286EB20BB149444279F7A0FB5CB94FA4C236D76D03391DF7CB4B5C762
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E0867658: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP_WIN ref: 00007FF7E086768F
      • Part of subcall function 00007FF7E0867658: ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP_WIN ref: 00007FF7E08676AE
      • Part of subcall function 00007FF7E0854E08: ?width@ios_base@std@@QEBA_JXZ.MSVCP_WIN ref: 00007FF7E0854E41
      • Part of subcall function 00007FF7E0854E08: ?width@ios_base@std@@QEBA_JXZ.MSVCP_WIN ref: 00007FF7E0854E5C
      • Part of subcall function 00007FF7E0854E08: ?width@ios_base@std@@QEBA_JXZ.MSVCP_WIN ref: 00007FF7E0854E77
      • Part of subcall function 00007FF7E0854E08: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP_WIN ref: 00007FF7E0854FD6
    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP_WIN ref: 00007FF7E0879D3E
    • ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z.MSVCP_WIN ref: 00007FF7E0879D59
    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP_WIN ref: 00007FF7E0879D6F
    • ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP_WIN ref: 00007FF7E0879D87
    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP_WIN ref: 00007FF7E0879DBA
    • ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP_WIN ref: 00007FF7E0879DCD
    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP_WIN ref: 00007FF7E0879E02
    • ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP_WIN ref: 00007FF7E0879E15
    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP_WIN ref: 00007FF7E0879E4B
      • Part of subcall function 00007FF7E0859B6C: ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859BA6
      • Part of subcall function 00007FF7E0859B6C: ?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859BBA
      • Part of subcall function 00007FF7E0859B6C: ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859BCC
    • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP_WIN ref: 00007FF7E0879E72
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@V01@$?setw@std@@?width@ios_base@std@@J@1@_Smanip@_U?$_$?pptr@?$basic_streambuf@V21@@Vios_base@1@$??0?$basic_ios@??0?$basic_iostream@??1?$basic_ios@?fill@?$basic_ios@?pbase@?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@@V?$basic_streambuf@
    • String ID:
    • API String ID: 1081597296-0
    • Opcode ID: 0d1a008b47d1a31075911c6a7d4a737539e9c08f65b9511d43e785cfe1ae63aa
    • Instruction ID: 6b3d7deac2b1d0024cbc05d5dbd5fc78d38d74b4f163562728d92aa7b30ffebd
    • Opcode Fuzzy Hash: 0d1a008b47d1a31075911c6a7d4a737539e9c08f65b9511d43e785cfe1ae63aa
    • Instruction Fuzzy Hash: 43413C32604A81D6EB00EB15E8502B9FB71FBC9B45BD59032DA4E43729DF3CE919C721
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID: VUUUUUUU$invalid unordered_map<K, T> key$invalid vector<T> subscript$onecore\windows\core\console\open\src\types\viewport.cpp$vector<T> too long
    • API String ID: 0-2488907146
    • Opcode ID: a308d393284eca5e7c7cd858f958883a907639ef86a52b9d33daf958d4fb3120
    • Instruction ID: 78c2b461cb2a7e3832d169b0540d520c8e1070577946c998789a464dc2cdae47
    • Opcode Fuzzy Hash: a308d393284eca5e7c7cd858f958883a907639ef86a52b9d33daf958d4fb3120
    • Instruction Fuzzy Hash: D9B1CF22A08B5586EB10AF65D4402BCB7B1FB19798B804132DF4E17B96DF38F4B5C721
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID: onecore\windows\core\console\open\src\host\_stream.cpp$onecore\windows\core\console\open\src\host\input.cpp
    • API String ID: 3168844106-1286246513
    • Opcode ID: ff9247dfb89cd798fdd638c3022b504905704d822479bdbe10e62340809997b8
    • Instruction ID: 2121550312335bc456412247d7407f89ddf49948f4689af57ca60d0a399e71c0
    • Opcode Fuzzy Hash: ff9247dfb89cd798fdd638c3022b504905704d822479bdbe10e62340809997b8
    • Instruction Fuzzy Hash: 7951D331A0864286FA61AB25E45037AEB90FF95780FD09133DE4D437A9DF3CF825C622
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000000,00000000,00007FF7E0869FD8,?,?,00000000,00007FF7E0879611,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7E082D54B
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000000,00000000,00007FF7E0869FD8,?,?,00000000,00007FF7E0879611,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7E082D562
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,00000000,00007FF7E0869FD8,?,?,00000000,00007FF7E0879611,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7E082D577
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000000,00000000,00007FF7E0869FD8,?,?,00000000,00007FF7E0879611,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7E082D58E
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000000,00000000,00007FF7E0869FD8,?,?,00000000,00007FF7E0879611,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7E082D5A7
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,00000000,00007FF7E0869FD8,?,?,00000000,00007FF7E0879611,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7E082D5B5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memmove$memset
    • String ID: deque<T> too long
    • API String ID: 3790616698-309773918
    • Opcode ID: 85044e2ca63d2213f09870668d33ecbeaaaa3a2f00211c4601c7991c5d5b367b
    • Instruction ID: 305ce043088dacc69bf8470fbfd2b1e5817c131a00e70df879d17f4513481b5b
    • Opcode Fuzzy Hash: 85044e2ca63d2213f09870668d33ecbeaaaa3a2f00211c4601c7991c5d5b367b
    • Instruction Fuzzy Hash: 9831E3A2704B8286DE14EB66F9111A9E751EB45BE0B888236DF7D0BBD1CE7CF051C310
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00007FF7E0830A76), ref: 00007FF7E0833CD4
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00007FF7E0830A76), ref: 00007FF7E0833CEB
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FF7E0830A76), ref: 00007FF7E0833D00
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00007FF7E0830A76), ref: 00007FF7E0833D17
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00007FF7E0830A76), ref: 00007FF7E0833D30
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FF7E0830A76), ref: 00007FF7E0833D3E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memmove$memset
    • String ID: deque<T> too long
    • API String ID: 3790616698-309773918
    • Opcode ID: c94d586eeb9a8f885b15f80766213bc52aafb6313ccda9610c7c6419d30e33c7
    • Instruction ID: 440b70db8b7015e77d1753978f01ff808287242fc623ff6b51fd1a2f6e0ae695
    • Opcode Fuzzy Hash: c94d586eeb9a8f885b15f80766213bc52aafb6313ccda9610c7c6419d30e33c7
    • Instruction Fuzzy Hash: 9131D5A2704B8182EA14EB56F5411A9E751EB85FE0B888236DF7E1BBD5CE7CF051C311
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Current$Process$CriticalDuplicateEnterErrorFileHandleLastReadSectionThread
    • String ID: onecore\windows\core\console\open\src\interactivity\onecore\coniosrvcomm.cpp
    • API String ID: 3595956420-2051704093
    • Opcode ID: 09521f832c68216bbbe0019030e12fe47b43bbeedab1727718d1cee584749ec7
    • Instruction ID: e6bd567f4981c5852e1f9516a0bffa77e0aee9fe2afecf39d3a356f121657bdb
    • Opcode Fuzzy Hash: 09521f832c68216bbbe0019030e12fe47b43bbeedab1727718d1cee584749ec7
    • Instruction Fuzzy Hash: 3241732250C78287E710AB61E44437EFBA0FB99790F945136DA8D43B59DF3CE064CB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859568
    • ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E085957A
    • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP_WIN ref: 00007FF7E0859598
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: D@std@@@std@@U?$char_traits@$?epptr@?$basic_streambuf@?pptr@?$basic_streambuf@Pninc@?$basic_streambuf@
    • String ID:
    • API String ID: 4060314879-0
    • Opcode ID: afc7f0d0d386d9fa25e3d37f0674254394d7a8f0372d0f41bf728260cb42a3e5
    • Instruction ID: 51bbb3383df4ffc732c39b64ce72c4e1fbc9edf9bf42ea45644917aaa3b7f4a0
    • Opcode Fuzzy Hash: afc7f0d0d386d9fa25e3d37f0674254394d7a8f0372d0f41bf728260cb42a3e5
    • Instruction Fuzzy Hash: C3418E31A08A9186EA01AB269504378FBE0FB4AF90BD58632CE5E17791EF3CF425C311
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: default_delete$CriticalEnterSection
    • String ID: onecore\windows\core\console\open\src\host\directio.cpp
    • API String ID: 739439809-2458865805
    • Opcode ID: fb653188433389e3fdcb372f0ed61a365c9514b905ac601cc41ce7c64e13b2cd
    • Instruction ID: a7757cbdf08b22fcebaf71ead8e3eefb2fb1ef5ebb43a88bc5c39f82d2f12b6a
    • Opcode Fuzzy Hash: fb653188433389e3fdcb372f0ed61a365c9514b905ac601cc41ce7c64e13b2cd
    • Instruction Fuzzy Hash: 6391642260DB8191FA20FB25E4503BEE7A4FBA6744F945032DA8D4375ADE3CF465C721
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memmove
    • String ID: onecore\windows\core\console\open\src\server\apidispatchers.cpp$onecore\windows\core\console\open\src\server\objecthandle.cpp
    • API String ID: 2162964266-1968334596
    • Opcode ID: eca5536e85223d47c90db6dab28a097eb88be671ed860a2cc12f2f0ad9a3866a
    • Instruction ID: fff106dd6bc660af453e30438ae5070defab86e7611c94e57d67eec324a512a0
    • Opcode Fuzzy Hash: eca5536e85223d47c90db6dab28a097eb88be671ed860a2cc12f2f0ad9a3866a
    • Instruction Fuzzy Hash: 2D8163A1B08A4292FA14BB15E4503B9A3A1FB44BE4F945633DA1D077D5DF7CF861C321
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CloseCriticalHandleLeaveSectionXout_of_range@std@@
    • String ID: invalid string_view position$onecore\windows\core\console\open\src\buffer\out\textcolor.cpp$onecore\windows\core\console\open\src\host\input.cpp
    • API String ID: 3449835143-4230967921
    • Opcode ID: f39fa539044adcd5bd4e5639b892f0b10d3e1aa357427bdc3e79ee972bb53b35
    • Instruction ID: b7caf68f44b90923a6c16b2cbebcb2015676c6046196b18c5e6bce8dac5051ee
    • Opcode Fuzzy Hash: f39fa539044adcd5bd4e5639b892f0b10d3e1aa357427bdc3e79ee972bb53b35
    • Instruction Fuzzy Hash: 6871AE26A0964281FA24BB69D050379E790FF9A780FC06533DA4E437A5CE3DF865C732
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Name$FileFindFullImagePathProcessQuery
    • String ID: d
    • API String ID: 2220688768-2564639436
    • Opcode ID: 81fb39bd0dc53461950f0586e4b15195c34def60f00a58d33a52ab5d0e90171e
    • Instruction ID: f84ab0db609bd999cf8ebd26f8ab7d070dfe3384dcfc8fdf6cc519a43c237cce
    • Opcode Fuzzy Hash: 81fb39bd0dc53461950f0586e4b15195c34def60f00a58d33a52ab5d0e90171e
    • Instruction Fuzzy Hash: D751A472608B8185EB10AF25D4503BDB7A0FB58BA8F944236DB8D07799EF3CE494C761
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?_Xout_of_range@std@@YAXPEBD@Z.MSVCP_WIN(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E0805756), ref: 00007FF7E082B7EA
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E0805756), ref: 00007FF7E082B82F
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E0805756), ref: 00007FF7E082B86B
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E0805756), ref: 00007FF7E082B8ED
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E0805756), ref: 00007FF7E082B904
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E0805756), ref: 00007FF7E082B91C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memmove$Xout_of_range@std@@
    • String ID: invalid string position
    • API String ID: 685110151-1799206989
    • Opcode ID: a9f407e3d603e98a637268d5b2d9e2bd9286a8c187078849d5f01c6329f597d8
    • Instruction ID: 62083c3f18036e88807b971bcf31640dd3dd1bc6fdfcbedf37ac0603c316ec64
    • Opcode Fuzzy Hash: a9f407e3d603e98a637268d5b2d9e2bd9286a8c187078849d5f01c6329f597d8
    • Instruction Fuzzy Hash: 8741CE72B19B8695DA10EF22E4442A9A36AFB44BC4BD80137DE4E07B51DF7CF266C311
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,?,00007FF7E080612C,?,?,?,00007FF7E0840167), ref: 00007FF7E080627A
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00007FF7E080612C,?,?,?,00007FF7E0840167), ref: 00007FF7E080628F
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00007FF7E080612C,?,?,?,00007FF7E0840167), ref: 00007FF7E080629C
    • ?_Xlength_error@std@@YAXPEBD@Z.MSVCP_WIN(?,00000000,?,00007FF7E080612C,?,?,?,00007FF7E0840167), ref: 00007FF7E0822598
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memset$Xlength_error@std@@memmove
    • String ID: deque<T> too long
    • API String ID: 4008601576-309773918
    • Opcode ID: 961046d1b9cf29daf2c58389ae555ee7697ecccdda03337787a79f47058cf3f6
    • Instruction ID: 3a400021b31fc2bdffbfc96cc8df9778d1c64d3d1fc538c1831643e7d5e8f36e
    • Opcode Fuzzy Hash: 961046d1b9cf29daf2c58389ae555ee7697ecccdda03337787a79f47058cf3f6
    • Instruction Fuzzy Hash: A531C661B04A8282EA14EB52F5111A9E351FB45BE4B848632DF7D0BBD6CF7CF061C311
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7E07F6EB1
    • _o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,00007FF7E07F6E2E), ref: 00007FF7E081C413
    • _o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,00007FF7E07F6E2E), ref: 00007FF7E081C420
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FF7E07F6E2E), ref: 00007FF7E081C42E
    • DeleteObject.GDI32 ref: 00007FF7E081C43F
    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FF7E07F6E2E), ref: 00007FF7E081C44D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: _o_terminate$ErrorLast$DeleteObject
    • String ID: onecore\windows\core\console\open\src\types\utils.cpp
    • API String ID: 3255449295-2938961315
    • Opcode ID: f7a404fbac1230c2e51adbc29ef9f42c9f5e27123eeb997c529b45ea0d62d0cd
    • Instruction ID: f65bc345868a84126f21e1726f45880dc7a81e5bccbc791fe92c93d507cad278
    • Opcode Fuzzy Hash: f7a404fbac1230c2e51adbc29ef9f42c9f5e27123eeb997c529b45ea0d62d0cd
    • Instruction Fuzzy Hash: D54190B6D086428AE754AB54D0446B8FB60FB49B14F909233CA4D13B54DF3CF4B0CB61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: QueryValue$CloseOpen
    • String ID: DisplayInitDelay$FontSize$SYSTEM\CurrentControlSet\Control\ConKbd
    • API String ID: 1586453840-3302960082
    • Opcode ID: 50dff6cbb8965549bc5760e955ddb5c12dfafe7aef7bec54db47dae549adeebd
    • Instruction ID: b26419c9729d178d534725f769803bd09ed2047cdd47e24c5d69ab17ba1cac27
    • Opcode Fuzzy Hash: 50dff6cbb8965549bc5760e955ddb5c12dfafe7aef7bec54db47dae549adeebd
    • Instruction Fuzzy Hash: 3F3162366046528FE760DF24D4406A9B7A4FB1875CBC85236EA0D06B98EF3CE4A4CB65
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7E088639F), ref: 00007FF7E08885D1
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7E088639F), ref: 00007FF7E0888639
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7E088639F), ref: 00007FF7E088869A
    • memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E0888762
    • memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E08887C0
      • Part of subcall function 00007FF7E08857A4: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP_WIN(?,?,?,?,?,?,?,00007FF7E088639F), ref: 00007FF7E08857D8
      • Part of subcall function 00007FF7E08857A4: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,00007FF7E088639F), ref: 00007FF7E0885852
      • Part of subcall function 00007FF7E08857A4: memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF7E088639F), ref: 00007FF7E0885864
    • memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E0888821
    Strings
    • onecore\windows\core\console\open\src\renderer\dx\customtextlayout.cpp, xrefs: 00007FF7E08886F7
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memset$Xlength_error@std@@memmove
    • String ID: onecore\windows\core\console\open\src\renderer\dx\customtextlayout.cpp
    • API String ID: 4008601576-174823080
    • Opcode ID: cfa9b065acd7a3fa1abe35d91f0c1e13eb52256e71e5777eb52c680f5287a7d6
    • Instruction ID: ee1d8fbeaabf5d3edad2d89ec64ccbb9cec145ad77c69289066b73cf51c93225
    • Opcode Fuzzy Hash: cfa9b065acd7a3fa1abe35d91f0c1e13eb52256e71e5777eb52c680f5287a7d6
    • Instruction Fuzzy Hash: 43A1C766B09A8A81DE14FB56D6482BEE356EB48BC0BD59433DE5E0B741DE7CF060C321
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Rect$EmptyIntersectOffsetSubtract
    • String ID:
    • API String ID: 357338179-0
    • Opcode ID: b08e633d56a0d33f6675435537e79c243b787c62dcb873a71ccbdadf1697e1cc
    • Instruction ID: 43025f7f3bc516e83f7be73d9a406497a7d68964587e2d5aebc5eef0887850c9
    • Opcode Fuzzy Hash: b08e633d56a0d33f6675435537e79c243b787c62dcb873a71ccbdadf1697e1cc
    • Instruction Fuzzy Hash: 52418F23528B82C7D6509F24E4406BAF770FBDAB41F81B132EA8E56614EF3CE559CB11
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN(?,?,00000000,00007FF7E085587C), ref: 00007FF7E08562D6
    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN(?,?,00000000,00007FF7E085587C), ref: 00007FF7E08562F4
    • ?good@ios_base@std@@QEBA_NXZ.MSVCP_WIN(?,?,00000000,00007FF7E085587C), ref: 00007FF7E085631E
    • ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN(?,?,00000000,00007FF7E085587C), ref: 00007FF7E0856338
    • ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN(?,?,00000000,00007FF7E085587C), ref: 00007FF7E0856353
    • ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN(?,?,00000000,00007FF7E085587C), ref: 00007FF7E085636E
    • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP_WIN(?,?,00000000,00007FF7E085587C), ref: 00007FF7E085637D
    • ?good@ios_base@std@@QEBA_NXZ.MSVCP_WIN(?,?,00000000,00007FF7E085587C), ref: 00007FF7E0856393
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: U?$char_traits@$D@std@@@std@@$D@std@@@2@$?tie@?$basic_ios@V?$basic_ostream@$?good@ios_base@std@@?rdbuf@?$basic_ios@V?$basic_streambuf@$?flush@?$basic_ostream@V12@
    • String ID:
    • API String ID: 2615938766-0
    • Opcode ID: 36409a7c97e633ceded7e7cfc77b6a13b5861a99479c5fe31fb273c57bc0fb2b
    • Instruction ID: 44ab23987e09919ab975f4ea66cd3ea747acb0e7c3f58ba40fa9ee177a32da1d
    • Opcode Fuzzy Hash: 36409a7c97e633ceded7e7cfc77b6a13b5861a99479c5fe31fb273c57bc0fb2b
    • Instruction Fuzzy Hash: 9631A532605A86C6DB14AF15E594378BBA0FF8AF86789D432CA0E47325CF38E464C321
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID: !$onecore\windows\core\console\open\src\renderer\gdi\paint.cpp
    • API String ID: 0-1593173792
    • Opcode ID: 40f5a708ce0fecfc1fa9b217ee2e852d25cae484e93f8062a421551220fd1aa8
    • Instruction ID: 5c26081302b688643d2f3e53e626bad1169338e5587009555a150bcab6aa1a12
    • Opcode Fuzzy Hash: 40f5a708ce0fecfc1fa9b217ee2e852d25cae484e93f8062a421551220fd1aa8
    • Instruction Fuzzy Hash: B681A632B09A528AF750AB61D4407BDAAA0FB49B88F945036DE0D67B54DF3CF464C722
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalSection$EnterLeavememmove
    • String ID: invalid deque<T> subscript
    • API String ID: 572680541-2228476695
    • Opcode ID: 99eac763fc95b2756f9ad0f8888b8a9e3be958ad2c79219ecddb8371fd6e30e9
    • Instruction ID: 82106bbd276b0e1b0a03cdaeb5527381cc388c02716262c7e5a07858dd88ab08
    • Opcode Fuzzy Hash: 99eac763fc95b2756f9ad0f8888b8a9e3be958ad2c79219ecddb8371fd6e30e9
    • Instruction Fuzzy Hash: 27916D266196C586EA60EF15D0503BAB360FF89B40F849133DA8E83765DF3CF465DB21
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • onecore\windows\core\console\open\src\renderer\dx\customtextlayout.cpp, xrefs: 00007FF7E088600F
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: _o_terminate
    • String ID: onecore\windows\core\console\open\src\renderer\dx\customtextlayout.cpp
    • API String ID: 882196631-174823080
    • Opcode ID: 686fcee5a475943731644fbff7381f2511805cbaceacf462176a68265d3b6b01
    • Instruction ID: e9e4b209c08f198724b2d74310b7e0ece7385422380e3c4bae1c4aa3a57fb5c3
    • Opcode Fuzzy Hash: 686fcee5a475943731644fbff7381f2511805cbaceacf462176a68265d3b6b01
    • Instruction Fuzzy Hash: 3E913972604F4581DA10EF15E844BA8B7A8FB48B88FE68136CE9D17720DF38E4B4C365
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000,?,00007FF7E082126E), ref: 00007FF7E0869D70
    • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000,?,00007FF7E082126E), ref: 00007FF7E0869D83
    • DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7E0869DAD
    • ?_Xout_of_range@std@@YAXPEBD@Z.MSVCP_WIN(?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000,?,00007FF7E082126E), ref: 00007FF7E0869E5F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CurrentProcess$DuplicateHandleXout_of_range@std@@
    • String ID: invalid deque<T> subscript$onecore\windows\core\console\open\src\server\processlist.cpp
    • API String ID: 4104642312-902665438
    • Opcode ID: 17ea3c6a19a46cce9ace851915c7313c1a9113965640edfa47d938889b3cc997
    • Instruction ID: 40e858e857cce8880161648f0ad6d85814a197068a64759908b81d9e717704f8
    • Opcode Fuzzy Hash: 17ea3c6a19a46cce9ace851915c7313c1a9113965640edfa47d938889b3cc997
    • Instruction Fuzzy Hash: B461AE36A09B8182EB10EF11E4403ADB7A4FB89B90F968236DE8D53795DF7CE461C711
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E07F6C80: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E07F6D5B
      • Part of subcall function 00007FF7E07F6C80: _o_wcscpy_s.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7E07F6D6F
      • Part of subcall function 00007FF7E07F6C80: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E07F6D88
    • _Mtx_init_in_situ.MSVCP_WIN ref: 00007FF7E0806052
    • CreateTimerQueue.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0 ref: 00007FF7E080607A
    • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E08060C3
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,?,00007FF7E080612C,?,?,?,00007FF7E0840167), ref: 00007FF7E0822554
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,?,00007FF7E080612C,?,?,?,00007FF7E0840167), ref: 00007FF7E082256D
    Strings
    • onecore\windows\core\console\open\src\host\cursorblinker.cpp, xrefs: 00007FF7E0822538
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memmovememset$CreateCriticalInitializeMtx_init_in_situQueueSectionTimer_o_wcscpy_s
    • String ID: onecore\windows\core\console\open\src\host\cursorblinker.cpp
    • API String ID: 2788725267-1313982512
    • Opcode ID: 16d147cef07c3e6a4aa407ec7be356e50af53395e100cf84ab51a3e0e49dea01
    • Instruction ID: e0c9728351ac24a20f6ed05b87b25a4c17fc170d69b3f8bc63a327d508f40d47
    • Opcode Fuzzy Hash: 16d147cef07c3e6a4aa407ec7be356e50af53395e100cf84ab51a3e0e49dea01
    • Instruction Fuzzy Hash: 5671E832A09F81AAD34C9F20EA903E9B7A5FB44750F985229C7AC43350DF38B1B0CB55
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Window$Long
    • String ID:
    • API String ID: 847901565-3916222277
    • Opcode ID: 39c85e282bbbc4e71f4dd69814b2e0e27a11d159b6e4f201555ae21131f0cd15
    • Instruction ID: b43621bf08c25ffd1519835821cde352a217a6fbb9e0dac9b69526cd4df8a0b1
    • Opcode Fuzzy Hash: 39c85e282bbbc4e71f4dd69814b2e0e27a11d159b6e4f201555ae21131f0cd15
    • Instruction Fuzzy Hash: D131E562B18B4186D7149B39A844238BF60FB8ABE4F549332DD2E577A5CF3CE091CB11
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7E0822F9C), ref: 00007FF7E085482B
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7E0822F9C), ref: 00007FF7E085484E
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7E0822F9C), ref: 00007FF7E0854870
      • Part of subcall function 00007FF7E0809654: EventWriteTransfer.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FF7E08096D7
    • FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7E0822F9C), ref: 00007FF7E0854899
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Library$AddressErrorEventFreeLastLoadProcTransferWrite
    • String ID: ConhostV1.dll$ConsoleCreateIoThread
    • API String ID: 331234469-2092506167
    • Opcode ID: 9dc76ab2e295bd126d566f984959e07fb7fce04886f0030e31297bbbd108f9d4
    • Instruction ID: 389a68138f161d6a64590bc8f3ed1840dd3b3b486d8bb6948290b9cd20d7d295
    • Opcode Fuzzy Hash: 9dc76ab2e295bd126d566f984959e07fb7fce04886f0030e31297bbbd108f9d4
    • Instruction Fuzzy Hash: 08315B31A18B8286FB40AB11E844379B6A5FB88B80FD59136D90D47760DF3CF865C762
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • OpenClipboard.USER32 ref: 00007FF7E087579D
    • GetClipboardData.USER32 ref: 00007FF7E08757B6
    • GlobalLock.API-MS-WIN-CORE-HEAP-OBSOLETE-L1-1-0(?,?,?,?,?,00007FF7E08243B0), ref: 00007FF7E08757D1
    • GlobalSize.API-MS-WIN-CORE-HEAP-OBSOLETE-L1-1-0(?,?,?,?,?,00007FF7E08243B0), ref: 00007FF7E08757E3
    • GlobalUnlock.API-MS-WIN-CORE-HEAP-OBSOLETE-L1-1-0(?,?,?,?,?,00007FF7E08243B0), ref: 00007FF7E0875894
      • Part of subcall function 00007FF7E0810000: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803769,?,?,?,?,00007FF7E081B159), ref: 00007FF7E0810010
      • Part of subcall function 00007FF7E084937C: LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E08493F1
    • _Init_thread_footer.LIBCMT ref: 00007FF7E0875856
      • Part of subcall function 00007FF7E080FF98: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803790,?,?,?,?,00007FF7E081B159), ref: 00007FF7E080FFA8
      • Part of subcall function 00007FF7E080FF98: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803790,?,?,?,?,00007FF7E081B159), ref: 00007FF7E080FFE8
    • CloseClipboard.USER32 ref: 00007FF7E08758A0
    Similarity
    • API ID: ClipboardCriticalGlobalSection$Enter$CloseDataInit_thread_footerLeaveLoadLockOpenSizeStringUnlock_onexit
    • String ID:
    • API String ID: 1746292183-0
    • Opcode ID: c2aa3001176dba1493289d9fb03642c26da2384a5352e1e2ce46fd7bee29e7db
    • Instruction ID: 0871b3ce9b0b476632f02e39c79d9f318fb20f6af26d6ff256094174d726a68d
    • Opcode Fuzzy Hash: c2aa3001176dba1493289d9fb03642c26da2384a5352e1e2ce46fd7bee29e7db
    • Instruction Fuzzy Hash: 58313225A09A4286EB50BB21E844379E7A1FF89B95FC84133D94E42365DF3CF464CB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859C82
    • ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859C9D
    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859CB6
    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859CE4
    • ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859CF6
    • ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z.MSVCP_WIN ref: 00007FF7E0859D0E
    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859D1D
    Similarity
    • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?eback@?$basic_streambuf@?egptr@?$basic_streambuf@?pptr@?$basic_streambuf@?setg@?$basic_streambuf@D00@
    • String ID:
    • API String ID: 1210260451-0
    • Opcode ID: 954d59f9f1108cd55123d8427b80449b28120059a508f47fe3b0b788f3727b58
    • Instruction ID: a46c3502776de5a03455f61abec8e81cb495512978faeb65b6dd8de57f33faff
    • Opcode Fuzzy Hash: 954d59f9f1108cd55123d8427b80449b28120059a508f47fe3b0b788f3727b58
    • Instruction Fuzzy Hash: 5C116321A09A8182EA107B11E60427CFBA0FB4AFC1BC89135DE5E17755CF3CF861C721
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN(?,?,?,00007FF7E0856464,?,?,?,00007FF7E0867796,?,?,00000002,00007FF7E0879E6E), ref: 00007FF7E08591DB
    • ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN(?,?,?,00007FF7E0856464,?,?,?,00007FF7E0867796,?,?,00000002,00007FF7E0879E6E), ref: 00007FF7E08591F0
    • ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN(?,?,?,00007FF7E0856464,?,?,?,00007FF7E0867796,?,?,00000002,00007FF7E0879E6E), ref: 00007FF7E08591FF
    • ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN(?,?,?,00007FF7E0856464,?,?,?,00007FF7E0867796,?,?,00000002,00007FF7E0879E6E), ref: 00007FF7E0859212
    • ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN(?,?,?,00007FF7E0856464,?,?,?,00007FF7E0867796,?,?,00000002,00007FF7E0879E6E), ref: 00007FF7E0859225
    • ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z.MSVCP_WIN(?,?,?,00007FF7E0856464,?,?,?,00007FF7E0867796,?,?,00000002,00007FF7E0879E6E), ref: 00007FF7E0859249
    • ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z.MSVCP_WIN(?,?,?,00007FF7E0856464,?,?,?,00007FF7E0867796,?,?,00000002,00007FF7E0879E6E), ref: 00007FF7E085925E
    Similarity
    • API ID: D@std@@@std@@U?$char_traits@$?eback@?$basic_streambuf@$?egptr@?$basic_streambuf@?epptr@?$basic_streambuf@?pptr@?$basic_streambuf@?setg@?$basic_streambuf@?setp@?$basic_streambuf@D00@
    • String ID:
    • API String ID: 2626452370-0
    • Opcode ID: fd9a0a9e50be676fdc655645c5d94e1191374bc7ce2073a7e0c082820c18252a
    • Instruction ID: aeab9f16289c42e0d5e12a98ab8562c4d35163b55bb3a1cf83d5e0b9eff7bb9e
    • Opcode Fuzzy Hash: fd9a0a9e50be676fdc655645c5d94e1191374bc7ce2073a7e0c082820c18252a
    • Instruction Fuzzy Hash: CC119432A04A86CBE7006B25F414339FB90FF8FB52F98A131CA1E16755CF3CA458C621
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,00000000,00000000,?,00007FF7E081C63D), ref: 00007FF7E0852C29
    • _o_wcstol.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,00000000,00000000,?,00007FF7E081C63D), ref: 00007FF7E0852C53
    • ?_Xinvalid_argument@std@@YAXPEBD@Z.MSVCP_WIN(?,?,?,?,00000000,00000000,?,00007FF7E081C63D), ref: 00007FF7E0852C70
    Similarity
    • API ID: Xinvalid_argument@std@@_o__errno_o_wcstol
    • String ID: invalid stoi argument$stoi argument out of range
    • API String ID: 503588107-1606216832
    • Opcode ID: 67582d527fe91d97a67b2888f1fb616bbf3593617620bb60c456d336b9453458
    • Instruction ID: 9b07d9e199765dbc46d7a6dce9363cff7cb67d75dae4854a1fb6cda594349097
    • Opcode Fuzzy Hash: 67582d527fe91d97a67b2888f1fb616bbf3593617620bb60c456d336b9453458
    • Instruction Fuzzy Hash: A4115232618A41C2D714AF51F544278F760FB9AB91FC89072DA4E07B55CF3CE860C751
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CancelSynchronousIo.API-MS-WIN-CORE-IO-L1-1-1(?,?,00000000,00007FF7E086E794), ref: 00007FF7E087708C
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00000000,00007FF7E086E794), ref: 00007FF7E08770B4
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00000000,00007FF7E086E794), ref: 00007FF7E08770D2
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00000000,00007FF7E086E794), ref: 00007FF7E08770EB
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00000000,00007FF7E086E794), ref: 00007FF7E0877104
    Strings
    • onecore\windows\core\console\open\src\interactivity\onecore\coniosrvcomm.cpp, xrefs: 00007FF7E08770A1
    Similarity
    • API ID: CloseHandle$CancelSynchronous
    • String ID: onecore\windows\core\console\open\src\interactivity\onecore\coniosrvcomm.cpp
    • API String ID: 2419186852-2051704093
    • Opcode ID: f0c711347f30bb761f83e148b4daf10671029e9a6abbbb227eda6878ea483b3e
    • Instruction ID: ce6baddd547f65318cf13079c41fe79c96a42c34d964504e088bb6b438ac6ccd
    • Opcode Fuzzy Hash: f0c711347f30bb761f83e148b4daf10671029e9a6abbbb227eda6878ea483b3e
    • Instruction Fuzzy Hash: 25110B32504E4286EB14AF20E550378F7B4FB89F54BD94332CA6E46798DF38E464C761
    Uniqueness

    Uniqueness Score: -1.00%

    Similarity
    • API ID: default_delete
    • String ID:
    • API String ID: 3712186324-0
    • Opcode ID: 70836816703c6a91851eb3ebbb52bad29745bb23c46fe12cbc0c8e7f110563d6
    • Instruction ID: 9bd803748b0e02b03554795917cfcb52a091e66226bb180a0f2203aa2778412b
    • Opcode Fuzzy Hash: 70836816703c6a91851eb3ebbb52bad29745bb23c46fe12cbc0c8e7f110563d6
    • Instruction Fuzzy Hash: C471B422A1C68249EB60EB11E04577EE3A0FFA5B84F944136EA8D07B86DF3CE455C712
    Uniqueness

    Uniqueness Score: -1.00%

    Similarity
    • API ID:
    • String ID: onecore\windows\core\console\open\src\server\apidispatchers.cpp
    • API String ID: 0-3284698556
    • Opcode ID: 55aa0084a83d509916466cce73bd9debf9246c94179de1583d0194787e6a045f
    • Instruction ID: f45ae6e178c0b85c61b2c47fb740ce58ae4103a8e2c852d932b03441f8437ad8
    • Opcode Fuzzy Hash: 55aa0084a83d509916466cce73bd9debf9246c94179de1583d0194787e6a045f
    • Instruction Fuzzy Hash: A5F1A176B08B968AEB109B64E8403FC67A1FB8478CF958032DE4D57759DF38E5A1C321
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E08598D8
    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E08598EA
    • ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E085990B
    • ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z.MSVCP_WIN ref: 00007FF7E08599C4
    • ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E08599DE
    • ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z.MSVCP_WIN ref: 00007FF7E08599F6
    Similarity
    • API ID: D@std@@@std@@U?$char_traits@$D00@$?eback@?$basic_streambuf@?epptr@?$basic_streambuf@?gptr@?$basic_streambuf@?pptr@?$basic_streambuf@?setg@?$basic_streambuf@?setp@?$basic_streambuf@
    • String ID:
    • API String ID: 2849800682-0
    • Opcode ID: 9f776588e57b1de3c2b79c687690192d845ba969c5bd1f8c9f3aee907e9b27ad
    • Instruction ID: d4580017cd8823976846772e3de5e932552c14a41b0609953480ffc2e2c902f4
    • Opcode Fuzzy Hash: 9f776588e57b1de3c2b79c687690192d845ba969c5bd1f8c9f3aee907e9b27ad
    • Instruction Fuzzy Hash: 3D41D132A09B9186EA566B12990837AEAD0EF49FD4FC84136CD9D17794DF3CF460C222
    Uniqueness

    Uniqueness Score: -1.00%

    Similarity
    • API ID: MonitorRect$FromInfoWindow$EmptyEqual
    • String ID:
    • API String ID: 1512513361-0
    • Opcode ID: 8461f421c73a057cc16f1a1f7ff4a400b3bd8bb5649a2bb3e93a0b85775b1560
    • Instruction ID: 960dce742a6e063cf4cfbabbc833326c87ae676d921646e7524370c3ed698a36
    • Opcode Fuzzy Hash: 8461f421c73a057cc16f1a1f7ff4a400b3bd8bb5649a2bb3e93a0b85775b1560
    • Instruction Fuzzy Hash: AE517732A08B428AEB00AF65D8402BCB7B0FB59B88B859136DE0D13714EF38E5A5C751
    Uniqueness

    Uniqueness Score: -1.00%

    Similarity
    • API ID: EnableItemMenu
    • String ID:
    • API String ID: 1841910628-0
    • Opcode ID: a69b66f216c0165ed59490d104911a34f2bbfc73e2be31879352639ba26c9cb0
    • Instruction ID: cc9034359afdd028dd3af8aca3db34b97913320c3ba2202bd040337ef524495c
    • Opcode Fuzzy Hash: a69b66f216c0165ed59490d104911a34f2bbfc73e2be31879352639ba26c9cb0
    • Instruction Fuzzy Hash: CB41D722A0D7D246E7216B14A418738EFA0EF86B84FDC6036CD4943786CF3CB454DB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859A6C
    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859A7E
    • ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859A9F
    • ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z.MSVCP_WIN ref: 00007FF7E0859AF0
    • ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859B0A
    • ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z.MSVCP_WIN ref: 00007FF7E0859B22
    Similarity
    • API ID: D@std@@@std@@U?$char_traits@$D00@$?eback@?$basic_streambuf@?epptr@?$basic_streambuf@?gptr@?$basic_streambuf@?pptr@?$basic_streambuf@?setg@?$basic_streambuf@?setp@?$basic_streambuf@
    • String ID:
    • API String ID: 2849800682-0
    • Opcode ID: 3078223af781b2fb2acaa49924e7c6a51ca2107b40ef13fa0c06e8dd46a6646c
    • Instruction ID: 0667c309478fd75c5608410ec6d36235d5968ee4a68fb1dce67b469fa18d8469
    • Opcode Fuzzy Hash: 3078223af781b2fb2acaa49924e7c6a51ca2107b40ef13fa0c06e8dd46a6646c
    • Instruction Fuzzy Hash: 3B319421A05F9186EA55AF12E504379F6A0FB49FA0F884136CE5D07794DF3CE461C322
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E0884520: GetUserDefaultLocaleName.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7E0884554
    • _o_roundf.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7E0884798
    • ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7E08847ED
    • ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7E08847FA
      • Part of subcall function 00007FF7E07F6A74: _o_wcscpy_s.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00007FF7E07F69DC), ref: 00007FF7E07F6A94
    Similarity
    • API ID: ceilf$DefaultLocaleNameUser_o_roundf_o_wcscpy_s
    • String ID: $onecore\windows\core\console\open\src\renderer\dx\dxrenderer.cpp
    • API String ID: 1877041966-2592510457
    • Opcode ID: 0b81f494d37291cdbc9bf6cd68331e73fe9c1b440e56e7df9adee94f622094d9
    • Instruction ID: 0fcec4dd7191a1a3cb4d927f87ad69293dea13c8a5c4e46705c7c3d011160b11
    • Opcode Fuzzy Hash: 0b81f494d37291cdbc9bf6cd68331e73fe9c1b440e56e7df9adee94f622094d9
    • Instruction Fuzzy Hash: 63E19F22618A8591E611AB35E4407EAF360FFD9784F806233EA8DA3B65DF3CF455CB11
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FF7E0814526,?,?,?,?,00007FF7E08133BC), ref: 00007FF7E081440D
    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FF7E0814526,?,?,?,?,00007FF7E08133BC), ref: 00007FF7E081442D
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FF7E0814526,?,?,?,?,00007FF7E08133BC), ref: 00007FF7E081444D
    • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FF7E0814526,?,?,?,?,00007FF7E08133BC), ref: 00007FF7E081445C
    • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FF7E0814526,?,?,?,?,00007FF7E08133BC), ref: 00007FF7E08144B4
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FF7E0814526,?,?,?,?,00007FF7E08133BC), ref: 00007FF7E08144D9
    Similarity
    • API ID: Lock$AcquireCriticalExclusiveReleaseSectionShared$EnterLeave
    • String ID:
    • API String ID: 3221859647-0
    • Opcode ID: 0fb2b8643c1750d9ec6887a9461d2bf4b50a3b6f18594da4b3aa1edbeccf63a9
    • Instruction ID: 906bd6c439f84ba52a2482bf5f083b763f1b01660d8989b20b92ae029f2df87a
    • Opcode Fuzzy Hash: 0fb2b8643c1750d9ec6887a9461d2bf4b50a3b6f18594da4b3aa1edbeccf63a9
    • Instruction Fuzzy Hash: 50319F22B09A5186EA11AF11E500379EB60FF89F90BC9A132DE0E1BB05DF3CF4958725
    Uniqueness

    Uniqueness Score: -1.00%

    Similarity
    • API ID: LoadMetricsSystem$IconImage
    • String ID:
    • API String ID: 1419466641-0
    • Opcode ID: a3b2a5e09a3be08ed5a21d5fbe8d6cea0f2e8cc6b2f763d5809ee226f82dcbdf
    • Instruction ID: 2f5cad3b37132c1da52fd1f3850412d703f72c01f251146ae7b0d9734a4a944f
    • Opcode Fuzzy Hash: a3b2a5e09a3be08ed5a21d5fbe8d6cea0f2e8cc6b2f763d5809ee226f82dcbdf
    • Instruction Fuzzy Hash: 4421AF32A08B8287E7156B25A00033AEAF1FF8C785F958136DA4E43795DF3DF4618722
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859BA6
    • ?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859BBA
    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859BCC
    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859BEC
    • ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859C00
    • ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859C12
    Similarity
    • API ID: D@std@@@std@@U?$char_traits@$?pptr@?$basic_streambuf@$?eback@?$basic_streambuf@?egptr@?$basic_streambuf@?gptr@?$basic_streambuf@?pbase@?$basic_streambuf@
    • String ID:
    • API String ID: 2812601886-0
    • Opcode ID: 76a16eaecf9adbb4869d35939d9fdd9d41bd77e51ab5bb702147e18b6369a4b4
    • Instruction ID: 3e806f7ab149d92b40c4c5d9908533f53102ab8f318a317feacc5c2f3ba8afeb
    • Opcode Fuzzy Hash: 76a16eaecf9adbb4869d35939d9fdd9d41bd77e51ab5bb702147e18b6369a4b4
    • Instruction Fuzzy Hash: 2321F932A0878186EB046F15E55437CBBA1FB4AF80F988179CA4D17751CF7CE8A5C752
    Uniqueness

    Uniqueness Score: -1.00%

    Similarity
    • API ID: InfoMessagePostWindowmemmove
    • String ID: __DefaultTTFont__$onecore\windows\core\console\open\src\interactivity\win32\menu.cpp
    • API String ID: 1336903424-1124889736
    • Opcode ID: 0d2c16886e010c375ceff02216363e3df32eabc2f377190ad1ddcdc8c4a8b1ab
    • Instruction ID: 3768d5c835961d87a128b1699af6d2e54feed18b48027bbcaf41479ae00a43e6
    • Opcode Fuzzy Hash: 0d2c16886e010c375ceff02216363e3df32eabc2f377190ad1ddcdc8c4a8b1ab
    • Instruction Fuzzy Hash: CEE19926B082829AE704EB65D4407ADBBB1FB58744F840036DE0D97B56DF38F4B4CB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • onecore\windows\core\console\open\src\host\stream.cpp, xrefs: 00007FF7E084341E
    • onecore\windows\core\console\open\src\server\objecthandle.cpp, xrefs: 00007FF7E0843380
    Similarity
    • API ID: default_delete
    • String ID: onecore\windows\core\console\open\src\host\stream.cpp$onecore\windows\core\console\open\src\server\objecthandle.cpp
    • API String ID: 3712186324-1446427362
    • Opcode ID: 7a45ce00970e47c52ad0009c808c3e5fa5b616802f2505975e52181b171fea42
    • Instruction ID: 516803c9186fe322ccc222ff1c1d2d92d88afdc928239efa3677731fcf2849c0
    • Opcode Fuzzy Hash: 7a45ce00970e47c52ad0009c808c3e5fa5b616802f2505975e52181b171fea42
    • Instruction Fuzzy Hash: 0EB1D32260968285EA61AF21D04037AE7A0FFA1F84F958033DE4D67795DF3CF865D722
    Uniqueness

    Uniqueness Score: -1.00%

    Similarity
    • API ID:
    • String ID: Access attempted beyond valid size.$invalid array<T, N> subscript
    • API String ID: 0-3498661005
    • Opcode ID: 3af32187d5bfc8bfc847fc2421240af4388805316c144439daf0c6700f513cf8
    • Instruction ID: b6041d48b216331322064c2091916c96e0c3dde59eecdb96ba972b4f131a8a9c
    • Opcode Fuzzy Hash: 3af32187d5bfc8bfc847fc2421240af4388805316c144439daf0c6700f513cf8
    • Instruction Fuzzy Hash: D1D1A622918AC685EB11DF64E4412FDF770FB95348F805222EB8D17A6AEF7CE695C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF7E0815C34), ref: 00007FF7E0816112
      • Part of subcall function 00007FF7E0815C88: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,00007FF7E0814857), ref: 00007FF7E0815CB3
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF7E0815C34), ref: 00007FF7E08161B1
    • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF7E0815C34), ref: 00007FF7E08161C5
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF7E0815C34), ref: 00007FF7E08161D1
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF7E0815C34), ref: 00007FF7E08161E5
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF7E0815C34), ref: 00007FF7E0816399
    • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF7E0815C34), ref: 00007FF7E08163AD
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Heap$Process$Free$AddressAllocProcmemset
    • String ID:
    • API String ID: 2515388404-0
    • Opcode ID: 4c27764ffaf48febe6b084884596d5765b9a398c846ade67ae7245ecb8db0036
    • Instruction ID: 4d5a2f94470deb787967114fb392500fd5f56c3ea9a27c743b6baece5c21ea8a
    • Opcode Fuzzy Hash: 4c27764ffaf48febe6b084884596d5765b9a398c846ade67ae7245ecb8db0036
    • Instruction Fuzzy Hash: 45919032A04B528AEB20DF65E4006ADBBB0FB49B48B844536DF8E53B55DF3CE464C721
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: default_delete$memmove
    • String ID: onecore\windows\core\console\open\src\host\readdataraw.cpp
    • API String ID: 1454313208-2856902044
    • Opcode ID: 3f952c808f3a5d9977e1dfadac96ec167f8a572ac05e3383780fae57e0c1ea80
    • Instruction ID: 252eb06f458a920dfeec3908cd42f791661959ccc02f6e6336741c1bbdd2a711
    • Opcode Fuzzy Hash: 3f952c808f3a5d9977e1dfadac96ec167f8a572ac05e3383780fae57e0c1ea80
    • Instruction Fuzzy Hash: D681D52261C68189EB61EB21D04137EFB90FB55B95F85413ADA8D0779BCF3CE460C712
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ErrorLastOpenSemaphore
    • String ID: _p0$wil
    • API String ID: 1909229842-1814513734
    • Opcode ID: 2268b22ae84e5958d74ae46bf5b8446627f93ea05c0a2da666ec465def3f7ce9
    • Instruction ID: 686cadfa891a4a74fa010909d2ce0c66b77893b184e7f192ee5713bdb982a16d
    • Opcode Fuzzy Hash: 2268b22ae84e5958d74ae46bf5b8446627f93ea05c0a2da666ec465def3f7ce9
    • Instruction Fuzzy Hash: 1D71D462B19A8295FF65EB2594103B9A2E0FF94B84FC44133DA4E07795DE3CF964C321
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,00000000,?,001E0078,00007FF7E081BF2D), ref: 00007FF7E08221F2
    • ?_Xlength_error@std@@YAXPEBD@Z.MSVCP_WIN(?,?,?,?,00000000,?,001E0078,00007FF7E081BF2D), ref: 00007FF7E0822206
    • _o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,00007FF7E0854A9B,?,?,?,00007FF7E082B657), ref: 00007FF7E0822228
      • Part of subcall function 00007FF7E080FD8C: _o_malloc.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00007FF7E080393E,?,?,?,?,00007FF7E082A040,?,?,?,?,?,?,?), ref: 00007FF7E080FDA6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: _o_terminate$Xlength_error@std@@_o_malloc
    • String ID: list<T> too long$onecore\windows\core\console\open\src\host\screeninfo.cpp
    • API String ID: 1587979356-3049636842
    • Opcode ID: 2a72b04dd71178c7f887f5a12763b0528f33d0916cf241c28ebcbb85c1543813
    • Instruction ID: 1e7d1aad0fb9123a9ff99d2df33ce944bf24293be1a49bcee136c777e4a3a67c
    • Opcode Fuzzy Hash: 2a72b04dd71178c7f887f5a12763b0528f33d0916cf241c28ebcbb85c1543813
    • Instruction Fuzzy Hash: 35716D36908B5281E724EF25E4403BAB7A0FB64B58F954136DA8C17765DF3CF8A1C325
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?_Xlength_error@std@@YAXPEBD@Z.MSVCP_WIN(?,00000101,?,00007FF7E085AD9B,?,?,?,?,?,?,?,?,00007FF7E085ABF2,?,?,00000001), ref: 00007FF7E085AE0A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xlength_error@std@@
    • String ID: UUUUUUUU$VUUUUUUU$VUUUUUUU$vector<T> too long
    • API String ID: 1004598685-446613321
    • Opcode ID: 9717c9da8d60016bd69831e33968d632646f48a00e23cc84574f81e93b032ba8
    • Instruction ID: 35647bd254e9d80550d31ac05319b53eb67e3c13111f70e451e4cba73574fb62
    • Opcode Fuzzy Hash: 9717c9da8d60016bd69831e33968d632646f48a00e23cc84574f81e93b032ba8
    • Instruction Fuzzy Hash: CE41BE62B05A9482DE14CF1AE554269F765FB98FD0B948133DE9D4BB94DE3CE461C300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: default_delete
    • String ID: invalid deque<T> subscript$onecore\windows\core\console\open\src\host\_stream.cpp
    • API String ID: 3712186324-3945297005
    • Opcode ID: 0563db78b98e92c24f906bf9c285beae0941d57e5438626cf47b06e23704ec9c
    • Instruction ID: cbc58ee7d353f2ec811b88f0dcdae19ed71f63704d30c7bff12257bec9ecf68b
    • Opcode Fuzzy Hash: 0563db78b98e92c24f906bf9c285beae0941d57e5438626cf47b06e23704ec9c
    • Instruction Fuzzy Hash: 26316D71A08B5286EA50AB59E4442AAF3A4FF98B80FD44132EA8D53759CF7CF474C721
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E08072C4
    • memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7E08072EB
    • _time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7E0807326
      • Part of subcall function 00007FF7E080D800: EventRegister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0(?,?,?,?,?,?,000001C82450C120,00007FF7E080733E), ref: 00007FF7E080D84C
      • Part of subcall function 00007FF7E080D800: EventSetInformation.API-MS-WIN-EVENTING-PROVIDER-L1-1-0(?,?,?,?,?,?,000001C82450C120,00007FF7E080733E), ref: 00007FF7E080D871
      • Part of subcall function 00007FF7E08073CC: EventActivityIdControl.API-MS-WIN-EVENTING-PROVIDER-L1-1-0(?,?,?,?,00007FF7E0807343), ref: 00007FF7E08073E5
      • Part of subcall function 00007FF7E0809654: EventWriteTransfer.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FF7E08096D7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Event$memset$ActivityControlInformationRegisterTransferWrite_time64
    • String ID: bash.exe
    • API String ID: 1899261239-706137074
    • Opcode ID: 2aca6ba8a165d0e14e754e04ea226aabb8ec41ebf91112347fb57d24d2fb9d09
    • Instruction ID: 30896e80d0e43eea36d4c0b923e615ae43167bb8ee6526fd722b0e26da00c767
    • Opcode Fuzzy Hash: 2aca6ba8a165d0e14e754e04ea226aabb8ec41ebf91112347fb57d24d2fb9d09
    • Instruction Fuzzy Hash: 75411328A1CA4295FA10BB14F8513B9B3A0FF58354FC0523BE58C427A6DF3CB0658B23
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: AddressExceptionHandleModuleProcThrow
    • String ID: RaiseFailFastException$kernelbase.dll
    • API String ID: 1273124314-919018592
    • Opcode ID: 774e1f01f8ff696480aafbb6591747e7c7e73f6ffecc91957a92168d70910420
    • Instruction ID: 54f51567864b5fefe8a2fa14368263080477c3a4f18b87d8736c2489c11788d0
    • Opcode Fuzzy Hash: 774e1f01f8ff696480aafbb6591747e7c7e73f6ffecc91957a92168d70910420
    • Instruction Fuzzy Hash: 0C115421E18B8181EA50AB11F8403B9E760FF9DB80FD49232E98D17B15EF3CE5A4C711
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,00000000,00007FF7E08059C2,?,?,00000000,00007FF7E07F3895), ref: 00007FF7E0805A8F
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,00000000,00007FF7E08059C2,?,?,00000000,00007FF7E07F3895), ref: 00007FF7E0805AB2
    • GetSystemMetrics.USER32 ref: 00007FF7E08224F0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: AddressProc$MetricsSystem
    • String ID: GetDpiMetrics$GetSystemMetricsForDpi
    • API String ID: 1058010697-1926441701
    • Opcode ID: 870d910ea766203a309d06d1c08e010de39d5cc7c575f33755eef3d616031376
    • Instruction ID: 1dfa4ad53902b1bbf9152080d822d5439e79d10d517f40f157906c7589545bde
    • Opcode Fuzzy Hash: 870d910ea766203a309d06d1c08e010de39d5cc7c575f33755eef3d616031376
    • Instruction Fuzzy Hash: 32112B21F09B5296FB146B14E880339E7A1BB59B44FC89137C90E46761CF3CF864C722
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ErrorLastLibrary$FreeLoad
    • String ID: uxtheme.dll
    • API String ID: 1452865118-291804724
    • Opcode ID: 5c428ecbb47be5985d29b916de15f634b6a37ca79d304ddba89552af80ba823d
    • Instruction ID: abef50bb62fa484fd17a00414aa890fb0ee435ce2e741f999ae46252a22e018b
    • Opcode Fuzzy Hash: 5c428ecbb47be5985d29b916de15f634b6a37ca79d304ddba89552af80ba823d
    • Instruction Fuzzy Hash: FD010C31A08B81CAE7006F11E440379FA64FB8DB81F989171DA4E07759DF3CE4658710
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,00007FF7E086E1D3), ref: 00007FF7E086E0F9
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,00007FF7E086E1D3), ref: 00007FF7E086E130
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: NtOpenFile$ntdll.dll$onecore\windows\core\console\open\src\server\winntcontrol.cpp
    • API String ID: 2574300362-2293150788
    • Opcode ID: b1bd1531d35623811a58369ad4a83d88b4027a4ed46e59b38f6004a85d40806c
    • Instruction ID: d9a690c78d699bdadcc8190559907997e7ab5a826e32ee55d96cb6a2b2de6e1f
    • Opcode Fuzzy Hash: b1bd1531d35623811a58369ad4a83d88b4027a4ed46e59b38f6004a85d40806c
    • Instruction Fuzzy Hash: 96012935A18B4686EA10EB45E8807A4B7A0FB88741FD88537C95D13728EF3CF1648761
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID: Escape$Ground$OscTermination$Print
    • API String ID: 0-1586554955
    • Opcode ID: 4cc34e71eff768f83918a14d0fca74ebbe29ed5f1df80cc9af0f2e12c871b7b1
    • Instruction ID: 1055dc81730370dd16025644984156eeddba37bce80b9885be6addd2c63494b7
    • Opcode Fuzzy Hash: 4cc34e71eff768f83918a14d0fca74ebbe29ed5f1df80cc9af0f2e12c871b7b1
    • Instruction Fuzzy Hash: 9E716F2190C61285ED14F71591A537DE356BF8A385FD1413BD68E47B9ACE7CF8318222
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID: onecore\windows\core\console\open\src\host\input.cpp
    • API String ID: 3168844106-1659879473
    • Opcode ID: 903bdddec1fee752dc86eb549503d78c47410d9580e8d545422b19b67da23a25
    • Instruction ID: 04a06497c5210100f2291fe662b7ffbbb77c23e9b5f1b5b6d24825a43e12acd3
    • Opcode Fuzzy Hash: 903bdddec1fee752dc86eb549503d78c47410d9580e8d545422b19b67da23a25
    • Instruction Fuzzy Hash: 1341BF35B0860286E621AB25E554379EBA0FF56B80FD45133DE1D437A5EF3CF825CA22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalSection$Leave$CloseEnterHandle
    • String ID: onecore\windows\core\console\open\src\host\input.cpp
    • API String ID: 409575328-1659879473
    • Opcode ID: 068db45a7ee2fc14f8ff2381333a4a6c0b2df748c2d12f0909ade1dab273298f
    • Instruction ID: e30a5b7145aab049ed12ae3f8c0963105ca9747f9ea69dcec54a945c5a3198d2
    • Opcode Fuzzy Hash: 068db45a7ee2fc14f8ff2381333a4a6c0b2df748c2d12f0909ade1dab273298f
    • Instruction Fuzzy Hash: F4417E35A0964286E621AB25E400779EBA0FF55B84FD06133DD0D437A5CF3CF825CA32
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E0842F00: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000028,00007FF7E08502AF,?,?,?,?,00000000,?,00000000,00007FF7E08501BC), ref: 00007FF7E0842F2D
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,00000000,?,00000000,00007FF7E08501BC), ref: 00007FF7E08502BC
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,00000000,?,00000000,00007FF7E08501BC), ref: 00007FF7E08502CF
    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,00000000,?,00000000,00007FF7E08501BC), ref: 00007FF7E0850329
    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,00000000,?,00000000,00007FF7E08501BC), ref: 00007FF7E0850385
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ByteCharMultiWidememmove$memset
    • String ID: onecore\windows\core\console\open\src\host\utf8towidecharparser.cpp
    • API String ID: 2437670355-2572910317
    • Opcode ID: d424c25434414199a8bc6626623e542bff93f4cf6804d30ee96411a2788f549d
    • Instruction ID: 83c20bbe1a61a7c20d0f833e2b5e246ca0f8d7ddb822faff15202563c3dcadd8
    • Opcode Fuzzy Hash: d424c25434414199a8bc6626623e542bff93f4cf6804d30ee96411a2788f549d
    • Instruction Fuzzy Hash: 9C416D72A0C68287E610EB52E5406AEF7A1FB84B80F848036EA4D57B55DF3CF871CB51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memset$AlpcPortReceiveSendWait_o__errno_o__invalid_parameter_noinfomemmove
    • String ID:
    • API String ID: 3940503590-0
    • Opcode ID: 2b4a2d6b13f83a7f593e17790240c5dafbde43e958407915a9e3ce93dd326837
    • Instruction ID: a082699b1a796f1970c2870356051ac4ca8aca548233ead9aa69ad646d4a6e35
    • Opcode Fuzzy Hash: 2b4a2d6b13f83a7f593e17790240c5dafbde43e958407915a9e3ce93dd326837
    • Instruction Fuzzy Hash: E921E232B4D746C2E620AB65E44436AF3A0FF45B80B885036DB8D83B4ACF7DF4918725
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • default_delete.LIBCPMT ref: 00007FF7E08379B6
    • _Mtx_destroy_in_situ.MSVCP_WIN(?,?,?,00007FF7E0838DFD,?,?,?,00007FF7E080F390), ref: 00007FF7E08379C0
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,00007FF7E0838DFD,?,?,?,00007FF7E080F390), ref: 00007FF7E08379DB
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,00007FF7E0838DFD,?,?,?,00007FF7E080F390), ref: 00007FF7E08379F6
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,00007FF7E0838DFD,?,?,?,00007FF7E080F390), ref: 00007FF7E0837A11
      • Part of subcall function 00007FF7E0837A38: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00000000,00007FF7E0822F39), ref: 00007FF7E0837A63
      • Part of subcall function 00007FF7E0837A38: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00000000,00007FF7E0822F39), ref: 00007FF7E0837A7D
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CloseHandle$Mtx_destroy_in_situdefault_delete
    • String ID:
    • API String ID: 1176461943-0
    • Opcode ID: 6e1be804b6b4fa53dda71a057ea5a0f9106ea20e77364808e4c025cf8417f651
    • Instruction ID: 29a7fbaaea265734c72c83e8d7092696dd056bbf234cd28f10b99ee202072d76
    • Opcode Fuzzy Hash: 6e1be804b6b4fa53dda71a057ea5a0f9106ea20e77364808e4c025cf8417f651
    • Instruction Fuzzy Hash: 9011EC21605A4286EA106B65D44077CE7A0FF86B75BD45732CA7D473D4DF3CE468C362
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0827C0D), ref: 00007FF7E08165FA
    • _o__invalid_parameter_noinfo.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0827C0D), ref: 00007FF7E081660D
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: _o__errno_o__invalid_parameter_noinfo
    • String ID:
    • API String ID: 2671245207-0
    • Opcode ID: 24415926d3ee476f0c58ec62fe3a4579c29719075c8639ff521ee5c3ce8230c2
    • Instruction ID: 404723577e6093cedf70ccb4cf7143f3f2c54c516676897edf318cbe9cb5fdc1
    • Opcode Fuzzy Hash: 24415926d3ee476f0c58ec62fe3a4579c29719075c8639ff521ee5c3ce8230c2
    • Instruction Fuzzy Hash: 65018061E0D64382FA503B51A5403B9E7509F69BD4FD48436EE8E1778BCE3CB8714622
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ConditionMask$InfoVerifyVersionmemset
    • String ID:
    • API String ID: 375572348-0
    • Opcode ID: f47bddfb2f8a75bb9cda1a97ffca19ea07f3ac28074e03505e6b1a483f031f92
    • Instruction ID: 7996331b58114e4b7c5767d79763077455fcc6284f7cad09268f68ec4a54c115
    • Opcode Fuzzy Hash: f47bddfb2f8a75bb9cda1a97ffca19ea07f3ac28074e03505e6b1a483f031f92
    • Instruction Fuzzy Hash: AA113D3260868187E720DF21E4513EAF7A1FB8DB05F819225CA4D4B715EF3CE519CB65
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SignalObjectAndWait.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF7E0865703
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7E0865713
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00000001,00007FF7E0841D94,?,?,?,00007FF7E0841D6A), ref: 00007FF7E086572D
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00000001,00007FF7E0841D94,?,?,?,00007FF7E0841D6A), ref: 00007FF7E0865747
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00000001,00007FF7E0841D94,?,?,?,00007FF7E0841D6A), ref: 00007FF7E0865761
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CloseHandle$ObjectSignalWait
    • String ID:
    • API String ID: 1085041809-0
    • Opcode ID: b7582d90487d11762a75e502340f8b40b2efef550ba094f475c9484f4599503a
    • Instruction ID: d9009c090d88b70463d38f7111d7ebc53f5420c81b16a5a3e7ba2e7763b88b81
    • Opcode Fuzzy Hash: b7582d90487d11762a75e502340f8b40b2efef550ba094f475c9484f4599503a
    • Instruction Fuzzy Hash: F2113A36605B42C6EB059F60E455338B7B0FF8AF49F959632CA5D0A358CF38E469C361
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • onecore\windows\core\console\open\src\host\inputbuffer.cpp, xrefs: 00007FF7E083FE74
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: default_delete
    • String ID: onecore\windows\core\console\open\src\host\inputbuffer.cpp
    • API String ID: 3712186324-425006629
    • Opcode ID: 0ee274926705595e3af977bcfb282ae1a1d3d9a48d04c946438012163d37ac10
    • Instruction ID: 4889811e37adb337da987a57bef5ee6cbccbadfe3d14899b657f0e95cb03937c
    • Opcode Fuzzy Hash: 0ee274926705595e3af977bcfb282ae1a1d3d9a48d04c946438012163d37ac10
    • Instruction Fuzzy Hash: D8D15032A09B4585FB10EB61D4502AEB3B5FB84B88F904033EA8D577A9DF3CE925C751
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ClientRect
    • String ID: $W$onecore\windows\core\console\open\src\renderer\dx\dxrenderer.cpp
    • API String ID: 846599473-1401837405
    • Opcode ID: 9b15fd788ad6baeaee8bf4d232ace6384cda657d030338d1cbd337fd37c0ceb7
    • Instruction ID: e850bf720b29d3ac500f2a95a3601a9f3d4dc48ab4ff0ccaa0fbece028a55125
    • Opcode Fuzzy Hash: 9b15fd788ad6baeaee8bf4d232ace6384cda657d030338d1cbd337fd37c0ceb7
    • Instruction Fuzzy Hash: 99C1C132608B8286E760EF25E4407AAB7A4FB89780FD15136DA8D57B55DF3CE054CB21
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • onecore\windows\core\console\open\src\buffer\out\outputcellrect.cpp, xrefs: 00007FF7E0845EEB
    • onecore\windows\core\console\open\src\host\screeninfo.cpp, xrefs: 00007FF7E0845E77
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: _o_terminate
    • String ID: onecore\windows\core\console\open\src\buffer\out\outputcellrect.cpp$onecore\windows\core\console\open\src\host\screeninfo.cpp
    • API String ID: 882196631-1126056439
    • Opcode ID: 279b55d1be5724a1524f555df0d655f4f23f42a9b558cd391aad1a2978c89c25
    • Instruction ID: bcf8bdb78a023d05d3a26ce0eb1fc81e12b3a572043bc64de4d4e53f19fa2a2c
    • Opcode Fuzzy Hash: 279b55d1be5724a1524f555df0d655f4f23f42a9b558cd391aad1a2978c89c25
    • Instruction Fuzzy Hash: 07B19F22A08BC189EB10EF25E8403EDB7B0FB95754F905132EA8D47B5AEF38E565C711
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E083277F
    • _o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7E0832AFA
      • Part of subcall function 00007FF7E0802BCC: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000001,?,00000000,00007FF7E0875ED6,?,?,?,?,00000000,00007FF7E0824487), ref: 00007FF7E0802BFC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave_o_terminate
    • String ID: onecore\windows\core\console\open\src\host\alias.cpp
    • API String ID: 1404396024-1127424212
    • Opcode ID: f62e0f3bf0319b34bd3184a3e4d40a0347be2cc2d5b9b66fd73008aaf06889ab
    • Instruction ID: 86fe86570d62db4c33a5ad54769a292b9b7edbfa0b376b6429d87b5223c22c1a
    • Opcode Fuzzy Hash: f62e0f3bf0319b34bd3184a3e4d40a0347be2cc2d5b9b66fd73008aaf06889ab
    • Instruction Fuzzy Hash: DCB1863260DAC286EA20BB24E4503AAE360FBD9744F909533EA8D53B59DF3CF554CB11
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E083614F
    • _o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7E0836423
      • Part of subcall function 00007FF7E0802BCC: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000001,?,00000000,00007FF7E0875ED6,?,?,?,?,00000000,00007FF7E0824487), ref: 00007FF7E0802BFC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave_o_terminate
    • String ID: onecore\windows\core\console\open\src\host\history.cpp
    • API String ID: 1404396024-3034099481
    • Opcode ID: 40df7c4616b1eedb3490bcb172abd129cad79aa6ad56f816d74ff3b8dd8774af
    • Instruction ID: 24c4b12de5cda63a9bba779a5a4b172aa5c8a41f5c05d2030d454b1413c57da0
    • Opcode Fuzzy Hash: 40df7c4616b1eedb3490bcb172abd129cad79aa6ad56f816d74ff3b8dd8774af
    • Instruction Fuzzy Hash: 4BA1A922A1DA8282EA50BB24E4503BAE360FFD9744F909533EA8D53B59DF7CF464C711
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E0831C9B
    • _o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7E0831F12
      • Part of subcall function 00007FF7E0802BCC: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000001,?,00000000,00007FF7E0875ED6,?,?,?,?,00000000,00007FF7E0824487), ref: 00007FF7E0802BFC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave_o_terminate
    • String ID: onecore\windows\core\console\open\src\host\alias.cpp
    • API String ID: 1404396024-1127424212
    • Opcode ID: c1bcddcb767d151dc5a7a09ee8f79d14cce3493aa5340d7b17eaeef69a30902a
    • Instruction ID: cf2f367c5c37d10a0ed5729f51e6572e5311c0781fac049bf174799987eacdc9
    • Opcode Fuzzy Hash: c1bcddcb767d151dc5a7a09ee8f79d14cce3493aa5340d7b17eaeef69a30902a
    • Instruction Fuzzy Hash: 8F818E21A0DA8282EA50BB25E4503BAE3A0FFD9B54F805533EA8D53756DF7CF460C721
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: InvertRect$ScrollWindow
    • String ID: onecore\windows\core\console\open\src\renderer\gdi\paint.cpp
    • API String ID: 2048803274-3409953778
    • Opcode ID: d0b8c9b47d5f615f309a6a7c09df019e1ce5aa864076f98dd404c2d1a3f6cf98
    • Instruction ID: 16c6cfb193d53402969bf4d68fbb2d11c150c337342a3e33ae81e19b50e0486a
    • Opcode Fuzzy Hash: d0b8c9b47d5f615f309a6a7c09df019e1ce5aa864076f98dd404c2d1a3f6cf98
    • Instruction Fuzzy Hash: A471B232B08B828AEB10DF25D4406BDA761FB48B98F949236DE0D97B54DF38F4A1C751
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CreateSemaphore
    • String ID: _p0$wil
    • API String ID: 1078844751-1814513734
    • Opcode ID: 5363f88a2a4c080c93fda53401a3d290b8b620af0846554e3479f07cc01c28c2
    • Instruction ID: 29c64086c62700c956da4a2f7168bb098a74626a5558aced3ddd95c6daf42eb8
    • Opcode Fuzzy Hash: 5363f88a2a4c080c93fda53401a3d290b8b620af0846554e3479f07cc01c28c2
    • Instruction Fuzzy Hash: 1151D262F1964686FE25AF2494543BAE3D0BF84B94FD44536DA8D07784EF3CF4258321
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,00007FF7E086B1BF,?,?,00000000,?,00000000,00007FF7E08210DF), ref: 00007FF7E086ABF5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memset
    • String ID: list<T> too long$onecore\windows\core\console\open\src\server\waitblock.cpp
    • API String ID: 2221118986-3756024062
    • Opcode ID: 641b59db7f65a3ab08e139c3f2af9518f3cb42f67ecdc0b6212fba24bd7b8df0
    • Instruction ID: 25b5ba8895dcb3cb88dcfa6c72ec0bf1fd79f96b3a1f0a376c552f4b38d017bd
    • Opcode Fuzzy Hash: 641b59db7f65a3ab08e139c3f2af9518f3cb42f67ecdc0b6212fba24bd7b8df0
    • Instruction Fuzzy Hash: 24613E32914F8486E310DF25E9403A8B7A4F7A9788F56D226DB8C17B56DF78E2E4C350
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memmove$Xlength_error@std@@
    • String ID: vector<T> too long
    • API String ID: 1743304318-3788999226
    • Opcode ID: 6aff1f75edffbdf4b80d613d3d6867ab484c2079979520281b4ed76577727b7f
    • Instruction ID: deeb9b97286b29a668a32aaba2ed5aa01f3613a97f5b9a2cdfda5f3d1d38c58d
    • Opcode Fuzzy Hash: 6aff1f75edffbdf4b80d613d3d6867ab484c2079979520281b4ed76577727b7f
    • Instruction Fuzzy Hash: EF31F262B14A8982CE10DFAAE9044A9E760F758BD0B849227DF9C47395EF7CF191C300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E0804E6C: memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7E0804F4D
    • ?_Xout_of_range@std@@YAXPEBD@Z.MSVCP_WIN ref: 00007FF7E085B0A3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xout_of_range@std@@memmove
    • String ID: VUUUUUUU$VUUUUUUU$invalid vector<T> subscript
    • API String ID: 1894236298-1373641553
    • Opcode ID: d7f7870fa350f9f146b3f48668fcc591c04c79c586d27b06217e8ad9d5010fb2
    • Instruction ID: 2f5c297add9c9acf8bb1154c634fd407581c63792d7f904d8d3b3f25beb6177b
    • Opcode Fuzzy Hash: d7f7870fa350f9f146b3f48668fcc591c04c79c586d27b06217e8ad9d5010fb2
    • Instruction Fuzzy Hash: 3B31E162B04A4986DA14EF16E5043AAA760F794FD4F984036DE5E0B760EE38F596C340
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memmove$Xlength_error@std@@
    • String ID: vector<T> too long
    • API String ID: 1743304318-3788999226
    • Opcode ID: 208dce97dfcf3630004ad17c013da983815f5fdfdf5fffa99dea6ce1f33f18a4
    • Instruction ID: a0f4978d83edda2508e54fbf26efcdea772e520b8f8a5850a91c8c5f67149c23
    • Opcode Fuzzy Hash: 208dce97dfcf3630004ad17c013da983815f5fdfdf5fffa99dea6ce1f33f18a4
    • Instruction Fuzzy Hash: 8331A162B05A8581EA10DB65E900179B7A1FB45FF8B509336DE7D07BD8DE3CE091C301
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CreateCurrentMutexProcess
    • String ID: Local\SM0:%d:%d:%hs$wil
    • API String ID: 3937467467-2303653343
    • Opcode ID: 1ac1e5daa802867f0d297b9617db5162381fd7c97ecd129e47ec86362a9d0668
    • Instruction ID: 00c9d7dcb0355d211d41addab961dfe6ccc51209c2acc0ac39ae7a971ce7637b
    • Opcode Fuzzy Hash: 1ac1e5daa802867f0d297b9617db5162381fd7c97ecd129e47ec86362a9d0668
    • Instruction Fuzzy Hash: 7241523261CA4186E710EB21E4407AAB3A0FF98784FC05132EA8E87B55DF7CE555C751
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memmove$Xlength_error@std@@
    • String ID: vector<T> too long
    • API String ID: 1743304318-3788999226
    • Opcode ID: ca11bb53e2e9e4cb5b149b0ae1a4b14ffd52ab9b5dcab0b90a5aa20ccf5a1832
    • Instruction ID: bf545e6db3c0993ef95ad687242893419e7dddc501b2d61378226aba43c9c900
    • Opcode Fuzzy Hash: ca11bb53e2e9e4cb5b149b0ae1a4b14ffd52ab9b5dcab0b90a5aa20ccf5a1832
    • Instruction Fuzzy Hash: CC31AC72718AC981CE04EFA6E8445AAA760F749FE4B948636DF6D17BD4CF38E061C305
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?_Xlength_error@std@@YAXPEBD@Z.MSVCP_WIN(?,00000000,?,00007FF7E08805BA), ref: 00007FF7E088036B
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,?,00007FF7E08805BA), ref: 00007FF7E08803DA
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,?,00007FF7E08805BA), ref: 00007FF7E08803EE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memmove$Xlength_error@std@@
    • String ID: vector<T> too long
    • API String ID: 1743304318-3788999226
    • Opcode ID: 5fe292c950ec2564095dffa19dec810ce4ba81e6c88e980435e5ae4fa8fbf61f
    • Instruction ID: 5ce9a038455ecb0f18d4d14449b5cc8be13444fa878f67d57e331ee3329e27a5
    • Opcode Fuzzy Hash: 5fe292c950ec2564095dffa19dec810ce4ba81e6c88e980435e5ae4fa8fbf61f
    • Instruction Fuzzy Hash: D521D123608BC582DB50EFA6E44407DA7A0FB45FD8BA48136DE6D17B99CE3CE052C311
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • onecore\windows\core\console\open\src\renderer\vt\state.cpp, xrefs: 00007FF7E0865F4C
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: _scwprintf_vsnwprintf_smemset
    • String ID: onecore\windows\core\console\open\src\renderer\vt\state.cpp
    • API String ID: 2187233866-1242362329
    • Opcode ID: 0534295f1e4cf70684d08c6f7ccdf6c10796c4a4be4332d8fbb1a7434c93f6ef
    • Instruction ID: e31bf73747f27d10c437d020a4301d86458d63ddc967007d34edaef903124455
    • Opcode Fuzzy Hash: 0534295f1e4cf70684d08c6f7ccdf6c10796c4a4be4332d8fbb1a7434c93f6ef
    • Instruction Fuzzy Hash: F1210432B09B4281FA00FB56B844AB9A351AF84BD0F954137EE4D07B91DF3CF4618711
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • onecore\windows\core\console\open\src\renderer\gdi\state.cpp, xrefs: 00007FF7E08896FE
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: DeleteObject
    • String ID: onecore\windows\core\console\open\src\renderer\gdi\state.cpp
    • API String ID: 1531683806-181080528
    • Opcode ID: 465b39cd52213b139b9236a39b353cfa7278afff628603bdb8fbb05a0891b044
    • Instruction ID: 7353d90a151fe73cdc734a872a53581ebdd2eb3a7012a4f48a4eb2e6451042f9
    • Opcode Fuzzy Hash: 465b39cd52213b139b9236a39b353cfa7278afff628603bdb8fbb05a0891b044
    • Instruction Fuzzy Hash: A931A732619A4686EB10AF51D0503B8A760FF94F98F884232DE4D8B795CF38F065C732
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memmove$Xlength_error@std@@
    • String ID: vector<T> too long
    • API String ID: 1743304318-3788999226
    • Opcode ID: ac66d28fb5dcdb0df4219b9a9e30411432e5cf186c9a4bd56d8d444e0de5a3cf
    • Instruction ID: 4bafe69226ae210c435e1862a19136ffe940e487b4d2364dee6997d29490f185
    • Opcode Fuzzy Hash: ac66d28fb5dcdb0df4219b9a9e30411432e5cf186c9a4bd56d8d444e0de5a3cf
    • Instruction Fuzzy Hash: C621B222718AC581DE00DB66F8445A9E7A0F759FE8B848233EE6D177D9CF38E155C301
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?_Xlength_error@std@@YAXPEBD@Z.MSVCP_WIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7E087D3FF), ref: 00007FF7E087FB73
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7E087D3FF), ref: 00007FF7E087FBDB
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7E087D3FF), ref: 00007FF7E087FBF1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memmove$Xlength_error@std@@
    • String ID: vector<T> too long
    • API String ID: 1743304318-3788999226
    • Opcode ID: d79f096436f27c39aa00e89a8b41da4bd81b8806b061882445443b32d41d2f50
    • Instruction ID: 578213906093f16d6701d499dd114e5b13bdd0c6ed5b040602588bab2d2403bb
    • Opcode Fuzzy Hash: d79f096436f27c39aa00e89a8b41da4bd81b8806b061882445443b32d41d2f50
    • Instruction Fuzzy Hash: A721B262614A8581DA00EB66E8441A9A790FB49BF8B948732EE7C177D6DF38E1A1C301
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?_Xlength_error@std@@YAXPEBD@Z.MSVCP_WIN(?,?,?,?,?,?,?,00007FF7E088639F), ref: 00007FF7E08857D8
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,00007FF7E088639F), ref: 00007FF7E0885852
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF7E088639F), ref: 00007FF7E0885864
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xlength_error@std@@memmovememset
    • String ID: vector<T> too long
    • API String ID: 1954582803-3788999226
    • Opcode ID: 34522a61d8399e3af1692f69cfd38b6ec49ccd941b4f5f339f295468e39a4d6a
    • Instruction ID: 9f1395019885079e13093a7703cb080f966da358407f0bae89530fdba84cabb7
    • Opcode Fuzzy Hash: 34522a61d8399e3af1692f69cfd38b6ec49ccd941b4f5f339f295468e39a4d6a
    • Instruction Fuzzy Hash: BC21CF62B18A8481DA10EB66A9000BAE760FB45FE0B948337DABD57BD4CF7CE0618350
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?_Xlength_error@std@@YAXPEBD@Z.MSVCP_WIN(?,?,?,?,?,?,?,00007FF7E088639F), ref: 00007FF7E08856C0
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,00007FF7E088639F), ref: 00007FF7E0885738
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF7E088639F), ref: 00007FF7E088574A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xlength_error@std@@memmovememset
    • String ID: vector<T> too long
    • API String ID: 1954582803-3788999226
    • Opcode ID: 817e659930ab263358c2f5a3c52ded7d0961b5ca94fa83cb9ec03ef62c2921b1
    • Instruction ID: ff23785511be53cae3894b644f10a876504f9bbd2f8537dead457f4420fd1bea
    • Opcode Fuzzy Hash: 817e659930ab263358c2f5a3c52ded7d0961b5ca94fa83cb9ec03ef62c2921b1
    • Instruction Fuzzy Hash: C5219262705A8481DA20DB56A9100AAE761F745FE0B948737DBBD57BD4DE7CE0518301
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?_Xlength_error@std@@YAXPEBD@Z.MSVCP_WIN(?,?,?,00007FF7E08870BD,?,?,?,?,?,?,?,00000000,?,00007FF7E0886371), ref: 00007FF7E08858F0
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7E08870BD,?,?,?,?,?,?,?,00000000,?,00007FF7E0886371), ref: 00007FF7E088594C
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E08870BD,?,?,?,?,?,?,?,00000000,?,00007FF7E0886371), ref: 00007FF7E088595E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xlength_error@std@@memmovememset
    • String ID: vector<T> too long
    • API String ID: 1954582803-3788999226
    • Opcode ID: a21047738fcf2c33d8fd9ecf82878716fff406830476c2378074e14deaa61d1d
    • Instruction ID: 6b8f7364e3b9d98a916831d2fe8bc54b0f2c0a3e9785ffd5b5ae681c0ae99dab
    • Opcode Fuzzy Hash: a21047738fcf2c33d8fd9ecf82878716fff406830476c2378074e14deaa61d1d
    • Instruction Fuzzy Hash: 0D21AE32619A8481EB00EF65E50016DB7A5FB88FE47908237DA6C17B98DF3CE0628311
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xlength_error@std@@memmovememset
    • String ID: vector<T> too long
    • API String ID: 1954582803-3788999226
    • Opcode ID: 2c8d6599c73a1154bd10e1b7d57d41d53130b6c38565220439def9d1e7870d25
    • Instruction ID: d6031a25052091759e4aa2f3ddeca6d5e1bf3da3e3687b55abbde39dfa055637
    • Opcode Fuzzy Hash: 2c8d6599c73a1154bd10e1b7d57d41d53130b6c38565220439def9d1e7870d25
    • Instruction Fuzzy Hash: B521C262709A8081DA14DB6AE9400B9E760FB45FE4B944737DBAD17BC4DE7CE1618310
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,00007FF7E08578DD,?,?,?,00007FF7E081FCFE), ref: 00007FF7E0820B6A
    • _o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,00007FF7E081F836), ref: 00007FF7E0820B8C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: _o_terminate
    • String ID: onecore\windows\core\console\open\src\renderer\base\renderer.cpp$onecore\windows\core\console\open\src\types\viewport.cpp
    • API String ID: 882196631-4274426706
    • Opcode ID: 6ff11addec043debe3cfcdaa0282ebe8a6e3421852f5dcbd5dfcad4d8e6325e1
    • Instruction ID: 6cf73d136d4ccac2d93a0c46579833b9e1269b2e83559b9cb88eb4fde94ea60c
    • Opcode Fuzzy Hash: 6ff11addec043debe3cfcdaa0282ebe8a6e3421852f5dcbd5dfcad4d8e6325e1
    • Instruction Fuzzy Hash: 7721A731E08B4BC2E720BB54A4442A99724FBA8758FE44233D64C17F65DE3CF6A58321
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: AddressAdjustProcRectWindow
    • String ID: AdjustWindowRectExForDpi
    • API String ID: 1468628330-2659676865
    • Opcode ID: dfe8ed26ccaeb82f883efdb104d4e9128cb7bd261fe8d8bcc86d55da8266976e
    • Instruction ID: 8cd6096e43c796538c81baff49b507f1fd4f0672d6c9c3df525f02bed1103f6d
    • Opcode Fuzzy Hash: dfe8ed26ccaeb82f883efdb104d4e9128cb7bd261fe8d8bcc86d55da8266976e
    • Instruction Fuzzy Hash: 54214F35A0DA5296E710AB15A800739FBA0FB9AB84FD44032D94D47B64CF3CF461DB21
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _o_wcscpy_s.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,00007FF7E07F4BFA), ref: 00007FF7E07F5CF5
    • _o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,00007FF7E07F4BFA), ref: 00007FF7E081C08A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: _o_terminate_o_wcscpy_s
    • String ID: __DefaultTTFont__$onecore\windows\core\console\open\src\renderer\base\renderer.cpp
    • API String ID: 1762320008-1480924436
    • Opcode ID: e7f67eefd72b822ae0c845b46a20c0f35f4c76835fc42122b955d5a5104ef11e
    • Instruction ID: aaf99f0cc309c831d00aa0586f15270b048af30a09061c56d5b874fbd96f990e
    • Opcode Fuzzy Hash: e7f67eefd72b822ae0c845b46a20c0f35f4c76835fc42122b955d5a5104ef11e
    • Instruction Fuzzy Hash: F0211972508741DAE7009F24E004399BBA0FB48B4CF94453ADB880B76ADBB9E169CB61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CursorDestroyXout_of_range@std@@
    • String ID: invalid deque<T> subscript$onecore\windows\core\console\open\src\interactivity\win32\icon.cpp
    • API String ID: 4209192844-1509472713
    • Opcode ID: 4d4b065a0e086f9a4aa2fe284d66a17472bf7719c4109242def29a7cbf9b1dcd
    • Instruction ID: e46f1d32de0e1c6258cf0720c3af961093d8b1e5061e871e80d7d9a00c819e7b
    • Opcode Fuzzy Hash: 4d4b065a0e086f9a4aa2fe284d66a17472bf7719c4109242def29a7cbf9b1dcd
    • Instruction Fuzzy Hash: 78110A72A06A46C5EF19AB59D4603B8B7A0FF98B88F944537CA1D53350CF3CE4658312
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreateThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,?,?,?,?,?,?,00007FF7E080110C), ref: 00007FF7E0817CB1
    • SetThreadDescription.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-3(?,?,?,?,?,?,?,?,?,?,00007FF7E080110C), ref: 00007FF7E0817CF2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Thread$CreateDescription
    • String ID: Host Signal Handler Thread$onecore\windows\core\console\open\src\interactivity\base\hostsignalinputthread.cpp
    • API String ID: 1572939561-3636843087
    • Opcode ID: 05a15f5b649f8f41e1f7fb400bdca53d171c26ca487898e89c49452f5584f64b
    • Instruction ID: 7e642c881fa7091716bc016c1500093fa2cf02f7af6089c8f0106ffd8504e882
    • Opcode Fuzzy Hash: 05a15f5b649f8f41e1f7fb400bdca53d171c26ca487898e89c49452f5584f64b
    • Instruction Fuzzy Hash: D5019266A18A0386FB00AB10E4107B5A7A1BF98B94FD48433C94E87754CF3CF165C722
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: MonitorWindow$FromInfoRect
    • String ID: (
    • API String ID: 1973172141-3887548279
    • Opcode ID: f0b1d1e8fd30342a5bba7561a028de92a06d02729235c11ab45030191d2f521b
    • Instruction ID: e1e2303aa6ad98924ec25b8d5d09e51638d91723673a5cca9deaa1aa622de1f7
    • Opcode Fuzzy Hash: f0b1d1e8fd30342a5bba7561a028de92a06d02729235c11ab45030191d2f521b
    • Instruction Fuzzy Hash: D9018662D1978586FB549B20E04427AE760FBE9B48F446226DE8D06315DF3CE0D5CB12
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memmove
    • String ID:
    • API String ID: 2162964266-0
    • Opcode ID: 26b66c48060921c89e964ad289f2ccbd4ac3545894f75dcc05ede4bd70e339e7
    • Instruction ID: cdf918ed1c7607232400c1f65f121d0383793ed321383c0ce7849ea94197da7f
    • Opcode Fuzzy Hash: 26b66c48060921c89e964ad289f2ccbd4ac3545894f75dcc05ede4bd70e339e7
    • Instruction Fuzzy Hash: 1951F662B096C282DE20DE66E4052BAE790FB44BD4F588133CF9E57BA9DF3CE4518311
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _o_towupper.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,?,?,00007FF7E0834B9D), ref: 00007FF7E0834ED0
    • _o_towupper.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,?,?,00007FF7E0834B9D), ref: 00007FF7E0834EEE
    • _o_towupper.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,?,?,00007FF7E0834B9D), ref: 00007FF7E0834F0C
    • _o_towupper.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,?,?,00007FF7E0834B9D), ref: 00007FF7E0834F2A
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: _o_towupper
    • String ID:
    • API String ID: 3866689482-0
    • Opcode ID: 0a2e8564e7a4e36e1d46d29561d14008382f1a4eb2758f1f6a4e2d4450d74877
    • Instruction ID: d085a64f7ececa88fbf50c89fd8a0bd529910216829b7e479a19d78711d10758
    • Opcode Fuzzy Hash: 0a2e8564e7a4e36e1d46d29561d14008382f1a4eb2758f1f6a4e2d4450d74877
    • Instruction Fuzzy Hash: 9F519222E18A6685FB10AB15D8403BDA371FB94B48F84A132DF4D17795EF3CB5A4C361
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalEnterSection
    • String ID: Ground$onecore\windows\core\console\open\src\host\getset.cpp
    • API String ID: 1904992153-3105179758
    • Opcode ID: 88212eb62bd6bf02725f51b06932c0a3e15bfbf10a9b265304e64d5665572eb1
    • Instruction ID: 7501389e81226dffc1e7fa6658f86a747ed29e22748923b341cfd5603e25537d
    • Opcode Fuzzy Hash: 88212eb62bd6bf02725f51b06932c0a3e15bfbf10a9b265304e64d5665572eb1
    • Instruction Fuzzy Hash: 1F51AE65E0C64299FF64BB21A440379ABA4AF59794FD45133CA0E073A5CE3CF8709732
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000001,?,00000000,00007FF7E0875ED6,?,?,?,?,00000000,00007FF7E0824487), ref: 00007FF7E0802BFC
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000001,?,00000000,00007FF7E0875ED6,?,?,?,?,00000000,00007FF7E0824487), ref: 00007FF7E08212C1
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00000001,?,00000000,00007FF7E0875ED6,?,?,?,?,00000000,00007FF7E0824487), ref: 00007FF7E0821353
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalLeaveSection$CloseHandle
    • String ID: onecore\windows\core\console\open\src\host\input.cpp
    • API String ID: 3647471834-1659879473
    • Opcode ID: e2dc0b69ee529b19067d720e71539113908e6aac7d6b0ac7bb4699bd937bd2f1
    • Instruction ID: a8029066e9ab52550a2af7d63d9e792457487a01ac1e4f623faf42f2a4ffc10f
    • Opcode Fuzzy Hash: e2dc0b69ee529b19067d720e71539113908e6aac7d6b0ac7bb4699bd937bd2f1
    • Instruction Fuzzy Hash: 61419E35A0864286FA20EF25E45437AE7A1FF65B94FD04132DA4D43BA5CE3CF4258722
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E088A910: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7E088A970
    • _o_calloc.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0877509), ref: 00007FF7E0889D8B
    • _o_calloc.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0877509), ref: 00007FF7E0889DB9
    • _o_calloc.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0877509), ref: 00007FF7E0889DED
    • _o_calloc.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0877509), ref: 00007FF7E0889E0E
      • Part of subcall function 00007FF7E088AC1C: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E088ABE4), ref: 00007FF7E088AC96
      • Part of subcall function 00007FF7E088AC1C: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E088ABE4), ref: 00007FF7E088ACB4
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: _o_calloc$Heap$Free$Alloc
    • String ID:
    • API String ID: 2629698466-0
    • Opcode ID: d31677bb11ee4fb32328e293b12ca9f0600390006ff5caf3a6d6ac6654ab59a4
    • Instruction ID: 5442f1c39580ee737d09cbf85b377d2192cd72104c6150d2dd302e64df4f86ed
    • Opcode Fuzzy Hash: d31677bb11ee4fb32328e293b12ca9f0600390006ff5caf3a6d6ac6654ab59a4
    • Instruction Fuzzy Hash: 8F41D132608B42C6EB14EF11E440279BBA0FB49F94B989132DF5E5B790CF79E861C365
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF7E07FA612), ref: 00007FF7E07FBA67
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF7E07FA612), ref: 00007FF7E081E45F
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00000000,00007FF7E07FA612), ref: 00007FF7E081E4F1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalLeaveSection$CloseHandle
    • String ID: onecore\windows\core\console\open\src\host\input.cpp
    • API String ID: 3647471834-1659879473
    • Opcode ID: 8d7cc261953b2286dd5d48e0e15b69c74ec6ccd383cf60fd6b7a9eb00a9e947b
    • Instruction ID: 9839c1d299ba28edb728222345e1c4a7531d60d09d270e32e00ccf226a9aa1e2
    • Opcode Fuzzy Hash: 8d7cc261953b2286dd5d48e0e15b69c74ec6ccd383cf60fd6b7a9eb00a9e947b
    • Instruction Fuzzy Hash: 1641A135B08A0286F620AF15E444379EB90FF99B94FC04232DE4D537A9CE3CF4618726
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: default_delete$CriticalEnterSection
    • String ID:
    • API String ID: 739439809-0
    • Opcode ID: 0e3a6a151d95a38910e8470d6ed94dbc7687136a5009f3ca37cca61ef23b2ca2
    • Instruction ID: 0add3de96749c9a540f3071f9d609a242a64e45b6f176f7d209c97223d4a3f80
    • Opcode Fuzzy Hash: 0e3a6a151d95a38910e8470d6ed94dbc7687136a5009f3ca37cca61ef23b2ca2
    • Instruction Fuzzy Hash: B8317862A0D68183FA21AB25E0413ABE3A0FB95784F945132EB8D57746DF3CE515C721
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00000000,00000000,00000000,00007FF7E08501F1), ref: 00007FF7E085056A
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00000000,00000000,00007FF7E08501F1), ref: 00007FF7E085057D
    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00000000,00000000,00000000,00007FF7E08501F1), ref: 00007FF7E08505E6
    Strings
    • onecore\windows\core\console\open\src\host\utf8towidecharparser.cpp, xrefs: 00007FF7E08505FD
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ByteCharMultiWide$ErrorLast
    • String ID: onecore\windows\core\console\open\src\host\utf8towidecharparser.cpp
    • API String ID: 1717984340-2572910317
    • Opcode ID: a82dfdec6448dfee8d531615711da9c0ee22efb983a5d8cfe60f02e57e4a11e5
    • Instruction ID: 4fe5482c84f5f04a89da26293b5bce387dbd033774f6eb235434103194a6808a
    • Opcode Fuzzy Hash: a82dfdec6448dfee8d531615711da9c0ee22efb983a5d8cfe60f02e57e4a11e5
    • Instruction Fuzzy Hash: 1D218F72A08B418AE710AF52E80026DFBA0FBD8BD4F844536EE4D53B65DF78E461CB51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: RectWindow$Empty$InfoLongMonitor$EqualFrom
    • String ID:
    • API String ID: 3368657190-0
    • Opcode ID: 49dc82c313256515491611460b89d7f42fef9167657f20c27d9934b79553b972
    • Instruction ID: 28fce7c527846167cc6983084f3042efe7dd643ab54a5f2c844b40b6594af346
    • Opcode Fuzzy Hash: 49dc82c313256515491611460b89d7f42fef9167657f20c27d9934b79553b972
    • Instruction Fuzzy Hash: EC31B572618B8287EB00AF25E440279FBA0FB89BD0B854133DA4D47B54DF3CE424CB51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _o_free.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0889E5B,?,?,?,00007FF7E0877509), ref: 00007FF7E0889C07
    • _o_free.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0889E5B,?,?,?,00007FF7E0877509), ref: 00007FF7E0889C26
    • _o_free.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0889E5B,?,?,?,00007FF7E0877509), ref: 00007FF7E0889C3A
    • _o_free.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0889E5B,?,?,?,00007FF7E0877509), ref: 00007FF7E0889C54
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: _o_free
    • String ID:
    • API String ID: 1736097121-0
    • Opcode ID: 18cc9f161fd3a264945d9532672339430a972a18d4bc4c0ee4c85333e345ad70
    • Instruction ID: 1e72b9220a9b4642d210d2220fb75fa7ec9cf3d5c1e40fe837f91eeab66371b6
    • Opcode Fuzzy Hash: 18cc9f161fd3a264945d9532672339430a972a18d4bc4c0ee4c85333e345ad70
    • Instruction Fuzzy Hash: E221ED32A04A41C2EB549F16D454338ABA1FB89F65FD84336DE6E473D4DF39E861C221
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E08596F9
    • ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E0859710
    • ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z.MSVCP_WIN ref: 00007FF7E085973A
    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP_WIN ref: 00007FF7E085974E
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?eback@?$basic_streambuf@?gbump@?$basic_streambuf@
    • String ID:
    • API String ID: 3536508186-0
    • Opcode ID: 1f1763359bcdafe3711c9531051113ce51257a2baef9e42efb58e1c297cabd03
    • Instruction ID: eac2d74ba334c2f2884cf1a396df8e77ef07d1eafc2fe98fbcb5a0ba4ea68b2c
    • Opcode Fuzzy Hash: 1f1763359bcdafe3711c9531051113ce51257a2baef9e42efb58e1c297cabd03
    • Instruction Fuzzy Hash: B9115421A18A8186E7506F25A444278FA90EB4EB60FD85232EAAD067D5CF3CF456C721
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: _o_floor$_o_terminate
    • String ID:
    • API String ID: 1703617362-0
    • Opcode ID: 1ccd3c46f1c52993795332463777db3da059fc595898edab22ace026a9d9976f
    • Instruction ID: ec5394cfa71eea716266d96a44aafaf9539f4e1d3575e3c3e24aac4802caac76
    • Opcode Fuzzy Hash: 1ccd3c46f1c52993795332463777db3da059fc595898edab22ace026a9d9976f
    • Instruction Fuzzy Hash: DD0130225681C1CED300BFB5814179CF364EF08798F548232EA089B657FB34B4A18726
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E08156D8,?,?,?,?,?,?,?,?,00007FF7E080F431), ref: 00007FF7E0815635
    • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E08156D8,?,?,?,?,?,?,?,?,00007FF7E080F431), ref: 00007FF7E0815644
    • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E08156D8,?,?,?,?,?,?,?,?,00007FF7E080F431), ref: 00007FF7E081567B
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E08156D8,?,?,?,?,?,?,?,?,00007FF7E080F431), ref: 00007FF7E081568F
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalExclusiveLockSection$AcquireEnterLeaveRelease
    • String ID:
    • API String ID: 1115728412-0
    • Opcode ID: 957058e025f2f2586605fe32f381293dd56a3aba5a0829e49609dac9d3677142
    • Instruction ID: adeafac3db17a42f7fc274ff08b2506b2437fd1bbd3b7ad61e9b7585bde0a7bd
    • Opcode Fuzzy Hash: 957058e025f2f2586605fe32f381293dd56a3aba5a0829e49609dac9d3677142
    • Instruction Fuzzy Hash: C7018062B18B82C2EA149B11E144238F760FF9EF80BD89132DE4E17714DF3CE4908711
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: C_error@std@@Throw_$Mtx_lockMtx_unlock
    • String ID:
    • API String ID: 973703179-0
    • Opcode ID: 3aa3c202e5b15ed1bcbfd8a6d68aa4a793de144a32905b4c78550d23903fa68b
    • Instruction ID: 83b47c43e2ac2f69c04d3ab3a6a4d33dafdb3dca48154c21d8ffd3ea35562d60
    • Opcode Fuzzy Hash: 3aa3c202e5b15ed1bcbfd8a6d68aa4a793de144a32905b4c78550d23903fa68b
    • Instruction Fuzzy Hash: 01010421A04B4286EB04AB21E454379EBA0FF8AB51FD99131CA0E47351DF3CF469C721
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?uncaught_exception@std@@YA_NXZ.MSVCP_WIN ref: 00007FF7E08565F5
    • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP_WIN ref: 00007FF7E0856609
    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN ref: 00007FF7E0856623
    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP_WIN ref: 00007FF7E0856642
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: U?$char_traits@$D@std@@@std@@$?rdbuf@?$basic_ios@D@std@@@2@V?$basic_streambuf@$?uncaught_exception@std@@Osfx@?$basic_ostream@
    • String ID:
    • API String ID: 1787288787-0
    • Opcode ID: 180668e569c939012f3c587a25f02c8ad867e106bc42a0a8f8c691e6055a2711
    • Instruction ID: 13bfabe263d39e124c876ba2785418950ebe675e48a518ccfbdbf4cc0aa9c089
    • Opcode Fuzzy Hash: 180668e569c939012f3c587a25f02c8ad867e106bc42a0a8f8c691e6055a2711
    • Instruction Fuzzy Hash: 5801E866604E46C6DB14AB15E494338ABA0FB8EF82795E032CA0E57325CF3CE469C321
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: C_error@std@@Throw_$Mtx_lockMtx_unlock
    • String ID:
    • API String ID: 973703179-0
    • Opcode ID: fee24b636b6697896b46d8abe2d47511341287c58640f8bfdccf4ac25e940e1c
    • Instruction ID: 5418141985ae0e2b605a0ff6c485ba94eaaf3ea16162ef8c9bbe4fdcfd69d977
    • Opcode Fuzzy Hash: fee24b636b6697896b46d8abe2d47511341287c58640f8bfdccf4ac25e940e1c
    • Instruction Fuzzy Hash: 41014F21604B4287EB546B21E80437DF6A0FF8AB81FC8A131CA5E47341DF3CE4658721
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0814DA9,?,?,?,?,?,?,?,?,?), ref: 00007FF7E0816683
    • _o__invalid_parameter_noinfo.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0814DA9,?,?,?,?,?,?,?,?,?), ref: 00007FF7E0816696
    • _o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0814DA9,?,?,?,?,?,?,?,?,?), ref: 00007FF7E08166A9
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0814DA9,?,?,?,?,?,?,?,?,?), ref: 00007FF7E08166C2
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: _o__errno$_o__invalid_parameter_noinfomemmove
    • String ID:
    • API String ID: 2571840558-0
    • Opcode ID: 90be3c5a7eea0bda27790c06953b07fc783528dd1b565281ab5077c640e10c11
    • Instruction ID: 2e8d2b67e24bca0a4ff145fb3a71d67b92b79493bd98311e91522ad0597b6145
    • Opcode Fuzzy Hash: 90be3c5a7eea0bda27790c06953b07fc783528dd1b565281ab5077c640e10c11
    • Instruction Fuzzy Hash: F9F0F890E0974786EE547BA09844779E7909F29741FD45436CD4E0A387EE3C78748632
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,00007FF7E07F6E2E), ref: 00007FF7E081C420
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FF7E07F6E2E), ref: 00007FF7E081C42E
    • DeleteObject.GDI32 ref: 00007FF7E081C43F
    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FF7E07F6E2E), ref: 00007FF7E081C44D
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ErrorLast$DeleteObject_o_terminate
    • String ID:
    • API String ID: 3671834921-0
    • Opcode ID: cc03395ad6cdc716912128db9ec960ab1e2288e1260e27081bfd36774ca31ae6
    • Instruction ID: b741c2b66f2d6807c66c0e8d79330dfc9a39d875dad412a697915bf95d6c5611
    • Opcode Fuzzy Hash: cc03395ad6cdc716912128db9ec960ab1e2288e1260e27081bfd36774ca31ae6
    • Instruction Fuzzy Hash: 44F01C31A08A42CBEA042B10E84417CEB60FB8EB46BD49572C60E02350DF3CA069C711
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID: onecore\windows\core\console\open\src\server\apidispatchers.cpp
    • API String ID: 0-3284698556
    • Opcode ID: f936ae79458f4efd643d5045bf2301a738dd9824c82ffba61fa4e19652970904
    • Instruction ID: 8c38e8fd814a55b57dff41c9229c19494a7b408b95b391a1b2fc346caeacaf3b
    • Opcode Fuzzy Hash: f936ae79458f4efd643d5045bf2301a738dd9824c82ffba61fa4e19652970904
    • Instruction Fuzzy Hash: 4512A076B08B428AEB10AF65D4403BCA7A1FB44B88F918133DA4D57799DF38F561C362
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: _o_terminate
    • String ID: onecore\windows\core\console\open\src\renderer\dx\customtextrenderer.cpp
    • API String ID: 882196631-1094745302
    • Opcode ID: 2fcc11a7708290774bf028d5b5345432a8981e027a312f193b5946a3989279ea
    • Instruction ID: 258e531e02a0173e5a0a02e6a43b5098625db6a7c5f18003ddc005c1ceb07b79
    • Opcode Fuzzy Hash: 2fcc11a7708290774bf028d5b5345432a8981e027a312f193b5946a3989279ea
    • Instruction Fuzzy Hash: 67028F32B08F8686EB10AB65E4402ADB371FB88B88F944132DE4D57B65DF38F465C761
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ArgvCommandFreeLineLocal
    • String ID: onecore\windows\core\console\open\src\host\consolearguments.cpp
    • API String ID: 1203019955-3802082478
    • Opcode ID: b6c8c666e2973443bf57e9abeed9bdc3f3bf3aed5afe4f0a8b458ee53f472e20
    • Instruction ID: 1bbc4ac44109c9530875f16a225f2dbb589d36375a85d96f1df3fadaab170d71
    • Opcode Fuzzy Hash: b6c8c666e2973443bf57e9abeed9bdc3f3bf3aed5afe4f0a8b458ee53f472e20
    • Instruction Fuzzy Hash: E4E12E62B08A429AEF10EB64D4413EDA361BF58388FD05033DA4D57B9ADF38F525C761
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E08316E8
      • Part of subcall function 00007FF7E0802BCC: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000001,?,00000000,00007FF7E0875ED6,?,?,?,?,00000000,00007FF7E0824487), ref: 00007FF7E0802BFC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID: onecore\windows\core\console\open\src\host\alias.cpp
    • API String ID: 3168844106-1127424212
    • Opcode ID: 93fa2d0f02c8afa8a8e320999b1e07d58fbca9ddc8031b81249c9e9669d0bcfe
    • Instruction ID: d298665de9ea1d8505027cf6954f4e782e0e9dba370c33c55ca0f44db96cacda
    • Opcode Fuzzy Hash: 93fa2d0f02c8afa8a8e320999b1e07d58fbca9ddc8031b81249c9e9669d0bcfe
    • Instruction Fuzzy Hash: 47D1922260DBC685EA70AB24E4513EAE360FBD9744F905132EACD53B5AEF3CE454CB11
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID: invalid string position$onecore\windows\core\console\open\src\renderer\vt\paint.cpp
    • API String ID: 0-2687595187
    • Opcode ID: 2575b854b49949d4729eb44cedd83268c9b8cde82555cef9037fc09b0d9d97ba
    • Instruction ID: b38531a800eaaabe7d5df7c8c35c65dcef2df83c47f4d110538ee21b5e07b66e
    • Opcode Fuzzy Hash: 2575b854b49949d4729eb44cedd83268c9b8cde82555cef9037fc09b0d9d97ba
    • Instruction Fuzzy Hash: 39B1D716A1C68292EA10AB35E4003FAE364FB98754F805033DA8D93795EF3CF565C722
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID: onecore\windows\core\console\open\src\server\apidispatchers.cpp
    • API String ID: 0-3284698556
    • Opcode ID: 31d2f3a65c3d7ba4057113b286be5a72a497d8e963d82bc4fcf91a435ddb88ac
    • Instruction ID: 2379192770da7dc5096bede4fe5e0cfce6fe0716e0534b857448aee95b89bd64
    • Opcode Fuzzy Hash: 31d2f3a65c3d7ba4057113b286be5a72a497d8e963d82bc4fcf91a435ddb88ac
    • Instruction Fuzzy Hash: DEA18F76B04B468AEB10AB64D8003FC67A1FB4478CF958532DE4D57799EE38E5A18322
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID: onecore\windows\core\console\open\src\server\apidispatchers.cpp
    • API String ID: 0-3284698556
    • Opcode ID: 062e961c0b42a767a611c8cc304bc9b84865ae6aae65f7d6cf4344e917694254
    • Instruction ID: 97f4006d32cedf9c7a13f9fd0fb34dde093d8fe427106911b1664bbc2e79daa7
    • Opcode Fuzzy Hash: 062e961c0b42a767a611c8cc304bc9b84865ae6aae65f7d6cf4344e917694254
    • Instruction Fuzzy Hash: 5E917176B04B468AEB109B74D8002FC67A1FB88788F958533DE4C57B59DF38E561C362
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: default_delete
    • String ID: onecore\windows\core\console\open\src\host\readdatadirect.cpp
    • API String ID: 3712186324-866399598
    • Opcode ID: 40702a7dcd8f9ccd59058cd8804d37997dd7d1a160abb02b76e421b39be6ed91
    • Instruction ID: fcf9cb7013ae36abaeb43c281b50246156db8fb4f3b58346c4c6810cedf5a994
    • Opcode Fuzzy Hash: 40702a7dcd8f9ccd59058cd8804d37997dd7d1a160abb02b76e421b39be6ed91
    • Instruction Fuzzy Hash: FB916E32508B4185EA20EB15E4513AEE7A4FB95784F904037DB8D53BA6DF3DF861C722
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID: onecore\windows\core\console\open\src\host\directio.cpp
    • API String ID: 0-2458865805
    • Opcode ID: 2357d1e325e7c0a0598c659240a6da3134c6c514f8dc77dc2075df18d5451190
    • Instruction ID: 1007f35ee49ccbd1d68acc0d622b40d3bccef6d68d16803694949be66ef94137
    • Opcode Fuzzy Hash: 2357d1e325e7c0a0598c659240a6da3134c6c514f8dc77dc2075df18d5451190
    • Instruction Fuzzy Hash: 6A91603261C69281E620EB11E0406BEF3A1FBC9794F806136EA8D53B59EF3CE655CB15
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID: invalid deque<T> subscript$onecore\windows\core\console\open\src\interactivity\win32\window.cpp
    • API String ID: 0-908316100
    • Opcode ID: caa376d4d77fc618ee5f01900fb632285f5dab8b25634dac13ab5ba65aafd90f
    • Instruction ID: d2786cfc560f5a0377cf89e8f7c8de84179a32c23126742d3bb3f7291f45a03c
    • Opcode Fuzzy Hash: caa376d4d77fc618ee5f01900fb632285f5dab8b25634dac13ab5ba65aafd90f
    • Instruction Fuzzy Hash: B8817266A19A8285EB08FFA5C4502BDB3A1FF54B58F804437EA0D47B95EF78F464C321
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?_Xlength_error@std@@YAXPEBD@Z.MSVCP_WIN(00000000,?,?,00000000,?,00007FF7E08652F1), ref: 00007FF7E081FE6F
    • _o__invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?,00000000,?,00007FF7E08652F1), ref: 00007FF7E081FEC8
      • Part of subcall function 00007FF7E080FD8C: _o_malloc.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00007FF7E080393E,?,?,?,?,00007FF7E082A040,?,?,?,?,?,?,?), ref: 00007FF7E080FDA6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xlength_error@std@@_o__invalid_parameter_noinfo_noreturn_o_malloc
    • String ID: vector<T> too long
    • API String ID: 3132977491-3788999226
    • Opcode ID: 80c951497960cd4891ecb04f2f00baf0ae1ea29444e937f70285b7a0770113fb
    • Instruction ID: 8cfd9b4b7f828452eef4e9360da61b9804abf26c811f7ba477bb40665e9df640
    • Opcode Fuzzy Hash: 80c951497960cd4891ecb04f2f00baf0ae1ea29444e937f70285b7a0770113fb
    • Instruction Fuzzy Hash: 5161C272A04B4982DE14DB19E500279A3E1FB58BD8F908632DE5D1B7A6EF7CF4A1C310
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ClientRect
    • String ID: onecore\windows\core\console\open\src\renderer\gdi\invalidate.cpp$onecore\windows\core\console\open\src\renderer\gdi\math.cpp
    • API String ID: 846599473-1022252393
    • Opcode ID: e47de121780c7d0f040a452692a9558b6e13f861b61fe627d7871cc0012473d0
    • Instruction ID: e37399b1e9ec29b8fcb5e937f750d8a9b98cb8501bd767f9d07f5b8cc6af5d74
    • Opcode Fuzzy Hash: e47de121780c7d0f040a452692a9558b6e13f861b61fe627d7871cc0012473d0
    • Instruction Fuzzy Hash: E9818732A08681CAE710EF24D0806ADB7A5FB44B48FD45136EA0E87795DB3CF961C722
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?_Xlength_error@std@@YAXPEBD@Z.MSVCP_WIN(?,?,00000000,00007FF7E07FCF29,?,?,00000000,00000000,?,?,001E0078,00000000,?,001E007823290078,00007FF7E07F59D3), ref: 00007FF7E081EB7B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xlength_error@std@@
    • String ID: vector<T> too long
    • API String ID: 1004598685-3788999226
    • Opcode ID: 951de1a6d9ea06dcb7db006de0b07bf7a060a5f502b9bb6d3b626a0bbf04b1a2
    • Instruction ID: 09b4c2e059865b314081206dc8e5e512f9da91dd1ea2d4785a4698aa199580b9
    • Opcode Fuzzy Hash: 951de1a6d9ea06dcb7db006de0b07bf7a060a5f502b9bb6d3b626a0bbf04b1a2
    • Instruction Fuzzy Hash: 5951A1B2B09B4982DE14DF19D544279A3A0FB58BD4B809732DA6E0B795EF7CF0A1C311
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF7E0817B83), ref: 00007FF7E0817E0C
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF7E0817B83), ref: 00007FF7E0817E1C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ErrorFileLastRead
    • String ID: onecore\windows\core\console\open\src\interactivity\base\hostsignalinputthread.cpp
    • API String ID: 1948546556-3640217669
    • Opcode ID: fd2c96b42c3bcc5fddc5e92b90dbc4dfd08cdbd373a58c798c3ba3b4a85bdd1f
    • Instruction ID: 57d000f2bab7731b2005aafa5b679bc6b9e007e86e2d7492ae907c2e5f09aa16
    • Opcode Fuzzy Hash: fd2c96b42c3bcc5fddc5e92b90dbc4dfd08cdbd373a58c798c3ba3b4a85bdd1f
    • Instruction Fuzzy Hash: 15518422B08A4289EB10BB65D4503B9A3A1EF48B48FD05036EA4D47B96DF3CF565C322
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?_Xout_of_range@std@@YAXPEBD@Z.MSVCP_WIN ref: 00007FF7E0847704
      • Part of subcall function 00007FF7E085A170: ?_Xout_of_range@std@@YAXPEBD@Z.MSVCP_WIN(?,?,?,00007FF7E0847645), ref: 00007FF7E085A1C4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xout_of_range@std@@
    • String ID: invalid vector<T> subscript$onecore\windows\core\console\open\src\host\screeninfo.cpp
    • API String ID: 1960685668-2524403630
    • Opcode ID: f2de62f828aa6e173bde98e35a014a80e75348baaf9da77373047cd2e9299a39
    • Instruction ID: e138f08d657b72bf3b7308ec72e5e65dbbfc8e3339b8c594a2afb03e58e74228
    • Opcode Fuzzy Hash: f2de62f828aa6e173bde98e35a014a80e75348baaf9da77373047cd2e9299a39
    • Instruction Fuzzy Hash: C051D732A14AD499E711DF69E8416E9A3B0FF98798F845122FF8C17B14EF38E596C340
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ExceptionThrowXlength_error@std@@
    • String ID: vector<T> too long
    • API String ID: 2465630161-3788999226
    • Opcode ID: afce5f52707cbeda7a51dd0faa106f2cf9b5bdd9c12d03d068b4eb5e27b7294c
    • Instruction ID: 08614707ac10c47b7aba994c531dd0cb150f00949a1f517e427ca0b39f469939
    • Opcode Fuzzy Hash: afce5f52707cbeda7a51dd0faa106f2cf9b5bdd9c12d03d068b4eb5e27b7294c
    • Instruction Fuzzy Hash: C64181B2715F4982DE14DF1AE8540AAA3E5FB48BD4B548137DE9D4B7A4EF38E052C300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,00000000,?,00007FF7E080836D), ref: 00007FF7E0808887
    • CompareStringOrdinal.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7E0808900
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CompareDirectoryOrdinalStringWindows
    • String ID: %SystemRoot%
    • API String ID: 2837938056-4275961626
    • Opcode ID: 5bc732bcb436b96198102e36ef39281611e5bf909846b75e868cfff85eb770de
    • Instruction ID: 9d24e6b9ac8af60e70bf57876dd291e718dbbf5bb5bc509d2c1e3dc0aaa79e23
    • Opcode Fuzzy Hash: 5bc732bcb436b96198102e36ef39281611e5bf909846b75e868cfff85eb770de
    • Instruction Fuzzy Hash: F6419E22B19642C2FA11BF1594003BAAAA1BF44B88FD44037DE8D07785EF7DF4A5C322
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ByteCharMultiWide
    • String ID: onecore\windows\core\console\open\src\types\convert.cpp
    • API String ID: 626452242-4041387901
    • Opcode ID: 556fb81a1586239f75fe6d00e3904eaae09d43a3f530a8023bf48048cd107811
    • Instruction ID: db3f8ab491b5e25888265af59dccc7056a4c24d40c223d767cc2f6d991771e6b
    • Opcode Fuzzy Hash: 556fb81a1586239f75fe6d00e3904eaae09d43a3f530a8023bf48048cd107811
    • Instruction Fuzzy Hash: 1B410632A08B4185E710DB65E8403A9BBA1FB887A8F945136DE9D53B99CF3CE4A1C351
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Release
    • String ID: $onecore\windows\core\console\open\src\renderer\gdi\paint.cpp
    • API String ID: 1375353473-3907913552
    • Opcode ID: 9be9f4f98344f53a14120652cd680e30dfaf3658a490294c66d2319984288d7e
    • Instruction ID: e3153f0a7f36c4f67da6f45ad631214287c21000878a02cb732adf624e468aff
    • Opcode Fuzzy Hash: 9be9f4f98344f53a14120652cd680e30dfaf3658a490294c66d2319984288d7e
    • Instruction Fuzzy Hash: DB51A132A0868686F710AF65E0407B9BBA0FB88B88F945137DA4D47765CF3CF465C721
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: FileWrite
    • String ID: onecore\windows\core\console\open\src\interactivity\onecore\coniosrvcomm.cpp$onecore\windows\core\console\open\src\renderer\wddmcon\wddmconrenderer.cpp
    • API String ID: 3934441357-3505446033
    • Opcode ID: 28a0d9db8930b9e83d2cb568f2637e4a6fda957643cbb4bc667b34b13d5b9403
    • Instruction ID: 27dd7dafaf2bf0654e2454243f9747150d3881da9b5bc544cb2a3bc12db91799
    • Opcode Fuzzy Hash: 28a0d9db8930b9e83d2cb568f2637e4a6fda957643cbb4bc667b34b13d5b9403
    • Instruction Fuzzy Hash: 7F51B622A08A4282FB50E719D444779E760EB94BA4F944333D6AD437E9DF3CF4A5C722
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID:
    • String ID: invalid deque<T> subscript
    • API String ID: 0-2228476695
    • Opcode ID: c32465e383e2c5e0a01112c40a2e6af17bc35da84f597ed5915a3e7c608b9b60
    • Instruction ID: 3676ffaa222dfbab5c2bb1d170ffa904d743eb81529b53e6f17ff7f2648e178a
    • Opcode Fuzzy Hash: c32465e383e2c5e0a01112c40a2e6af17bc35da84f597ed5915a3e7c608b9b60
    • Instruction Fuzzy Hash: 6B418AA1A1878285EE25AF159454379E7A1FF48B84FE48137C94D137A8EF3CF5708322
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • onecore\windows\core\console\open\src\server\objecthandle.cpp, xrefs: 00007FF7E08443F0
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ByteCharMultiWidedefault_deletememmove
    • String ID: onecore\windows\core\console\open\src\server\objecthandle.cpp
    • API String ID: 1922133517-459684902
    • Opcode ID: 8e1f713631cc1f6c6dceed86ca41d70ca0407c58298b84c47ef3885ee79c6052
    • Instruction ID: 0a41593f91b45ecf93d425e53d2290379137ebcb35a5880b5865c91dcd123629
    • Opcode Fuzzy Hash: 8e1f713631cc1f6c6dceed86ca41d70ca0407c58298b84c47ef3885ee79c6052
    • Instruction Fuzzy Hash: D241CA2650C7818AE711EF29A44037AFBA2FB44784F946137EA9D03796CE3CF461CB61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E083B68F
      • Part of subcall function 00007FF7E0839F94: _o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,00007FF7E0839BE9), ref: 00007FF7E0839FB7
    • _o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7E083B786
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: _o_terminate$CriticalEnterSection
    • String ID: onecore\windows\core\console\open\src\host\directio.cpp
    • API String ID: 1354191923-2458865805
    • Opcode ID: c2226e2c0dcf2ce74df08c7a8fa8c5e3789b5850acc6bfb86ccc25749755da85
    • Instruction ID: 5331689f6c0b08547f336d6394a5c727e0beaad421cd44414d7d79aab5e7ee8a
    • Opcode Fuzzy Hash: c2226e2c0dcf2ce74df08c7a8fa8c5e3789b5850acc6bfb86ccc25749755da85
    • Instruction Fuzzy Hash: A3418E22B1C78282E640AB25E4507BAE790EBD6784F945032EB8D53B56DE3CF524C622
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • onecore\windows\core\console\open\src\host\writedata.cpp, xrefs: 00007FF7E084FB34
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: default_delete
    • String ID: onecore\windows\core\console\open\src\host\writedata.cpp
    • API String ID: 3712186324-3632423436
    • Opcode ID: 85fcf6c899e0dc61e69e6cea0954e9a1cedfdfa90d649687fa540f2e32c39cb2
    • Instruction ID: efb48fac4c911c23b0b3937ec112b6e69e10edef84d71a04384d20e26b4634ac
    • Opcode Fuzzy Hash: 85fcf6c899e0dc61e69e6cea0954e9a1cedfdfa90d649687fa540f2e32c39cb2
    • Instruction Fuzzy Hash: 0641A362508B8595EA60AF15E1803A9B3A0FB48784F908136DF8D07B96DF3CE4A5CB11
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • onecore\windows\core\console\open\src\renderer\dx\dxrenderer.cpp, xrefs: 00007FF7E0881B6C
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Rect$EmptySubtract
    • String ID: onecore\windows\core\console\open\src\renderer\dx\dxrenderer.cpp
    • API String ID: 3474499642-3506895815
    • Opcode ID: c9d498d6a27276f3d9d379d09529990a3eba5e9bd269f46f75d629d6fc7a213a
    • Instruction ID: b595295d68b306dec8f47fa800bd0ebd218c7858bcc459d2ffbaaf01868e5bc4
    • Opcode Fuzzy Hash: c9d498d6a27276f3d9d379d09529990a3eba5e9bd269f46f75d629d6fc7a213a
    • Instruction Fuzzy Hash: 3541BB32A08BC287E7649B25E4403EAB7A0E789B84F949136DB9E07751DF7CF494C721
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xout_of_range@std@@
    • String ID: invalid deque<T> subscript
    • API String ID: 1960685668-2228476695
    • Opcode ID: 651c1094f6287a8ae1c6b7ae08a47b192235778b733423dc389437bee79a9740
    • Instruction ID: c23e3b50b5546e8ef4fa8e019460aa2d442a2d59c79dfc1b7c1a77579368c2ac
    • Opcode Fuzzy Hash: 651c1094f6287a8ae1c6b7ae08a47b192235778b733423dc389437bee79a9740
    • Instruction Fuzzy Hash: 38315736A15A45DAEB10AF65D4806AD73B0FB49788F801036DE0C63B65DF38E469C321
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xout_of_range@std@@
    • String ID: invalid string position$onecore\windows\core\console\open\src\host\_output.cpp
    • API String ID: 1960685668-258750115
    • Opcode ID: 0c7608319e167f2a00a6bb8d3f963bf5364201700b8c05bf38f91ab97f859ed2
    • Instruction ID: 36cf2068613d7eed0fd38716eb7102d1b3c1289b2cbe5192b3d885373eece016
    • Opcode Fuzzy Hash: 0c7608319e167f2a00a6bb8d3f963bf5364201700b8c05bf38f91ab97f859ed2
    • Instruction Fuzzy Hash: 13218D32B14A859AE700EB65D8403EDA7A0FB59788F848132DE4C23B54DF38E565C761
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _o__invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,00007FF7E080BA6F,?,?,?,?,00007FF7E080338A,?,?,00000000,00007FF7E0840271), ref: 00007FF7E0826102
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: _o__invalid_parameter_noinfo_noreturn
    • String ID: onecore\internal\minwin\priv_sdk\inc\appmodelpolicy.h$onecore\windows\core\console\conint\processpolicy.cpp
    • API String ID: 38229942-1181345395
    • Opcode ID: b2211e6f4c7de6ef34c786951b6f847564f00f3c7ae5eadf1c43561cb2c325d5
    • Instruction ID: 0c6d44e8cfe4b6ea4eb18ee9bdf1d3045008c43c3ff2128ca7423de093816bbb
    • Opcode Fuzzy Hash: b2211e6f4c7de6ef34c786951b6f847564f00f3c7ae5eadf1c43561cb2c325d5
    • Instruction Fuzzy Hash: 0E21A162E5864783FA186A259175778B690FF423B8FD05237C65E02BDACD3DF4708222
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E07F8F28: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00007FF7E07F635D,?,?,?,?,00000000,00007FF7E07F3128,?,?,00000000,00007FF7E07F2F43), ref: 00007FF7E07F8F31
    • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,00000000,00007FF7E07F3128,?,?,00000000,00007FF7E07F2F43), ref: 00007FF7E07F6382
    • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,00000000,00007FF7E07F3128,?,?,00000000,00007FF7E07F2F43), ref: 00007FF7E07F6390
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Current$Thread$Process
    • String ID: onecore\windows\core\console\open\src\interactivity\win32\windowio.cpp
    • API String ID: 3664162594-1145931909
    • Opcode ID: 6f87d51dd03eb88d6566ea3d52b00c7344ec63e68ed39a1d217927ba599edf16
    • Instruction ID: 1b2cf0a2ea0d5382e38353b6783c6830f5c55dcb7fd53f39b487433ee2f4165a
    • Opcode Fuzzy Hash: 6f87d51dd03eb88d6566ea3d52b00c7344ec63e68ed39a1d217927ba599edf16
    • Instruction Fuzzy Hash: 86218235A0C64286EA10AB15E0002B9F7B0FF98B84FA44133EA4D53756DF3CF462CB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: _o_terminatememset
    • String ID: onecore\windows\core\console\open\src\host\dbcs.cpp
    • API String ID: 1963963490-3591230717
    • Opcode ID: 2682f5e4deafb082c503c9a93db6f141e00bc98e7d386b1003f19d7d77503dc4
    • Instruction ID: 5c15321e7334df2e71aa62d71b32c3094970ee9a93bab8dc9767c54f53e53131
    • Opcode Fuzzy Hash: 2682f5e4deafb082c503c9a93db6f141e00bc98e7d386b1003f19d7d77503dc4
    • Instruction Fuzzy Hash: C3210436A08A8186EB10FF59E09523DE362FB89B94F95A037DB4E43754DF38E422C711
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memsetswprintf
    • String ID: `
    • API String ID: 3661171589-2679148245
    • Opcode ID: b0165670da96331bbdb91b9d7467daeff5a1e819b143d35306697cc8ee21aedd
    • Instruction ID: 554c62668f1f1575545f89a8481baf8931b8c00851f2d4faf8f6cb88ddabdfd6
    • Opcode Fuzzy Hash: b0165670da96331bbdb91b9d7467daeff5a1e819b143d35306697cc8ee21aedd
    • Instruction Fuzzy Hash: FD21B73261CA8581EB10AB25E4503FEA360FB88B54F804532DB9D47B95DF7CE465CB11
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • onecore\windows\core\console\open\src\interactivity\win32\windowmetrics.cpp, xrefs: 00007FF7E0822689
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: LongWindow
    • String ID: onecore\windows\core\console\open\src\interactivity\win32\windowmetrics.cpp
    • API String ID: 1378638983-926436646
    • Opcode ID: a4b6d573f5b16623fe60c8cfc5add4e18bb71a82db521b430c711bc4c59f8489
    • Instruction ID: 2f19c30fc3d1d41a542c538529ed585bddeb1fd4de80355ec228f1a59cda0aab
    • Opcode Fuzzy Hash: a4b6d573f5b16623fe60c8cfc5add4e18bb71a82db521b430c711bc4c59f8489
    • Instruction Fuzzy Hash: 3C21C335B08A4283EB14AB16E440239E7A0FF99FD4F904236DE0D07B65CF3DE4619B15
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?_Xlength_error@std@@YAXPEBD@Z.MSVCP_WIN(?,?,?,00007FF7E0851584), ref: 00007FF7E085117B
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0851584), ref: 00007FF7E08511D1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xlength_error@std@@memmove
    • String ID: string too long
    • API String ID: 1146228739-2556327735
    • Opcode ID: 0a3b7f3ee41e008f8268290e914ef0819c4d9e3202da2d2fe4c5bd2ff86697dc
    • Instruction ID: e51db6699f6c8caca4d0416d1bbc34186b411b5f9ad82ca3d37fae34b58846eb
    • Opcode Fuzzy Hash: 0a3b7f3ee41e008f8268290e914ef0819c4d9e3202da2d2fe4c5bd2ff86697dc
    • Instruction Fuzzy Hash: 3011B132708A8185EE04EF12E900169B7A6FB44FE0F848232DF6D07B99DE7CE461C311
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xout_of_range@std@@
    • String ID: invalid vector<T> subscript
    • API String ID: 1960685668-3016609489
    • Opcode ID: 798e44e9d674955d59db1a49f2075911c5a43d9247d33ba94d718322d0a4b64e
    • Instruction ID: f32254897f8da98203ad0a014386f526474996da8699b3fff9918fdeb5bd0e04
    • Opcode Fuzzy Hash: 798e44e9d674955d59db1a49f2075911c5a43d9247d33ba94d718322d0a4b64e
    • Instruction Fuzzy Hash: FD015272B04A8A82EE04AF15E6847B8E7E5EB54FC8F98C032DE0D07754DE3CE4618711
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • onecore\windows\core\console\open\src\host\vtinputthread.cpp, xrefs: 00007FF7E0838664
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ErrorFileLastRead
    • String ID: onecore\windows\core\console\open\src\host\vtinputthread.cpp
    • API String ID: 1948546556-3316410220
    • Opcode ID: a9d8988349eae429be1a2e27f0d79c10af0b906a4c1cbf3d84babec6d9799f1e
    • Instruction ID: 7b679d7f38655fe18953876e3e57305ccdfaac3414c79a44bfa14d1d2bd88f90
    • Opcode Fuzzy Hash: a9d8988349eae429be1a2e27f0d79c10af0b906a4c1cbf3d84babec6d9799f1e
    • Instruction Fuzzy Hash: 27216331618682C6EB60AB21E4053BEB7A0FBD9784FC05136DA4D4B755DF3CE464CBA2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?_Xout_of_range@std@@YAXPEBD@Z.MSVCP_WIN(?,?,00000001,00007FF7E0834A63), ref: 00007FF7E0834387
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000001,00007FF7E0834A63), ref: 00007FF7E08343CE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xout_of_range@std@@memmove
    • String ID: invalid string position
    • API String ID: 1894236298-1799206989
    • Opcode ID: 79e48190ed937696b990e30e027891a77dd27d1db6d7f2a28a4aa7f18bf8148f
    • Instruction ID: 2537f8be4afa6965b8a3bc092a9f4e7de8a89ed6b01d237f25dcf4680a87ab8b
    • Opcode Fuzzy Hash: 79e48190ed937696b990e30e027891a77dd27d1db6d7f2a28a4aa7f18bf8148f
    • Instruction Fuzzy Hash: 5B11CE32B14B8990DE009F29E988198A3A2F758FC8BA49032DB4C07768CF3CF169C340
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?_Xout_of_range@std@@YAXPEBD@Z.MSVCP_WIN(?,?,00000001,00007FF7E0846693), ref: 00007FF7E085B59D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xout_of_range@std@@
    • String ID: invalid vector<T> subscript$onecore\windows\core\console\open\src\buffer\out\attrrow.cpp
    • API String ID: 1960685668-1249968659
    • Opcode ID: 844253ac52ffa5520eab2f99b6d94a8dfd2ee8289bb7dc2ef34484d134c9aab8
    • Instruction ID: 3bb18c784e476ed51a8dbc9c4fc667c46bc2869299161446062d1bd78d9a85c5
    • Opcode Fuzzy Hash: 844253ac52ffa5520eab2f99b6d94a8dfd2ee8289bb7dc2ef34484d134c9aab8
    • Instruction Fuzzy Hash: C811E572B14A8582CF04EF65E5545B8A7E0EBA8BC4B94D033DE4D0B749DE3CE560C721
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,00007FF7E081F836), ref: 00007FF7E0820B8C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: _o_terminate
    • String ID: onecore\windows\core\console\open\src\renderer\base\renderer.cpp$onecore\windows\core\console\open\src\types\viewport.cpp
    • API String ID: 882196631-4274426706
    • Opcode ID: 52f2c7c151fad2dc831af892f40eb9b850137629a7ae68e8853eab1621c24504
    • Instruction ID: c65bf1f322fc48ed2a3d2a82b0de7f401ee96b5caf8d03aad3db11f845b16d6e
    • Opcode Fuzzy Hash: 52f2c7c151fad2dc831af892f40eb9b850137629a7ae68e8853eab1621c24504
    • Instruction Fuzzy Hash: 2011EB31E0860BD2E710BB94A4546AD9724EFE8798FE04133D94C13F65DD3CF2668321
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E084DA2C: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E084DA70
      • Part of subcall function 00007FF7E084DA2C: _Init_thread_footer.LIBCMT ref: 00007FF7E084DA96
      • Part of subcall function 00007FF7E0810000: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803769,?,?,?,?,00007FF7E081B159), ref: 00007FF7E0810010
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,00007FF7E084DB03), ref: 00007FF7E084DC85
    • _Init_thread_footer.LIBCMT ref: 00007FF7E084DC9F
      • Part of subcall function 00007FF7E080FF98: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803790,?,?,?,?,00007FF7E081B159), ref: 00007FF7E080FFA8
      • Part of subcall function 00007FF7E080FF98: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803790,?,?,?,?,00007FF7E081B159), ref: 00007FF7E080FFE8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalSection$EnterInit_thread_footer$AddressLeaveLibraryLoadProc
    • String ID: NtOpenProcess
    • API String ID: 3281356286-3690168757
    • Opcode ID: f69586c9a2d81fc3eb902e5bf34a354c24e43ce7708fd1b04da5357c22ccc56a
    • Instruction ID: 06fd36f90ff0a4578f92a264ce4a7937aab6d63283ad46d59e55643925c4d591
    • Opcode Fuzzy Hash: f69586c9a2d81fc3eb902e5bf34a354c24e43ce7708fd1b04da5357c22ccc56a
    • Instruction Fuzzy Hash: 02111925A08B46C9EA00BB16E890365A3A0AF45B90FD84533DA5D077A5DF7CF461CB21
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,00007FF7E07F63C5,?,?,?,?,00000000,00007FF7E07F3128,?,?,00000000,00007FF7E07F2F43), ref: 00007FF7E07F6533
    • _Init_thread_footer.LIBCMT ref: 00007FF7E07F654D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: AddressInit_thread_footerProc
    • String ID: ConsoleControl
    • API String ID: 904429856-3740886617
    • Opcode ID: a7f453ff901e87697cd4bd84f2f91b95d73da567a1be98584440f059c5dbff63
    • Instruction ID: 0d24edea764b6535d0c116ae3ac4d7279c9beadf799f80282ebd97360d7c0724
    • Opcode Fuzzy Hash: a7f453ff901e87697cd4bd84f2f91b95d73da567a1be98584440f059c5dbff63
    • Instruction Fuzzy Hash: 94113A25A0CA87C5EA20AB15E840364E360FB48B94FD84137DA1D477A5DF3CF8A5CB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xout_of_range@std@@
    • String ID: invalid string position$onecore\windows\core\console\open\src\renderer\dx\customtextlayout.cpp
    • API String ID: 1960685668-2152613991
    • Opcode ID: d50fa177d57d68cdf05483b1e78aaa63beb95cc120da0380cd21aed975d0f93a
    • Instruction ID: 6a6a2b8a20e0cd3769c87204f3dc74fdfc66467250d7a3d86399cde2abd09184
    • Opcode Fuzzy Hash: d50fa177d57d68cdf05483b1e78aaa63beb95cc120da0380cd21aed975d0f93a
    • Instruction Fuzzy Hash: 9911A032A08A4386EB50AF28E444368A7A0FB94B84FD54032D60D4B765EF3CE975C361
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7E0828348
      • Part of subcall function 00007FF7E080DD64: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,00007FF7E080DD18), ref: 00007FF7E080DD7B
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E0828383
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: AddressExceptionHandleModuleProcThrow
    • String ID: RtlDllShutdownInProgress
    • API String ID: 1273124314-2005622848
    • Opcode ID: 7b25091fba79d6d2c85bf7525825f11159b8eb447402ea106c5d11ee7dc576d8
    • Instruction ID: 9024ccf8b52910e646529ff8b5e549e59897109fffe72ab6858da8430c5c7701
    • Opcode Fuzzy Hash: 7b25091fba79d6d2c85bf7525825f11159b8eb447402ea106c5d11ee7dc576d8
    • Instruction Fuzzy Hash: BDF03024E0AB02C6FE19BBA1AC953B4A3A0AF19B00FD85037CD4D06361DF3C74658732
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E084DA2C: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E084DA70
      • Part of subcall function 00007FF7E084DA2C: _Init_thread_footer.LIBCMT ref: 00007FF7E084DA96
      • Part of subcall function 00007FF7E0810000: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803769,?,?,?,?,00007FF7E081B159), ref: 00007FF7E0810010
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,00007FF7E084DB25), ref: 00007FF7E084DD49
    • _Init_thread_footer.LIBCMT ref: 00007FF7E084DD63
      • Part of subcall function 00007FF7E080FF98: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803790,?,?,?,?,00007FF7E081B159), ref: 00007FF7E080FFA8
      • Part of subcall function 00007FF7E080FF98: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803790,?,?,?,?,00007FF7E081B159), ref: 00007FF7E080FFE8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalSection$EnterInit_thread_footer$AddressLeaveLibraryLoadProc
    • String ID: NtQueryInformationProcess
    • API String ID: 3281356286-2781105232
    • Opcode ID: 8a368f7bb160db630f5f6bc80dea80493078756c35dc0347b8ee9a10d8dac79c
    • Instruction ID: ca526b514c4bf113b2735a17b0330c6b1cf3406e110cbc220c014418c47b2ead
    • Opcode Fuzzy Hash: 8a368f7bb160db630f5f6bc80dea80493078756c35dc0347b8ee9a10d8dac79c
    • Instruction Fuzzy Hash: 5B112B25A08B4286FA10AB15F850376A7A0BF45B94FD44533DA4D077A5CF3DF462CB21
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?_Xlength_error@std@@YAXPEBD@Z.MSVCP_WIN(?,?,?,00007FF7E085AA94,?,?,?,?,?,?,00000000,00000001,?,00007FF7E0855DFD), ref: 00007FF7E085ACB9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xlength_error@std@@
    • String ID: UUUUUUUU$vector<T> too long
    • API String ID: 1004598685-1961640351
    • Opcode ID: d21bdb6a11a04bc5bf8dec92e3ddd717f84cb0fbaa83c1ee2f192170330ec251
    • Instruction ID: fded5b64e2bd7427c73a32b9618611c80a19b2e6aa8e5a70a60cff2abf884afd
    • Opcode Fuzzy Hash: d21bdb6a11a04bc5bf8dec92e3ddd717f84cb0fbaa83c1ee2f192170330ec251
    • Instruction Fuzzy Hash: BD013976A05B9181DB14EF12E58022AF7B5FB59BC0B989132DA9D47B18EE3CE4A08710
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E07F6BC0), ref: 00007FF7E07F6C0E
    • _o_wcscpy_s.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E07F6BC0), ref: 00007FF7E07F6C67
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: _o_wcscpy_swcsncmp
    • String ID: __DefaultTTFont__
    • API String ID: 2955157898-894678944
    • Opcode ID: 439badd03b3ab9f446708a297ac780d270f1c6a92a11388ea119ad15094109fe
    • Instruction ID: 7e4194d2d0a057bc40d8a420c4c5f6d6d91711e356dec21ce6ece2005018018e
    • Opcode Fuzzy Hash: 439badd03b3ab9f446708a297ac780d270f1c6a92a11388ea119ad15094109fe
    • Instruction Fuzzy Hash: D8113961A08A4286FB50AB25E400379A7A0EB4DB55FC45033CA8E47762DF3DF479CB32
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E083E77F
    • IsValidCodePage.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7E083E793
      • Part of subcall function 00007FF7E0802BCC: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000001,?,00000000,00007FF7E0875ED6,?,?,?,?,00000000,00007FF7E0824487), ref: 00007FF7E0802BFC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalSection$CodeEnterLeavePageValid
    • String ID: onecore\windows\core\console\open\src\host\getset.cpp
    • API String ID: 2606172417-1703575416
    • Opcode ID: a126eadb2c6ba2e16eb676238f832a12d21c535c269bbf2bf2cc276b5ff78779
    • Instruction ID: 60af2aabad39dcd124b10578248030385915f149c5870a949fe10642e184bfa6
    • Opcode Fuzzy Hash: a126eadb2c6ba2e16eb676238f832a12d21c535c269bbf2bf2cc276b5ff78779
    • Instruction Fuzzy Hash: 1E01A221E0C203C7E7247B20A4903B9E690EFAA704FD42537D50E07382DE3CB864C632
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E083E84F
    • IsValidCodePage.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7E083E863
      • Part of subcall function 00007FF7E0802BCC: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000001,?,00000000,00007FF7E0875ED6,?,?,?,?,00000000,00007FF7E0824487), ref: 00007FF7E0802BFC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalSection$CodeEnterLeavePageValid
    • String ID: onecore\windows\core\console\open\src\host\getset.cpp
    • API String ID: 2606172417-1703575416
    • Opcode ID: 3ebe8d93e07041a40c6cf79dd9e0ff56f60d3fa1cfd4ce6b4b4e5f267b7f73d0
    • Instruction ID: bb030d9720aef5907c95d059985a428dbd07faf43a2b145ff693d8471f488522
    • Opcode Fuzzy Hash: 3ebe8d93e07041a40c6cf79dd9e0ff56f60d3fa1cfd4ce6b4b4e5f267b7f73d0
    • Instruction Fuzzy Hash: 0B018F20E08203CBF7107B60A4543B9E690EFAA704FD46537D60E033C2DE3CB8648A32
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • onecore\windows\core\console\open\src\renderer\dx\dxrenderer.cpp, xrefs: 00007FF7E0884BF3
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Rect$IntersectOffset
    • String ID: onecore\windows\core\console\open\src\renderer\dx\dxrenderer.cpp
    • API String ID: 2840374550-3506895815
    • Opcode ID: 558564877560829c95983dfdf9c63f11b6b73f98389d3e48f05b040c301d27c2
    • Instruction ID: 7ba502a25e0629189b84359731bb6d294b72433edf9b1b26a73ea55c50c469b7
    • Opcode Fuzzy Hash: 558564877560829c95983dfdf9c63f11b6b73f98389d3e48f05b040c301d27c2
    • Instruction Fuzzy Hash: CD118662918BC582E610AB64E4402FAF760FB99B48F84A232DA8D16715DF3CE195CB11
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: AddressInit_thread_footerProc
    • String ID: ConsoleControl
    • API String ID: 904429856-3740886617
    • Opcode ID: a71230bbec7c55631b59c0aa5ff82330859a80119c28394645f98aa3288d8fd2
    • Instruction ID: f40d944e2f87a6d7c29339410cf14c59523123d84e216e0dbb5ef614950bf78f
    • Opcode Fuzzy Hash: a71230bbec7c55631b59c0aa5ff82330859a80119c28394645f98aa3288d8fd2
    • Instruction Fuzzy Hash: A5113660A08A46C2FA20AB24E850378A7A4FB08789FD48137C54D467B1DF3CF5A5CB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xlength_error@std@@memset
    • String ID: vector<T> too long
    • API String ID: 1527646195-3788999226
    • Opcode ID: f4a454fcbf3dfcfd1a783a2fe7a8ed26c99f1667c9a8c8374874f177993f29d1
    • Instruction ID: fefe809b10fa10ba080692afefd64a4f0859a2c410c38e1e1e1c7815a9d44dd3
    • Opcode Fuzzy Hash: f4a454fcbf3dfcfd1a783a2fe7a8ed26c99f1667c9a8c8374874f177993f29d1
    • Instruction Fuzzy Hash: B301B572A06F4582EB04AB15E5043A8E7E0FB48BA4F988736DA2D0B794DF7CE465C710
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: AddressInit_thread_footerProc
    • String ID: TranslateMessageEx
    • API String ID: 904429856-3229300106
    • Opcode ID: dc574be43af7f285d15f131261b88bbc7baa9dc0b048400edea56cc8a45c4a3c
    • Instruction ID: dbca965a1abd5369bb4cd86e9d3a8edd0f9456fd8dc345002ac51f5a9ba8c9bb
    • Opcode Fuzzy Hash: dc574be43af7f285d15f131261b88bbc7baa9dc0b048400edea56cc8a45c4a3c
    • Instruction Fuzzy Hash: AF113C65A09A42C9EE50BB15E940374A7A1EF48784FD88133D91D4B7A1DF3CF865C722
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E084DA2C: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E084DA70
      • Part of subcall function 00007FF7E084DA2C: _Init_thread_footer.LIBCMT ref: 00007FF7E084DA96
      • Part of subcall function 00007FF7E0810000: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803769,?,?,?,?,00007FF7E081B159), ref: 00007FF7E0810010
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,00007FF7E084DB30), ref: 00007FF7E084DBD1
    • _Init_thread_footer.LIBCMT ref: 00007FF7E084DBEB
      • Part of subcall function 00007FF7E080FF98: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803790,?,?,?,?,00007FF7E081B159), ref: 00007FF7E080FFA8
      • Part of subcall function 00007FF7E080FF98: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803790,?,?,?,?,00007FF7E081B159), ref: 00007FF7E080FFE8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalSection$EnterInit_thread_footer$AddressLeaveLibraryLoadProc
    • String ID: NtClose
    • API String ID: 3281356286-218744656
    • Opcode ID: 480afb4a08e29612966375148544f08f4c86f7807d07a4d095395f08e8e1926c
    • Instruction ID: 7b140bab3279bf6704a91489f4e0769eadf73b8804d75857f5a42424fecca8e6
    • Opcode Fuzzy Hash: 480afb4a08e29612966375148544f08f4c86f7807d07a4d095395f08e8e1926c
    • Instruction Fuzzy Hash: 71010525A18A4289EA59BB15E890375B3A0EF45B94FD44137DA4D077A2DF3CF860CB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E0810000: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803769,?,?,?,?,00007FF7E081B159), ref: 00007FF7E0810010
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E0872A34
    • _Init_thread_footer.LIBCMT ref: 00007FF7E0872A4E
      • Part of subcall function 00007FF7E080FF98: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803790,?,?,?,?,00007FF7E081B159), ref: 00007FF7E080FFA8
      • Part of subcall function 00007FF7E080FF98: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803790,?,?,?,?,00007FF7E081B159), ref: 00007FF7E080FFE8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalSection$Enter$AddressInit_thread_footerLeaveProc
    • String ID: EnterReaderModeHelper
    • API String ID: 3610791082-2410284899
    • Opcode ID: 6408468371e059007db19b080bffcae9035abb3c54ebd5ce1f577aa1d0b52410
    • Instruction ID: 743e7530379746affd3f2c5ad42c8afcb05968b6d4b0e877f3f85a577902ca91
    • Opcode Fuzzy Hash: 6408468371e059007db19b080bffcae9035abb3c54ebd5ce1f577aa1d0b52410
    • Instruction Fuzzy Hash: 9F011E25A09A47C5EA54AB19E844379E3A0EF55B84FD48133D90D473A5CF3CF8A5CB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: AddressProc
    • String ID: GetWindowDPI
    • API String ID: 190572456-1607898006
    • Opcode ID: 7963cc8ae5d42a880f6f4bb4dc426fd9a7a704e189a634b7059a7bb1a62bfdf9
    • Instruction ID: fcdcd2052aaf0bf0116e5a84b28a90c867e4672f3185ba6abd7d5f182b42e99e
    • Opcode Fuzzy Hash: 7963cc8ae5d42a880f6f4bb4dc426fd9a7a704e189a634b7059a7bb1a62bfdf9
    • Instruction Fuzzy Hash: 4D010C25A0DA869AFE95AB05E840338E760AF59B80FD94037C94D06761DF3CF8B5D722
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    • onecore\windows\core\console\open\src\host\ptysignalinputthread.cpp, xrefs: 00007FF7E0838BDA
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ErrorFileLastRead
    • String ID: onecore\windows\core\console\open\src\host\ptysignalinputthread.cpp
    • API String ID: 1948546556-2623150832
    • Opcode ID: b24167ac88b1b39b30d1021e681d4306e257dd365b740657bbe55f44f84d8d54
    • Instruction ID: c3e7f020f08ea3cb58d98f232d5e2ed4f35b2553869b2969ec1a75d96991a3f8
    • Opcode Fuzzy Hash: b24167ac88b1b39b30d1021e681d4306e257dd365b740657bbe55f44f84d8d54
    • Instruction Fuzzy Hash: 5801AD62918282C7E7507B6090013BDE7A0FBC6305FC00132D64D47396CF3CF4248632
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: AddressProc
    • String ID: EnablePerMonitorDialogScaling
    • API String ID: 190572456-2779642180
    • Opcode ID: 0079fc62416a13100da5c252f56f4719a30328b533a391102aec639347d7dfaa
    • Instruction ID: 1c12988ce1792c936fdea5c984626c74fe866769d61642dae069e2bddcc797b4
    • Opcode Fuzzy Hash: 0079fc62416a13100da5c252f56f4719a30328b533a391102aec639347d7dfaa
    • Instruction Fuzzy Hash: 0C012C24E0AB42A5FB116B50E840370EB90BF29704FD94137C90D46355DF3CB8A4D632
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DeleteTimerQueueTimer.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0(?,?,?,00007FF7E082EC41,?,?,?,00007FF7E081D8A2), ref: 00007FF7E080DCCC
    Strings
    • onecore\windows\core\console\open\src\host\cursorblinker.cpp, xrefs: 00007FF7E08270D6
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Timer$DeleteQueue
    • String ID: onecore\windows\core\console\open\src\host\cursorblinker.cpp
    • API String ID: 672719580-1313982512
    • Opcode ID: 79a2b4b675a2aecf3e637692a4337ac872f0686dd98acaec53603e43800195b6
    • Instruction ID: 4475cf08754e5dc64d64d4db0b6ba5c2c1cee62d84ab81e18a0bb82688fd2923
    • Opcode Fuzzy Hash: 79a2b4b675a2aecf3e637692a4337ac872f0686dd98acaec53603e43800195b6
    • Instruction Fuzzy Hash: 8EF0626190894281F7206B65D410378E691EB49B78FD89332C97D423D0CF3CF451C636
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00007FF7E0810000: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803769,?,?,?,?,00007FF7E081B159), ref: 00007FF7E0810010
    • LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7E084DA70
    • _Init_thread_footer.LIBCMT ref: 00007FF7E084DA96
      • Part of subcall function 00007FF7E080FF98: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803790,?,?,?,?,00007FF7E081B159), ref: 00007FF7E080FFA8
      • Part of subcall function 00007FF7E080FF98: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E0803790,?,?,?,?,00007FF7E081B159), ref: 00007FF7E080FFE8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalSection$Enter$Init_thread_footerLeaveLibraryLoad_onexit
    • String ID: ntdll.dll
    • API String ID: 626564473-2227199552
    • Opcode ID: 1a2441478f73351f8d3c7c190e8b51d6d46d8c46e0357a078076099465f3c9c3
    • Instruction ID: 3fd202fc6172dd04894e49fbdac0ba6b254a76434ea89630f6c9fa3186a6fa4b
    • Opcode Fuzzy Hash: 1a2441478f73351f8d3c7c190e8b51d6d46d8c46e0357a078076099465f3c9c3
    • Instruction Fuzzy Hash: 39F0C924A18A03C5EB40FB15EC91375B3A0BB85755FC09133D50D427A2DF3CB569CB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,000001C82450C120,00007FF7E0807022), ref: 00007FF7E07F306C
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,000001C82450C120,00007FF7E0807022), ref: 00007FF7E081B15C
    Strings
    • CreateWindowsWindow failed with status 0x%x, gle = 0x%x, xrefs: 00007FF7E081B16B
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ErrorEventLast
    • String ID: CreateWindowsWindow failed with status 0x%x, gle = 0x%x
    • API String ID: 3848097054-2322296577
    • Opcode ID: 488acdefd44e3855263609e7cf5f2dc168a1e73e94e5fa4b2db815e81637fcfb
    • Instruction ID: a42a7830a67b61f3fd174a99bcb3ea9bb09c2d6ab07a2929e391eaad1ed71857
    • Opcode Fuzzy Hash: 488acdefd44e3855263609e7cf5f2dc168a1e73e94e5fa4b2db815e81637fcfb
    • Instruction Fuzzy Hash: C1E03065B0964386F9107715A401278DAA0AF89B90FD89032D90E47742DE3CF4608722
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ?_Xout_of_range@std@@YAXPEBD@Z.MSVCP_WIN(?,?,?,?,00007FF7E0820557), ref: 00007FF7E085B360
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Xout_of_range@std@@
    • String ID: VUUUUUUU$invalid vector<T> subscript
    • API String ID: 1960685668-3105710005
    • Opcode ID: 98cfa04ebded98f5afad50dee3c34c396a57aa3d8c235d8ab9d2f2bd380ad2e5
    • Instruction ID: b8cf8daf07acc1ddf551c09a5aa818be2b5f991c701035d6da6a6e1d2d91c027
    • Opcode Fuzzy Hash: 98cfa04ebded98f5afad50dee3c34c396a57aa3d8c235d8ab9d2f2bd380ad2e5
    • Instruction Fuzzy Hash: 44E086B5F11E8D82CA04AB19D845798D3A4FB69FC5BD08033DA4D17334EE3CA665C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalSection$Leave$Enter
    • String ID:
    • API String ID: 2978645861-0
    • Opcode ID: 2c716912b7d65239af87600b58851e2715fb0953455623fe2a8201c418cc0109
    • Instruction ID: 203ef2b7a14bea55b66f4cf010b7053aa678d643a6da29bb6c61d72c15a34ebc
    • Opcode Fuzzy Hash: 2c716912b7d65239af87600b58851e2715fb0953455623fe2a8201c418cc0109
    • Instruction Fuzzy Hash: 1651DB36A1C68286E750EF20E4043BAE760FB89784F858432D98D97749DF3CF855CB61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: CriticalSection$Leave$Enter
    • String ID:
    • API String ID: 2978645861-0
    • Opcode ID: 801f5be29e16ea4aa784275498de8b2104d85039a87f7e9569a178af70838083
    • Instruction ID: 1ad30747b26acc85cca6eabace535bf8b90929613c1f7626f0b1390f1c5fd623
    • Opcode Fuzzy Hash: 801f5be29e16ea4aa784275498de8b2104d85039a87f7e9569a178af70838083
    • Instruction Fuzzy Hash: 81518536618B4286E710EB15E44037AFBA0FB89B94F849132DE4E87758DF3CE465CB11
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7E08307B5
    • _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7E08307DD
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7E0830883
      • Part of subcall function 00007FF7E082B798: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP_WIN(?,?,?,?,00007FF7E0805756,?,?,?,00007FF7E080524E,?,?,?,00007FF7E0805951), ref: 00007FF7E082B7A3
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7E08308A9
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: ExceptionThrowmemmove$Xlength_error@std@@
    • String ID:
    • API String ID: 3398810815-0
    • Opcode ID: 5e962fd1f47fb9a3aff22c556befd5b7f9e177a969863d3d70beab3284f45164
    • Instruction ID: 4c501ecd911e936f2b249d2c233e3f3c7ef810792cf5c7faedc5a309deb34eaa
    • Opcode Fuzzy Hash: 5e962fd1f47fb9a3aff22c556befd5b7f9e177a969863d3d70beab3284f45164
    • Instruction Fuzzy Hash: B731D062604B4186DA04EF6298011AAA761FB84BE0B548336EF7C4B7D5DF7CE162C340
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E082205D), ref: 00007FF7E0830989
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E082205D), ref: 00007FF7E0830997
      • Part of subcall function 00007FF7E082B798: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP_WIN(?,?,?,?,00007FF7E0805756,?,?,?,00007FF7E080524E,?,?,?,00007FF7E0805951), ref: 00007FF7E082B7A3
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E082205D), ref: 00007FF7E08309B8
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E082205D), ref: 00007FF7E08309C6
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memmove$Xlength_error@std@@
    • String ID:
    • API String ID: 1743304318-0
    • Opcode ID: 1953338d2aa590173cdd92cc2939d58181b20cc250aae4e9ece25f184d8ebad0
    • Instruction ID: 750c491d253ac456526d2f0ecfc2490548067af7e35a0b10877c6536dd18c0e5
    • Opcode Fuzzy Hash: 1953338d2aa590173cdd92cc2939d58181b20cc250aae4e9ece25f184d8ebad0
    • Instruction Fuzzy Hash: FA21BC62704B4591EA00EF26A8051AAB765FB54BF0B904333EEBD4B7D6DE7CF0628315
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,?,00007FF7E085930A,?,?,?,?,?,00007FF7E0855124), ref: 00007FF7E0855AD8
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,?,00007FF7E085930A,?,?,?,?,?,00007FF7E0855124), ref: 00007FF7E0855AE6
      • Part of subcall function 00007FF7E082B798: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP_WIN(?,?,?,?,00007FF7E0805756,?,?,?,00007FF7E080524E,?,?,?,00007FF7E0805951), ref: 00007FF7E082B7A3
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,?,00007FF7E085930A,?,?,?,?,?,00007FF7E0855124), ref: 00007FF7E0855B00
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,?,00007FF7E085930A,?,?,?,?,?,00007FF7E0855124), ref: 00007FF7E0855B0E
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memmove$Xlength_error@std@@
    • String ID:
    • API String ID: 1743304318-0
    • Opcode ID: 017907326591f0d0520ab236c7cb43a94def5834a608b486f2ac3cbead44069b
    • Instruction ID: df621daa690374c6e8824256c3707c76b1e33e94e8690cc241bd802cc4f1f596
    • Opcode Fuzzy Hash: 017907326591f0d0520ab236c7cb43a94def5834a608b486f2ac3cbead44069b
    • Instruction Fuzzy Hash: BF21D422608B8181DA10EF13A4412AAE751FB45FD0F844232DFAC0BB86CF7CF0628305
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0879CDF,?,?,?,?,?,00007FF7E08791B3), ref: 00007FF7E0878E88
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7E0879CDF,?,?,?,?,?,00007FF7E08791B3), ref: 00007FF7E0878E95
      • Part of subcall function 00007FF7E082B798: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP_WIN(?,?,?,?,00007FF7E0805756,?,?,?,00007FF7E080524E,?,?,?,00007FF7E0805951), ref: 00007FF7E082B7A3
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0879CDF,?,?,?,?,?,00007FF7E08791B3), ref: 00007FF7E0878EAF
    • memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7E0879CDF,?,?,?,?,?,00007FF7E08791B3), ref: 00007FF7E0878EBC
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memmovememset$Xlength_error@std@@
    • String ID:
    • API String ID: 4052520723-0
    • Opcode ID: 4c212326328f763e9787aafb0bb695f6ca2f842879b98c4516e607046bde80b4
    • Instruction ID: d7c400126e88bb263651272fdfd8850b534ec6bbca30c4361fa7f7be29e336f5
    • Opcode Fuzzy Hash: 4c212326328f763e9787aafb0bb695f6ca2f842879b98c4516e607046bde80b4
    • Instruction Fuzzy Hash: A121D422608B4181EA04EF5795452AEA755FB85FE0B884232DF9C17B96CF7CF0628302
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0859507), ref: 00007FF7E0855C70
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0859507), ref: 00007FF7E0855C7F
      • Part of subcall function 00007FF7E082B798: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP_WIN(?,?,?,?,00007FF7E0805756,?,?,?,00007FF7E080524E,?,?,?,00007FF7E0805951), ref: 00007FF7E082B7A3
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0859507), ref: 00007FF7E0855C92
    • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7E0859507), ref: 00007FF7E0855CA1
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: memmove$Xlength_error@std@@
    • String ID:
    • API String ID: 1743304318-0
    • Opcode ID: b8113094cf135a0732a3d3e2425324adbc35465e090a28326cb28a86abdd2036
    • Instruction ID: ef1acf91cf6fa63b83a045829016368f0345ae5b87587e123763d8f6948acf57
    • Opcode Fuzzy Hash: b8113094cf135a0732a3d3e2425324adbc35465e090a28326cb28a86abdd2036
    • Instruction Fuzzy Hash: D8116D32608B41C5EA00EF12A5411AAA765FB45BD0B944633EEAD17B9ADF3CF1528311
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,000001C8244F6718,00007FF7E0827503,?,?,?,00007FF7E0827FDB,?,?,?,?,?,00007FF7E080F3ED), ref: 00007FF7E082772A
    • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,000001C8244F6718,00007FF7E0827503,?,?,?,00007FF7E0827FDB,?,?,?,?,?,00007FF7E080F3ED), ref: 00007FF7E082773E
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,000001C8244F6718,00007FF7E0827503,?,?,?,00007FF7E0827FDB,?,?,?,?,?,00007FF7E080F3ED), ref: 00007FF7E0827762
    • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,000001C8244F6718,00007FF7E0827503,?,?,?,00007FF7E0827FDB,?,?,?,?,?,00007FF7E080F3ED), ref: 00007FF7E0827776
    Memory Dump Source
    • Source File: 00000000.00000002.2850072644.00007FF7E07F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E07F0000, based on PE: true
    • Associated: 00000000.00000002.2850058983.00007FF7E07F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850126338.00007FF7E088C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B1000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850150343.00007FF7E08B5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e07f0000_conhost[1].jbxd
    Similarity
    • API ID: Heap$FreeProcess
    • String ID:
    • API String ID: 3859560861-0
    • Opcode ID: f7b5aed4725566fb19b2371a8865856982d53bdb2b3084854420066a7382e902
    • Instruction ID: 6538b9e3f41b601472796e7eb2f81fb62f9216e672b07cb3c97d1d2cc8ad2227
    • Opcode Fuzzy Hash: f7b5aed4725566fb19b2371a8865856982d53bdb2b3084854420066a7382e902
    • Instruction Fuzzy Hash: 5811DA36604F81CAD7149F12E4401A9BBB4F789F81B999126DB8E27715CF38E566C710
    Uniqueness

    Uniqueness Score: -1.00%