Edit tour

Windows Analysis Report
dpnhupnp.dll

Overview

General Information

Sample Name:	dpnhupnp.dll
Analysis ID:	579430
MD5:	cf22fca6a1c8035cb38867787f16be21
SHA1:	85cae7532a21983295a2c0aad5889e8dbd024c9f
SHA256:	3a52c4f27db221ed975af3d38ac4b9060203b9c6fb3532cdc61b969e21ca666c
Tags:	dlldridexexe
Infos:

Detection

Dridex

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes memory attributes in foreign processes to executable or writable

Machine Learning detection for sample

Queues an APC in another process (thread injection)

Sigma detected: Suspicious Call by Ordinal

Machine Learning detection for dropped file

Uses Atom Bombing / ProGate to inject into other processes

Uses a Windows Living Off The Land Binaries (LOL bins)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Queries the installation date of Windows

Detected potential crypto function

Found potential string decryption / allocating functions

Stores files to the Windows start menu directory

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality for execution timing, often used to detect debuggers

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Found evasive API chain checking for process token information

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to launch a program with higher privileges

Binary contains a suspicious time stamp

PE file contains more sections than normal

Contains functionality to retrieve information about pressed keystrokes

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to simulate mouse events

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 4592 cmdline: loaddll64.exe "C:\Users\user\Desktop\dpnhupnp.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)

cmd.exe (PID: 4532 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dpnhupnp.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 4356 cmdline: rundll32.exe "C:\Users\user\Desktop\dpnhupnp.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 2332 cmdline: rundll32.exe C:\Users\user\Desktop\dpnhupnp.dll,GetFileVersionInfoA MD5: 73C519F050C20580F8A62C849D49215A)

explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

DisplaySwitch.exe (PID: 2172 cmdline: C:\Windows\system32\DisplaySwitch.exe MD5: 97411B8A84E5980E509E500C3209E5C0)

DisplaySwitch.exe (PID: 1740 cmdline: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe MD5: 97411B8A84E5980E509E500C3209E5C0)

wusa.exe (PID: 5472 cmdline: C:\Windows\system32\wusa.exe MD5: 04CE745559916B99248F266BBF5F9ED9)

GamePanel.exe (PID: 4868 cmdline: C:\Windows\system32\GamePanel.exe MD5: 4EF330EFAE954723B1F2800C15FDA7EB)

GamePanel.exe (PID: 5712 cmdline: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe MD5: 4EF330EFAE954723B1F2800C15FDA7EB)

msdt.exe (PID: 4792 cmdline: C:\Windows\system32\msdt.exe MD5: 8BE43BAF1F37DA5AB31A53CA1C07EE0C)

msdt.exe (PID: 4796 cmdline: C:\Users\user\AppData\Local\1XXGC21\msdt.exe MD5: 8BE43BAF1F37DA5AB31A53CA1C07EE0C)

cmstp.exe (PID: 6272 cmdline: C:\Windows\system32\cmstp.exe MD5: 2A9828E0C405422D166E0141054A04B3)

cmstp.exe (PID: 6384 cmdline: C:\Users\user\AppData\Local\M4eXJF\cmstp.exe MD5: 2A9828E0C405422D166E0141054A04B3)

PresentationHost.exe (PID: 4516 cmdline: C:\Windows\system32\PresentationHost.exe MD5: E3053C73EA240F4C2F7971B3905A91CF)

PresentationHost.exe (PID: 2208 cmdline: C:\Users\user\AppData\Local\a6o\PresentationHost.exe MD5: E3053C73EA240F4C2F7971B3905A91CF)

cmstp.exe (PID: 2880 cmdline: C:\Windows\system32\cmstp.exe MD5: 2A9828E0C405422D166E0141054A04B3)

cmstp.exe (PID: 5004 cmdline: C:\Users\user\AppData\Local\96P3D\cmstp.exe MD5: 2A9828E0C405422D166E0141054A04B3)

rundll32.exe (PID: 5880 cmdline: rundll32.exe C:\Users\user\Desktop\dpnhupnp.dll,GetFileVersionInfoByHandle MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 7008 cmdline: rundll32.exe C:\Users\user\Desktop\dpnhupnp.dll,GetFileVersionInfoExA MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.278695271.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000003.00000002.357902587.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000018.00000002.424452492.00007FFC6F9E1000.00000020.00000001.01000000.0000000A.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000014.00000002.392236668.00007FFC6F9E1000.00000020.00000001.01000000.00000008.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000020.00000002.463842556.00007FFC6E2A1000.00000020.00000001.01000000.0000000C.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000023.00000002.491431291.00007FFC7C2F1000.00000020.00000001.01000000.0000000E.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000026.00000002.520892941.00007FFC7C2F1000.00000020.00000001.01000000.00000010.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000028.00000002.548047896.00007FFC7C2F1000.00000020.00000001.01000000.00000012.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000000E.00000002.293533164.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000009.00000002.285131581.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
35.2.cmstp.exe.7ffc7c2f0000.3.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
38.2.PresentationHost.exe.7ffc7c2f0000.3.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
3.2.rundll32.exe.7ffc6f9e0000.2.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
4.2.rundll32.exe.7ffc6f9e0000.2.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
20.2.DisplaySwitch.exe.7ffc6f9e0000.3.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
9.2.rundll32.exe.7ffc6f9e0000.2.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
24.2.GamePanel.exe.7ffc6f9e0000.3.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
32.2.msdt.exe.7ffc6e2a0000.3.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
14.2.rundll32.exe.7ffc6f9e0000.2.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0.2.loaddll64.exe.7ffc6f9e0000.2.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
40.2.cmstp.exe.7ffc7c2f0000.3.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
Click to see the 6 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Call by Ordinal

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\dpnhupnp.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\dpnhupnp.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dpnhupnp.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4532, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\dpnhupnp.dll",#1, ProcessId: 4356

Source: Process started

Author: juju4: Data: Command: C:\Windows\system32\msdt.exe, CommandLine: C:\Windows\system32\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\msdt.exe, NewProcessName: C:\Windows\System32\msdt.exe, OriginalFileName: C:\Windows\System32\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\system32\msdt.exe, ProcessId: 4792

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: dpnhupnp.dll	Virustotal: Detection: 65%	Perma Link
Source: dpnhupnp.dll	Metadefender: Detection: 62%	Perma Link
Source: dpnhupnp.dll	ReversingLabs: Detection: 83%

Antivirus / Scanner detection for submitted sample

Source: dpnhupnp.dll

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\4xeLXaDKW\WINSTA.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\WPx7QKO3\UxTheme.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\uRSIQRt4\dxgi.dll	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\96P3D\VERSION.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\96P3D\VERSION.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\1XXGC21\DUI70.dll	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\96P3D\VERSION.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\RiK2PNsRy\HID.DLL	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen

Machine Learning detection for sample

Source: dpnhupnp.dll

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\4xeLXaDKW\WINSTA.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\WPx7QKO3\UxTheme.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\uRSIQRt4\dxgi.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\96P3D\VERSION.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\96P3D\VERSION.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\1XXGC21\DUI70.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\96P3D\VERSION.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\RiK2PNsRy\HID.DLL	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF775508534 CryptDestroyHash,CryptReleaseContext,	24_2_00007FF775508534
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF775508610 CryptGetHashParam,memset,	24_2_00007FF775508610
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF775508598 CryptAcquireContextW,CryptCreateHash,	24_2_00007FF775508598
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7755088F8 CryptHashData,	24_2_00007FF7755088F8
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77550874C CryptHashData,	24_2_00007FF77550874C
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299EDF30 CertGetCertificateContextProperty,GetLastError,CryptHashCertificate,GetLastError,GetLastError,CertFreeCertificateContext,	32_2_00007FF7299EDF30

Source: dpnhupnp.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: cmstp.pdbGCTL source: cmstp.exe, 00000023.00000000.468453797.00007FF7DE0BF000.00000002.00000001.01000000.0000000D.sdmp, cmstp.exe, 00000023.00000002.491387694.00007FF7DE0BF000.00000002.00000001.01000000.0000000D.sdmp, cmstp.exe, 00000028.00000002.547996060.00007FF72BE3F000.00000002.00000001.01000000.00000011.sdmp, cmstp.exe, 00000028.00000000.525056194.00007FF72BE3F000.00000002.00000001.01000000.00000011.sdmp, cmstp.exe.6.dr, cmstp.exe0.6.dr
Source:	Binary string: msdt.pdbGCTL source: msdt.exe, 00000020.00000002.463579902.00007FF729A08000.00000002.00000001.01000000.0000000B.sdmp, msdt.exe, 00000020.00000000.438710187.00007FF729A08000.00000002.00000001.01000000.0000000B.sdmp, msdt.exe.6.dr
Source:	Binary string: CloudNotifications.pdb source: CloudNotifications.exe.6.dr
Source:	Binary string: tabcal.pdbGCTL source: tabcal.exe.6.dr
Source:	Binary string: PresentationHost.pdbGCTL source: PresentationHost.exe, 00000026.00000002.520780934.00007FF76ED9F000.00000002.00000001.01000000.0000000F.sdmp, PresentationHost.exe, 00000026.00000000.496651636.00007FF76ED9F000.00000002.00000001.01000000.0000000F.sdmp, PresentationHost.exe.6.dr
Source:	Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr
Source:	Binary string: PresentationHost.pdb source: PresentationHost.exe, 00000026.00000002.520780934.00007FF76ED9F000.00000002.00000001.01000000.0000000F.sdmp, PresentationHost.exe, 00000026.00000000.496651636.00007FF76ED9F000.00000002.00000001.01000000.0000000F.sdmp, PresentationHost.exe.6.dr
Source:	Binary string: cmstp.pdb source: cmstp.exe, 00000023.00000000.468453797.00007FF7DE0BF000.00000002.00000001.01000000.0000000D.sdmp, cmstp.exe, 00000023.00000002.491387694.00007FF7DE0BF000.00000002.00000001.01000000.0000000D.sdmp, cmstp.exe, 00000028.00000002.547996060.00007FF72BE3F000.00000002.00000001.01000000.00000011.sdmp, cmstp.exe, 00000028.00000000.525056194.00007FF72BE3F000.00000002.00000001.01000000.00000011.sdmp, cmstp.exe.6.dr, cmstp.exe0.6.dr
Source:	Binary string: DisplaySwitch.pdbGCTL source: DisplaySwitch.exe, 00000014.00000000.368442640.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmp, DisplaySwitch.exe, 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmp, DisplaySwitch.exe.6.dr
Source:	Binary string: GamePanel.pdb source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr
Source:	Binary string: tabcal.pdb source: tabcal.exe.6.dr
Source:	Binary string: msdt.pdb source: msdt.exe, 00000020.00000002.463579902.00007FF729A08000.00000002.00000001.01000000.0000000B.sdmp, msdt.exe, 00000020.00000000.438710187.00007FF729A08000.00000002.00000001.01000000.0000000B.sdmp, msdt.exe.6.dr
Source:	Binary string: DisplaySwitch.pdb source: DisplaySwitch.exe, 00000014.00000000.368442640.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmp, DisplaySwitch.exe, 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmp, DisplaySwitch.exe.6.dr
Source:	Binary string: CloudNotifications.pdbGCTL source: CloudNotifications.exe.6.dr

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA3ED10 FindFirstFileExW,	0_2_00007FFC6FA3ED10
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299E7C3C GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree,	32_2_00007FF7299E7C3C
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299E6494 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,#13,GetLastError,GetProcessHeap,HeapFree,	32_2_00007FF7299E6494
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299FA65C memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	32_2_00007FF7299FA65C
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299FBD48 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	32_2_00007FF7299FBD48
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299E6720 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,	32_2_00007FF7299E6720
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299E7784 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	32_2_00007FF7299E7784
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299E2770 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,	32_2_00007FF7299E2770
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2FED10 FindFirstFileExW,	32_2_00007FFC6E2FED10

Source: explorer.exe, 00000006.00000000.313547112.000000000EE50000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.293192524.000000000EE50000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.326336701.000000000EE50000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000006.00000000.313547112.000000000EE50000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.293192524.000000000EE50000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.326336701.000000000EE50000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: GamePanel.exe	String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augment
Source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr	String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augmenthttps://MediaData.XboxLive.com/screenshots/Augmenth
Source: GamePanel.exe	String found in binary or memory: https://MediaData.XboxLive.com/gameclips/Augment
Source: GamePanel.exe	String found in binary or memory: https://MediaData.XboxLive.com/screenshots/Augment
Source: GamePanel.exe	String found in binary or memory: https://aka.ms/ifg0es
Source: GamePanel.exe	String found in binary or memory: https://aka.ms/imfx4k
Source: GamePanel.exe	String found in binary or memory: https://aka.ms/imrx2o
Source: GamePanel.exe	String found in binary or memory: https://aka.ms/v5do45
Source: GamePanel.exe	String found in binary or memory: https://aka.ms/w5ryqn
Source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr	String found in binary or memory: https://aka.ms/w5ryqnhttps://aka.ms/imfx4kQUITTING
Source: GamePanel.exe, GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr	String found in binary or memory: https://aka.ms/wk9ocd
Source: GamePanel.exe	String found in binary or memory: https://mixer.com/%ws
Source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr	String found in binary or memory: https://mixer.com/%wsWindows.System.Launcher
Source: GamePanel.exe	String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.png
Source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr	String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.pngtitleIdaumIdkglIdprocessNamenametypeIdmultimedia
Source: GamePanel.exe, GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr	String found in binary or memory: https://mixer.com/api/v1/broadcasts/current
Source: GamePanel.exe	String found in binary or memory: https://mixer.com/api/v1/channels/%d
Source: GamePanel.exe	String found in binary or memory: https://mixer.com/api/v1/channels/%ws
Source: GamePanel.exe	String found in binary or memory: https://mixer.com/api/v1/chats/%.0f
Source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr	String found in binary or memory: https://mixer.com/api/v1/chats/%.0fhttps://mixer.com/api/v1/users/currentBEAM_IMAGEGamesGuide::BeamC
Source: GamePanel.exe	String found in binary or memory: https://mixer.com/api/v1/oauth/xbl/login
Source: GamePanel.exe	String found in binary or memory: https://mixer.com/api/v1/types/lookup%ws
Source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr	String found in binary or memory: https://mixer.com/api/v1/types/lookup%wshttps://mixer.com/api/v1/channels/%wshttps://mixer.com/api/v
Source: GamePanel.exe	String found in binary or memory: https://mixer.com/api/v1/users/current
Source: GamePanel.exe	String found in binary or memory: https://profile.xboxlive.com/users/me/profile/settings?settings=GameDisplayPicRaw
Source: GamePanel.exe	String found in binary or memory: https://www.xboxlive.com
Source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr	String found in binary or memory: https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD

Source: unknown

DNS traffic detected: queries for: store-images.s-microsoft.com

Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe

Code function: 24_2_00007FF7754CFC50 RegisterRawInputDevices,

24_2_00007FF7754CFC50

Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe

Code function: 20_2_00007FF701BD5E1C GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetAsyncKeyState,

20_2_00007FF701BD5E1C

Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe

Code function: 32_2_00007FF7299E3120 GetProcessHeap,HeapAlloc,CreateStreamOnHGlobal,OpenClipboard,GetLastError,EmptyClipboard,GetHGlobalFromStream,SetClipboardData,CloseClipboard,GetProcessHeap,HeapFree,

32_2_00007FF7299E3120

E-Banking Fraud

Yara detected Dridex unpacked file

Source: Yara match	File source: 35.2.cmstp.exe.7ffc7c2f0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.PresentationHost.exe.7ffc7c2f0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.7ffc6f9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.7ffc6f9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.DisplaySwitch.exe.7ffc6f9e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.7ffc6f9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.GamePanel.exe.7ffc6f9e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.msdt.exe.7ffc6e2a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.7ffc6f9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffc6f9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.cmstp.exe.7ffc7c2f0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.278695271.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.357902587.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.424452492.00007FFC6F9E1000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.392236668.00007FFC6F9E1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.463842556.00007FFC6E2A1000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.491431291.00007FFC7C2F1000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.520892941.00007FFC7C2F1000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.548047896.00007FFC7C2F1000.00000020.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.293533164.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.285131581.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmstp.exe C:\Windows\system32\cmstp.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\M4eXJF\cmstp.exe C:\Users\user\AppData\Local\M4eXJF\cmstp.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmstp.exe C:\Windows\system32\cmstp.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\96P3D\cmstp.exe C:\Users\user\AppData\Local\96P3D\cmstp.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmstp.exe C:\Windows\system32\cmstp.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\M4eXJF\cmstp.exe C:\Users\user\AppData\Local\M4eXJF\cmstp.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmstp.exe C:\Windows\system32\cmstp.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\96P3D\cmstp.exe C:\Users\user\AppData\Local\96P3D\cmstp.exe	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA15020	0_2_00007FFC6FA15020
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA297D0	0_2_00007FFC6FA297D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA47650	0_2_00007FFC6FA47650
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA3DDC0	0_2_00007FFC6FA3DDC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA4D520	0_2_00007FFC6FA4D520
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA2A2C0	0_2_00007FFC6FA2A2C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA1AA70	0_2_00007FFC6FA1AA70
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA2CA50	0_2_00007FFC6FA2CA50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA159F0	0_2_00007FFC6FA159F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA33150	0_2_00007FFC6FA33150
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA07880	0_2_00007FFC6FA07880
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA0C030	0_2_00007FFC6FA0C030
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA10020	0_2_00007FFC6FA10020
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA04800	0_2_00007FFC6FA04800
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9E1010	0_2_00007FFC6F9E1010
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA1F870	0_2_00007FFC6FA1F870
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA2F870	0_2_00007FFC6FA2F870
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA35840	0_2_00007FFC6FA35840
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA05050	0_2_00007FFC6FA05050
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA0E7B0	0_2_00007FFC6FA0E7B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA5B7A0	0_2_00007FFC6FA5B7A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA4C780	0_2_00007FFC6FA4C780
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA5EF80	0_2_00007FFC6FA5EF80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9E6790	0_2_00007FFC6F9E6790
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA54FF0	0_2_00007FFC6FA54FF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA06FE0	0_2_00007FFC6FA06FE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9F8FC0	0_2_00007FFC6F9F8FC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9FA7D0	0_2_00007FFC6F9FA7D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA40F30	0_2_00007FFC6FA40F30
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA0872B	0_2_00007FFC6FA0872B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA5BF6F	0_2_00007FFC6FA5BF6F
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA40770	0_2_00007FFC6FA40770
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA45760	0_2_00007FFC6FA45760
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9FE770	0_2_00007FFC6F9FE770
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA02F50	0_2_00007FFC6FA02F50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA4A6B0	0_2_00007FFC6FA4A6B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA0F6B0	0_2_00007FFC6FA0F6B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA106A0	0_2_00007FFC6FA106A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9E7E80	0_2_00007FFC6F9E7E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9E6E90	0_2_00007FFC6F9E6E90
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA47EC0	0_2_00007FFC6FA47EC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9E1620	0_2_00007FFC6F9E1620
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9EDE20	0_2_00007FFC6F9EDE20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA12E10	0_2_00007FFC6FA12E10
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA03610	0_2_00007FFC6FA03610
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9F8670	0_2_00007FFC6F9F8670
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA30650	0_2_00007FFC6FA30650
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9EC5A0	0_2_00007FFC6F9EC5A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9F65E0	0_2_00007FFC6F9F65E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9F95C0	0_2_00007FFC6F9F95C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA125C0	0_2_00007FFC6FA125C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA11D30	0_2_00007FFC6FA11D30
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA10D10	0_2_00007FFC6FA10D10
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9F9D70	0_2_00007FFC6F9F9D70
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA0D550	0_2_00007FFC6FA0D550
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA03D50	0_2_00007FFC6FA03D50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA4E4AD	0_2_00007FFC6FA4E4AD
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA4E4B6	0_2_00007FFC6FA4E4B6
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA4E49D	0_2_00007FFC6FA4E49D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA42CA0	0_2_00007FFC6FA42CA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA4E4A6	0_2_00007FFC6FA4E4A6
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA4A490	0_2_00007FFC6FA4A490
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA4E494	0_2_00007FFC6FA4E494
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA0AC80	0_2_00007FFC6FA0AC80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA4E48B	0_2_00007FFC6FA4E48B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA13CF0	0_2_00007FFC6FA13CF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA15CD0	0_2_00007FFC6FA15CD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9F3CD0	0_2_00007FFC6F9F3CD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9E5C20	0_2_00007FFC6F9E5C20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9F5420	0_2_00007FFC6F9F5420
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA49410	0_2_00007FFC6FA49410
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA4E400	0_2_00007FFC6FA4E400
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9F7410	0_2_00007FFC6F9F7410
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA44390	0_2_00007FFC6FA44390
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9F23F0	0_2_00007FFC6F9F23F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA34BC0	0_2_00007FFC6FA34BC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA11B30	0_2_00007FFC6FA11B30
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9EBB20	0_2_00007FFC6F9EBB20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA0A310	0_2_00007FFC6FA0A310
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA10300	0_2_00007FFC6FA10300
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA14360	0_2_00007FFC6FA14360
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA45B50	0_2_00007FFC6FA45B50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA03340	0_2_00007FFC6FA03340
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9F8340	0_2_00007FFC6F9F8340
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9E5350	0_2_00007FFC6F9E5350
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA482A0	0_2_00007FFC6FA482A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA4AAA0	0_2_00007FFC6FA4AAA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA0DAA0	0_2_00007FFC6FA0DAA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA47AF0	0_2_00007FFC6FA47AF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA082E0	0_2_00007FFC6FA082E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA1BAE0	0_2_00007FFC6FA1BAE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA42AE0	0_2_00007FFC6FA42AE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA092C0	0_2_00007FFC6FA092C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA3F2C0	0_2_00007FFC6FA3F2C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA4B260	0_2_00007FFC6FA4B260
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA1B250	0_2_00007FFC6FA1B250
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9E7A40	0_2_00007FFC6F9E7A40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA0E9A0	0_2_00007FFC6FA0E9A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9FE9B0	0_2_00007FFC6F9FE9B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA011B0	0_2_00007FFC6FA011B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA19990	0_2_00007FFC6FA19990
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9E2980	0_2_00007FFC6F9E2980
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA0F1F0	0_2_00007FFC6FA0F1F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA191F0	0_2_00007FFC6FA191F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA189F0	0_2_00007FFC6FA189F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA121D0	0_2_00007FFC6FA121D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA069C0	0_2_00007FFC6FA069C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA16130	0_2_00007FFC6FA16130
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9EB100	0_2_00007FFC6F9EB100
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9FE110	0_2_00007FFC6F9FE110
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA03910	0_2_00007FFC6FA03910
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA4B960	0_2_00007FFC6FA4B960
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA46950	0_2_00007FFC6FA46950
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA04140	0_2_00007FFC6FA04140
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9F08B0	0_2_00007FFC6F9F08B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9FD890	0_2_00007FFC6F9FD890
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6F9E18D0	0_2_00007FFC6F9E18D0
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe	Code function: 20_2_00007FF701BD4EC8	20_2_00007FF701BD4EC8
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe	Code function: 20_2_00007FF701BE1670	20_2_00007FF701BE1670
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe	Code function: 20_2_00007FF701BC1250	20_2_00007FF701BC1250
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe	Code function: 20_2_00007FF701BCB24C	20_2_00007FF701BCB24C
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe	Code function: 20_2_00007FF701BD41D8	20_2_00007FF701BD41D8
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe	Code function: 20_2_00007FF701BCFCD8	20_2_00007FF701BCFCD8
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe	Code function: 20_2_00007FF701BD740C	20_2_00007FF701BD740C
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe	Code function: 20_2_00007FF701BE13B0	20_2_00007FF701BE13B0
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77550D6B0	24_2_00007FF77550D6B0
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77553D788	24_2_00007FF77553D788
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77554D7A2	24_2_00007FF77554D7A2
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7754D3260	24_2_00007FF7754D3260
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77551B26C	24_2_00007FF77551B26C
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7754D72C8	24_2_00007FF7754D72C8
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF775535190	24_2_00007FF775535190
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77553B14C	24_2_00007FF77553B14C
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77552B124	24_2_00007FF77552B124
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF775547460	24_2_00007FF775547460
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7754F9484	24_2_00007FF7754F9484
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77550B454	24_2_00007FF77550B454
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77553137C	24_2_00007FF77553137C
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77550BE58	24_2_00007FF77550BE58
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF775515F08	24_2_00007FF775515F08
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7754A3D38	24_2_00007FF7754A3D38
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7754AA058	24_2_00007FF7754AA058
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77553BF88	24_2_00007FF77553BF88
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77554BFEC	24_2_00007FF77554BFEC
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF775537A20	24_2_00007FF775537A20
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF775511AD4	24_2_00007FF775511AD4
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7754AB928	24_2_00007FF7754AB928
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77552F920	24_2_00007FF77552F920
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF775517A00	24_2_00007FF775517A00
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77554FC59	24_2_00007FF77554FC59
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7754DDC44	24_2_00007FF7754DDC44
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77552BD14	24_2_00007FF77552BD14
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77554DB6C	24_2_00007FF77554DB6C
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF775510644	24_2_00007FF775510644
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF775500620	24_2_00007FF775500620
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7754DE560	24_2_00007FF7754DE560
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7754F253C	24_2_00007FF7754F253C
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7755445E0	24_2_00007FF7755445E0
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77550A5D0	24_2_00007FF77550A5D0
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7755048C0	24_2_00007FF7755048C0
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF775540728	24_2_00007FF775540728
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7754AA7EC	24_2_00007FF7754AA7EC
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7755547E5	24_2_00007FF7755547E5
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7754B9AF0	24_2_00007FF7754B9AF0
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7754AE7FC	24_2_00007FF7754AE7FC
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7754CE224	24_2_00007FF7754CE224
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7754EA250	24_2_00007FF7754EA250
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77552C2D8	24_2_00007FF77552C2D8
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7754E21AC	24_2_00007FF7754E21AC
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF775524198	24_2_00007FF775524198
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7755221AC	24_2_00007FF7755221AC
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7754D43B8	24_2_00007FF7754D43B8
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77553EE40	24_2_00007FF77553EE40
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7754F8F14	24_2_00007FF7754F8F14
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77552ED90	24_2_00007FF77552ED90
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF775524DD0	24_2_00007FF775524DD0
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77553D010	24_2_00007FF77553D010
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77550AFF0	24_2_00007FF77550AFF0
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7754F6948	24_2_00007FF7754F6948
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7755089F4	24_2_00007FF7755089F4
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77553A998	24_2_00007FF77553A998
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF775530C44	24_2_00007FF775530C44
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77550CCFC	24_2_00007FF77550CCFC
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7754C4CDC	24_2_00007FF7754C4CDC
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF7754DED00	24_2_00007FF7754DED00
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF729A052B0	32_2_00007FF729A052B0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299D2300	32_2_00007FF7299D2300
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299D6AF0	32_2_00007FF7299D6AF0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299CBAEC	32_2_00007FF7299CBAEC
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299DCA38	32_2_00007FF7299DCA38
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299ED25C	32_2_00007FF7299ED25C
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299EBA58	32_2_00007FF7299EBA58
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299F19B8	32_2_00007FF7299F19B8
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299EB1A4	32_2_00007FF7299EB1A4
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299C69B0	32_2_00007FF7299C69B0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299C99D8	32_2_00007FF7299C99D8
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299D6150	32_2_00007FF7299D6150
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299DF4DC	32_2_00007FF7299DF4DC
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299ECCE8	32_2_00007FF7299ECCE8
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299E3440	32_2_00007FF7299E3440
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299FD440	32_2_00007FF7299FD440
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299EFBEC	32_2_00007FF7299EFBEC
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299CFB90	32_2_00007FF7299CFB90
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299C6360	32_2_00007FF7299C6360
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299E2360	32_2_00007FF7299E2360
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299DA6A4	32_2_00007FF7299DA6A4
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299DC6FC	32_2_00007FF7299DC6FC
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299DD618	32_2_00007FF7299DD618
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299C5678	32_2_00007FF7299C5678
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299C9678	32_2_00007FF7299C9678
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299FE5CC	32_2_00007FF7299FE5CC
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF729A01E04	32_2_00007FF729A01E04
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299E5DEC	32_2_00007FF7299E5DEC
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299EAD3C	32_2_00007FF7299EAD3C
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299C7D18	32_2_00007FF7299C7D18
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299D80F8	32_2_00007FF7299D80F8
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299DC0E4	32_2_00007FF7299DC0E4
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299E2050	32_2_00007FF7299E2050
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299EC878	32_2_00007FF7299EC878
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299E37E0	32_2_00007FF7299E37E0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299F97D8	32_2_00007FF7299F97D8
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299E7F18	32_2_00007FF7299E7F18
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299E7784	32_2_00007FF7299E7784
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2E97D0	32_2_00007FFC6E2E97D0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2D5020	32_2_00007FFC6E2D5020
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2D5CD0	32_2_00007FFC6E2D5CD0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E30D520	32_2_00007FFC6E30D520
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2FDDC0	32_2_00007FFC6E2FDDC0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E307650	32_2_00007FFC6E307650
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2DBAE0	32_2_00007FFC6E2DBAE0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2EA2C0	32_2_00007FFC6E2EA2C0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2C7880	32_2_00007FFC6E2C7880
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2F3150	32_2_00007FFC6E2F3150
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2D59F0	32_2_00007FFC6E2D59F0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2DAA70	32_2_00007FFC6E2DAA70
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2ECA50	32_2_00007FFC6E2ECA50
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2CF6B0	32_2_00007FFC6E2CF6B0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2D06A0	32_2_00007FFC6E2D06A0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2A6E90	32_2_00007FFC6E2A6E90
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2A7E80	32_2_00007FFC6E2A7E80
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E30A6B0	32_2_00007FFC6E30A6B0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E307EC0	32_2_00007FFC6E307EC0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E300F30	32_2_00007FFC6E300F30
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2C872B	32_2_00007FFC6E2C872B
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E31BF6F	32_2_00007FFC6E31BF6F
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E300770	32_2_00007FFC6E300770
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2BE770	32_2_00007FFC6E2BE770
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E305760	32_2_00007FFC6E305760
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2C2F50	32_2_00007FFC6E2C2F50
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2CE7B0	32_2_00007FFC6E2CE7B0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2A6790	32_2_00007FFC6E2A6790
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E314FF0	32_2_00007FFC6E314FF0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E30C780	32_2_00007FFC6E30C780
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E31EF80	32_2_00007FFC6E31EF80
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2C6FE0	32_2_00007FFC6E2C6FE0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E31B7A0	32_2_00007FFC6E31B7A0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2BA7D0	32_2_00007FFC6E2BA7D0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2B8FC0	32_2_00007FFC6E2B8FC0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2CC030	32_2_00007FFC6E2CC030
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2D0020	32_2_00007FFC6E2D0020
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2A1010	32_2_00007FFC6E2A1010
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2C4800	32_2_00007FFC6E2C4800
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2DF870	32_2_00007FFC6E2DF870
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2EF870	32_2_00007FFC6E2EF870
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E320820	32_2_00007FFC6E320820
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2C5050	32_2_00007FFC6E2C5050
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2F5840	32_2_00007FFC6E2F5840
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E302CA0	32_2_00007FFC6E302CA0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2CAC80	32_2_00007FFC6E2CAC80
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2D3CF0	32_2_00007FFC6E2D3CF0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E30E48B	32_2_00007FFC6E30E48B
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E30A490	32_2_00007FFC6E30A490
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E30E494	32_2_00007FFC6E30E494
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E30E49D	32_2_00007FFC6E30E49D
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E30E4A6	32_2_00007FFC6E30E4A6
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2B3CD0	32_2_00007FFC6E2B3CD0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E30E4AD	32_2_00007FFC6E30E4AD
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E30E4B6	32_2_00007FFC6E30E4B6
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2D1D30	32_2_00007FFC6E2D1D30
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2F8D20	32_2_00007FFC6E2F8D20
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2D0D10	32_2_00007FFC6E2D0D10
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2B9D70	32_2_00007FFC6E2B9D70
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2CD550	32_2_00007FFC6E2CD550
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2C3D50	32_2_00007FFC6E2C3D50
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2AC5A0	32_2_00007FFC6E2AC5A0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E31C590	32_2_00007FFC6E31C590
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2B65E0	32_2_00007FFC6E2B65E0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2D25C0	32_2_00007FFC6E2D25C0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2B95C0	32_2_00007FFC6E2B95C0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2A1620	32_2_00007FFC6E2A1620
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2ADE20	32_2_00007FFC6E2ADE20
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2D2E10	32_2_00007FFC6E2D2E10
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2C3610	32_2_00007FFC6E2C3610
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2B8670	32_2_00007FFC6E2B8670
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2F0650	32_2_00007FFC6E2F0650
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2CDAA0	32_2_00007FFC6E2CDAA0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E307AF0	32_2_00007FFC6E307AF0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2C82E0	32_2_00007FFC6E2C82E0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E302AE0	32_2_00007FFC6E302AE0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E3082A0	32_2_00007FFC6E3082A0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E30AAA0	32_2_00007FFC6E30AAA0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2C92C0	32_2_00007FFC6E2C92C0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2F22C0	32_2_00007FFC6E2F22C0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2FF2C0	32_2_00007FFC6E2FF2C0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2D1B30	32_2_00007FFC6E2D1B30
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2ABB20	32_2_00007FFC6E2ABB20
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2CA310	32_2_00007FFC6E2CA310
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2D0300	32_2_00007FFC6E2D0300
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2D4360	32_2_00007FFC6E2D4360
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E305B50	32_2_00007FFC6E305B50
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2A5350	32_2_00007FFC6E2A5350
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2C3340	32_2_00007FFC6E2C3340
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2B8340	32_2_00007FFC6E2B8340
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E304390	32_2_00007FFC6E304390
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2B23F0	32_2_00007FFC6E2B23F0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2F4BC0	32_2_00007FFC6E2F4BC0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2A5C20	32_2_00007FFC6E2A5C20
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2B5420	32_2_00007FFC6E2B5420
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2B7410	32_2_00007FFC6E2B7410
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E30E400	32_2_00007FFC6E30E400
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E31FC00	32_2_00007FFC6E31FC00
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E309410	32_2_00007FFC6E309410
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2B08B0	32_2_00007FFC6E2B08B0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E31C0EB	32_2_00007FFC6E31C0EB
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2BD890	32_2_00007FFC6E2BD890
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2A18D0	32_2_00007FFC6E2A18D0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E31C8B1	32_2_00007FFC6E31C8B1
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2D6130	32_2_00007FFC6E2D6130
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E30B960	32_2_00007FFC6E30B960
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2BE110	32_2_00007FFC6E2BE110
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2C3910	32_2_00007FFC6E2C3910
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2AB100	32_2_00007FFC6E2AB100
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E306950	32_2_00007FFC6E306950
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2C4140	32_2_00007FFC6E2C4140
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2BE9B0	32_2_00007FFC6E2BE9B0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2C11B0	32_2_00007FFC6E2C11B0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2CE9A0	32_2_00007FFC6E2CE9A0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2D9990	32_2_00007FFC6E2D9990
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2A2980	32_2_00007FFC6E2A2980
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2CF1F0	32_2_00007FFC6E2CF1F0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2D91F0	32_2_00007FFC6E2D91F0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2D89F0	32_2_00007FFC6E2D89F0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2D21D0	32_2_00007FFC6E2D21D0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2C69C0	32_2_00007FFC6E2C69C0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E30B260	32_2_00007FFC6E30B260
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2DB250	32_2_00007FFC6E2DB250
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2A7A40	32_2_00007FFC6E2A7A40

Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: String function: 00007FF7299C4474 appears 37 times
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: String function: 00007FF7299C419C appears 54 times
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: String function: 00007FF7299CCF60 appears 903 times
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: String function: 00007FF729A0410C appears 37 times
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: String function: 00007FF7754A4D68 appears 192 times
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: String function: 00007FF7754A32F8 appears 394 times
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: String function: 00007FF7754A6894 appears 49 times
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: String function: 00007FF775546AD8 appears 230 times
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: String function: 00007FF7754B62E4 appears 62 times

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA27770 NtClose,	0_2_00007FFC6FA27770
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA4D520 NtQuerySystemInformation,RtlAllocateHeap,	0_2_00007FFC6FA4D520
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77554A9CC NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,HeapAlloc,memset,NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,RtlInitUnicodeString,RtlCompareUnicodeString,	24_2_00007FF77554A9CC
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF775516C44 RtlInitUnicodeString,NtQueryLicenseValue,	24_2_00007FF775516C44
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299F54EC NtQueryInformationToken,NtQueryInformationToken,	32_2_00007FF7299F54EC
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299F5580 NtOpenThreadToken,NtOpenProcessToken,NtQueryInformationToken,NtClose,	32_2_00007FF7299F5580
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2E7770 NtClose,	32_2_00007FFC6E2E7770
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2C5F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,	32_2_00007FFC6E2C5F40
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2D5CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose,	32_2_00007FFC6E2D5CD0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2DC4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,	32_2_00007FFC6E2DC4D0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E30D520 NtQuerySystemInformation,	32_2_00007FFC6E30D520
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2DBAE0 NtReadVirtualMemory,	32_2_00007FFC6E2DBAE0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2DAA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread,	32_2_00007FFC6E2DAA70

Source: dpnhupnp.dll

Binary or memory string: OriginalFilenamedpnhupnp.dJ vs dpnhupnp.dll

Source: PresentationHost.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tabcal.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tabcal.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tabcal.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GamePanel.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GamePanel.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GamePanel.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel34.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel34.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel34.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel34.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe	Section loaded: kernel34.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Section loaded: kernel34.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\M4eXJF\cmstp.exe	Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\a6o\PresentationHost.exe	Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\96P3D\cmstp.exe	Section loaded: kernel34.dll

Source: DUI70.dll.6.dr	Static PE information: Number of sections : 55 > 10
Source: WINSTA.dll.6.dr	Static PE information: Number of sections : 55 > 10
Source: VERSION.dll1.6.dr	Static PE information: Number of sections : 55 > 10
Source: HID.DLL.6.dr	Static PE information: Number of sections : 55 > 10
Source: dxgi.dll.6.dr	Static PE information: Number of sections : 55 > 10
Source: UxTheme.dll.6.dr	Static PE information: Number of sections : 55 > 10
Source: VERSION.dll.6.dr	Static PE information: Number of sections : 55 > 10
Source: VERSION.dll0.6.dr	Static PE information: Number of sections : 55 > 10
Source: dpnhupnp.dll	Static PE information: Number of sections : 54 > 10

Source: dpnhupnp.dll	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.6.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll0.6.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.6.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: HID.DLL.6.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINSTA.dll.6.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dxgi.dll.6.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.6.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll1.6.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: dpnhupnp.dll	Virustotal: Detection: 65%
Source: dpnhupnp.dll	Metadefender: Detection: 62%
Source: dpnhupnp.dll	ReversingLabs: Detection: 83%

Source: dpnhupnp.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\dpnhupnp.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dpnhupnp.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dpnhupnp.dll,GetFileVersionInfoA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dpnhupnp.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dpnhupnp.dll,GetFileVersionInfoByHandle
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dpnhupnp.dll,GetFileVersionInfoExA
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\DisplaySwitch.exe C:\Windows\system32\DisplaySwitch.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wusa.exe C:\Windows\system32\wusa.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\GamePanel.exe C:\Windows\system32\GamePanel.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\msdt.exe C:\Windows\system32\msdt.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\1XXGC21\msdt.exe C:\Users\user\AppData\Local\1XXGC21\msdt.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmstp.exe C:\Windows\system32\cmstp.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\M4eXJF\cmstp.exe C:\Users\user\AppData\Local\M4eXJF\cmstp.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\PresentationHost.exe C:\Windows\system32\PresentationHost.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\a6o\PresentationHost.exe C:\Users\user\AppData\Local\a6o\PresentationHost.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmstp.exe C:\Windows\system32\cmstp.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\96P3D\cmstp.exe C:\Users\user\AppData\Local\96P3D\cmstp.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dpnhupnp.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dpnhupnp.dll,GetFileVersionInfoA	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dpnhupnp.dll,GetFileVersionInfoByHandle	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dpnhupnp.dll,GetFileVersionInfoExA	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dpnhupnp.dll",#1	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\DisplaySwitch.exe C:\Windows\system32\DisplaySwitch.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wusa.exe C:\Windows\system32\wusa.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\GamePanel.exe C:\Windows\system32\GamePanel.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\msdt.exe C:\Windows\system32\msdt.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\1XXGC21\msdt.exe C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmstp.exe C:\Windows\system32\cmstp.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\M4eXJF\cmstp.exe C:\Users\user\AppData\Local\M4eXJF\cmstp.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\PresentationHost.exe C:\Windows\system32\PresentationHost.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\a6o\PresentationHost.exe C:\Users\user\AppData\Local\a6o\PresentationHost.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmstp.exe C:\Windows\system32\cmstp.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\96P3D\cmstp.exe C:\Users\user\AppData\Local\96P3D\cmstp.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@43/17@1/0

Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe

Code function: 20_2_00007FF701BCD6C4 CoCreateInstance,LocalFree,LocalFree,

20_2_00007FF701BCD6C4

Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe

Code function: 32_2_00007FFC6E2DCB00 GetProcessId,CreateToolhelp32Snapshot,Thread32First,

32_2_00007FFC6E2DCB00

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dpnhupnp.dll,GetFileVersionInfoA

Source: C:\Users\user\AppData\Local\96P3D\cmstp.exe	Mutant created: \Sessions\1\BaseNamedObjects\{1d8c6780-ccd1-3f65-ac44-7ba47b61fe90}
Source: C:\Users\user\AppData\Local\96P3D\cmstp.exe	Mutant created: \Sessions\1\BaseNamedObjects\{d8079e48-5f84-d194-c189-b4fffdff4fd6}

Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe

Code function: 20_2_00007FF701BCE2D8 FindResourceExW,LoadResource,LockResource,

20_2_00007FF701BCE2D8

Source: GamePanel.exe	String found in binary or memory: Start/StopRecordAsync SUCCEEDED
Source: GamePanel.exe	String found in binary or memory: Start/StopRecordAsync SUCCEEDED
Source: GamePanel.exe	String found in binary or memory: Start/StopRecordAsync FAILED with hr = %x
Source: GamePanel.exe	String found in binary or memory: Start/StopRecordAsync FAILED with hr = %x
Source: GamePanel.exe	String found in binary or memory: Start/StopRecordAsync FINALIZING
Source: GamePanel.exe	String found in binary or memory: Start/StopRecordAsync FINALIZING

Source: dpnhupnp.dll

Static PE information: Image base 0x140000000 > 0x60000000

Source: dpnhupnp.dll

Static file information: File size 1064960 > 1048576

Source: dpnhupnp.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: cmstp.pdbGCTL source: cmstp.exe, 00000023.00000000.468453797.00007FF7DE0BF000.00000002.00000001.01000000.0000000D.sdmp, cmstp.exe, 00000023.00000002.491387694.00007FF7DE0BF000.00000002.00000001.01000000.0000000D.sdmp, cmstp.exe, 00000028.00000002.547996060.00007FF72BE3F000.00000002.00000001.01000000.00000011.sdmp, cmstp.exe, 00000028.00000000.525056194.00007FF72BE3F000.00000002.00000001.01000000.00000011.sdmp, cmstp.exe.6.dr, cmstp.exe0.6.dr
Source:	Binary string: msdt.pdbGCTL source: msdt.exe, 00000020.00000002.463579902.00007FF729A08000.00000002.00000001.01000000.0000000B.sdmp, msdt.exe, 00000020.00000000.438710187.00007FF729A08000.00000002.00000001.01000000.0000000B.sdmp, msdt.exe.6.dr
Source:	Binary string: CloudNotifications.pdb source: CloudNotifications.exe.6.dr
Source:	Binary string: tabcal.pdbGCTL source: tabcal.exe.6.dr
Source:	Binary string: PresentationHost.pdbGCTL source: PresentationHost.exe, 00000026.00000002.520780934.00007FF76ED9F000.00000002.00000001.01000000.0000000F.sdmp, PresentationHost.exe, 00000026.00000000.496651636.00007FF76ED9F000.00000002.00000001.01000000.0000000F.sdmp, PresentationHost.exe.6.dr
Source:	Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr
Source:	Binary string: PresentationHost.pdb source: PresentationHost.exe, 00000026.00000002.520780934.00007FF76ED9F000.00000002.00000001.01000000.0000000F.sdmp, PresentationHost.exe, 00000026.00000000.496651636.00007FF76ED9F000.00000002.00000001.01000000.0000000F.sdmp, PresentationHost.exe.6.dr
Source:	Binary string: cmstp.pdb source: cmstp.exe, 00000023.00000000.468453797.00007FF7DE0BF000.00000002.00000001.01000000.0000000D.sdmp, cmstp.exe, 00000023.00000002.491387694.00007FF7DE0BF000.00000002.00000001.01000000.0000000D.sdmp, cmstp.exe, 00000028.00000002.547996060.00007FF72BE3F000.00000002.00000001.01000000.00000011.sdmp, cmstp.exe, 00000028.00000000.525056194.00007FF72BE3F000.00000002.00000001.01000000.00000011.sdmp, cmstp.exe.6.dr, cmstp.exe0.6.dr
Source:	Binary string: DisplaySwitch.pdbGCTL source: DisplaySwitch.exe, 00000014.00000000.368442640.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmp, DisplaySwitch.exe, 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmp, DisplaySwitch.exe.6.dr
Source:	Binary string: GamePanel.pdb source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr
Source:	Binary string: tabcal.pdb source: tabcal.exe.6.dr
Source:	Binary string: msdt.pdb source: msdt.exe, 00000020.00000002.463579902.00007FF729A08000.00000002.00000001.01000000.0000000B.sdmp, msdt.exe, 00000020.00000000.438710187.00007FF729A08000.00000002.00000001.01000000.0000000B.sdmp, msdt.exe.6.dr
Source:	Binary string: DisplaySwitch.pdb source: DisplaySwitch.exe, 00000014.00000000.368442640.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmp, DisplaySwitch.exe, 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmp, DisplaySwitch.exe.6.dr
Source:	Binary string: CloudNotifications.pdbGCTL source: CloudNotifications.exe.6.dr

Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe

Code function: 32_2_00007FFC6E31D500 push rax; iretd

32_2_00007FFC6E31D501

Source: dpnhupnp.dll	Static PE information: section name: .vxl
Source: dpnhupnp.dll	Static PE information: section name: .qwubgr
Source: dpnhupnp.dll	Static PE information: section name: .eer
Source: dpnhupnp.dll	Static PE information: section name: .xwwauf
Source: dpnhupnp.dll	Static PE information: section name: .pkc
Source: dpnhupnp.dll	Static PE information: section name: .npkda
Source: dpnhupnp.dll	Static PE information: section name: .vhs
Source: dpnhupnp.dll	Static PE information: section name: .iaywj
Source: dpnhupnp.dll	Static PE information: section name: .nasi
Source: dpnhupnp.dll	Static PE information: section name: .zhvprh
Source: dpnhupnp.dll	Static PE information: section name: .yatdsp
Source: dpnhupnp.dll	Static PE information: section name: .njso
Source: dpnhupnp.dll	Static PE information: section name: .lgliat
Source: dpnhupnp.dll	Static PE information: section name: .ntqjh
Source: dpnhupnp.dll	Static PE information: section name: .sucsek
Source: dpnhupnp.dll	Static PE information: section name: .qsxjui
Source: dpnhupnp.dll	Static PE information: section name: .twctcm
Source: dpnhupnp.dll	Static PE information: section name: .nms
Source: dpnhupnp.dll	Static PE information: section name: .ogj
Source: dpnhupnp.dll	Static PE information: section name: .vrkgb
Source: dpnhupnp.dll	Static PE information: section name: .gikfw
Source: dpnhupnp.dll	Static PE information: section name: .ktl
Source: dpnhupnp.dll	Static PE information: section name: .crcn
Source: dpnhupnp.dll	Static PE information: section name: .wtfr
Source: dpnhupnp.dll	Static PE information: section name: .hep
Source: dpnhupnp.dll	Static PE information: section name: .ywg
Source: dpnhupnp.dll	Static PE information: section name: .sqsp
Source: dpnhupnp.dll	Static PE information: section name: .tkyonf
Source: dpnhupnp.dll	Static PE information: section name: .lmr
Source: dpnhupnp.dll	Static PE information: section name: .nmvll
Source: dpnhupnp.dll	Static PE information: section name: .uvboq
Source: dpnhupnp.dll	Static PE information: section name: .pck
Source: dpnhupnp.dll	Static PE information: section name: .cui
Source: dpnhupnp.dll	Static PE information: section name: .bjpf
Source: dpnhupnp.dll	Static PE information: section name: .tdsza
Source: dpnhupnp.dll	Static PE information: section name: .ljyns
Source: dpnhupnp.dll	Static PE information: section name: .uvvcd
Source: dpnhupnp.dll	Static PE information: section name: .dhcna
Source: dpnhupnp.dll	Static PE information: section name: .ntjkji
Source: dpnhupnp.dll	Static PE information: section name: .copgfj
Source: dpnhupnp.dll	Static PE information: section name: .zmu
Source: dpnhupnp.dll	Static PE information: section name: .nqzul
Source: dpnhupnp.dll	Static PE information: section name: .qgbg
Source: dpnhupnp.dll	Static PE information: section name: .obih
Source: dpnhupnp.dll	Static PE information: section name: .igwjz
Source: dpnhupnp.dll	Static PE information: section name: .mkzlg
Source: dpnhupnp.dll	Static PE information: section name: .ovmzdw
Source: dpnhupnp.dll	Static PE information: section name: .rqfw
Source: CloudNotifications.exe.6.dr	Static PE information: section name: .imrsiv
Source: CloudNotifications.exe.6.dr	Static PE information: section name: .didat
Source: tabcal.exe.6.dr	Static PE information: section name: .didat
Source: DisplaySwitch.exe.6.dr	Static PE information: section name: .imrsiv
Source: GamePanel.exe.6.dr	Static PE information: section name: .imrsiv
Source: GamePanel.exe.6.dr	Static PE information: section name: .didat
Source: VERSION.dll.6.dr	Static PE information: section name: .vxl
Source: VERSION.dll.6.dr	Static PE information: section name: .qwubgr
Source: VERSION.dll.6.dr	Static PE information: section name: .eer
Source: VERSION.dll.6.dr	Static PE information: section name: .xwwauf
Source: VERSION.dll.6.dr	Static PE information: section name: .pkc
Source: VERSION.dll.6.dr	Static PE information: section name: .npkda
Source: VERSION.dll.6.dr	Static PE information: section name: .vhs
Source: VERSION.dll.6.dr	Static PE information: section name: .iaywj
Source: VERSION.dll.6.dr	Static PE information: section name: .nasi
Source: VERSION.dll.6.dr	Static PE information: section name: .zhvprh
Source: VERSION.dll.6.dr	Static PE information: section name: .yatdsp
Source: VERSION.dll.6.dr	Static PE information: section name: .njso
Source: VERSION.dll.6.dr	Static PE information: section name: .lgliat
Source: VERSION.dll.6.dr	Static PE information: section name: .ntqjh
Source: VERSION.dll.6.dr	Static PE information: section name: .sucsek
Source: VERSION.dll.6.dr	Static PE information: section name: .qsxjui
Source: VERSION.dll.6.dr	Static PE information: section name: .twctcm
Source: VERSION.dll.6.dr	Static PE information: section name: .nms
Source: VERSION.dll.6.dr	Static PE information: section name: .ogj
Source: VERSION.dll.6.dr	Static PE information: section name: .vrkgb
Source: VERSION.dll.6.dr	Static PE information: section name: .gikfw
Source: VERSION.dll.6.dr	Static PE information: section name: .ktl
Source: VERSION.dll.6.dr	Static PE information: section name: .crcn
Source: VERSION.dll.6.dr	Static PE information: section name: .wtfr
Source: VERSION.dll.6.dr	Static PE information: section name: .hep
Source: VERSION.dll.6.dr	Static PE information: section name: .ywg
Source: VERSION.dll.6.dr	Static PE information: section name: .sqsp
Source: VERSION.dll.6.dr	Static PE information: section name: .tkyonf
Source: VERSION.dll.6.dr	Static PE information: section name: .lmr
Source: VERSION.dll.6.dr	Static PE information: section name: .nmvll
Source: VERSION.dll.6.dr	Static PE information: section name: .uvboq
Source: VERSION.dll.6.dr	Static PE information: section name: .pck
Source: VERSION.dll.6.dr	Static PE information: section name: .cui
Source: VERSION.dll.6.dr	Static PE information: section name: .bjpf
Source: VERSION.dll.6.dr	Static PE information: section name: .tdsza
Source: VERSION.dll.6.dr	Static PE information: section name: .ljyns
Source: VERSION.dll.6.dr	Static PE information: section name: .uvvcd
Source: VERSION.dll.6.dr	Static PE information: section name: .dhcna
Source: VERSION.dll.6.dr	Static PE information: section name: .ntjkji
Source: VERSION.dll.6.dr	Static PE information: section name: .copgfj
Source: VERSION.dll.6.dr	Static PE information: section name: .zmu
Source: VERSION.dll.6.dr	Static PE information: section name: .nqzul
Source: VERSION.dll.6.dr	Static PE information: section name: .qgbg
Source: VERSION.dll.6.dr	Static PE information: section name: .obih
Source: VERSION.dll.6.dr	Static PE information: section name: .igwjz
Source: VERSION.dll.6.dr	Static PE information: section name: .mkzlg
Source: VERSION.dll.6.dr	Static PE information: section name: .ovmzdw
Source: VERSION.dll.6.dr	Static PE information: section name: .rqfw
Source: VERSION.dll.6.dr	Static PE information: section name: .ahr
Source: VERSION.dll0.6.dr	Static PE information: section name: .vxl
Source: VERSION.dll0.6.dr	Static PE information: section name: .qwubgr
Source: VERSION.dll0.6.dr	Static PE information: section name: .eer
Source: VERSION.dll0.6.dr	Static PE information: section name: .xwwauf
Source: VERSION.dll0.6.dr	Static PE information: section name: .pkc
Source: VERSION.dll0.6.dr	Static PE information: section name: .npkda
Source: VERSION.dll0.6.dr	Static PE information: section name: .vhs
Source: VERSION.dll0.6.dr	Static PE information: section name: .iaywj
Source: VERSION.dll0.6.dr	Static PE information: section name: .nasi
Source: VERSION.dll0.6.dr	Static PE information: section name: .zhvprh
Source: VERSION.dll0.6.dr	Static PE information: section name: .yatdsp
Source: VERSION.dll0.6.dr	Static PE information: section name: .njso
Source: VERSION.dll0.6.dr	Static PE information: section name: .lgliat
Source: VERSION.dll0.6.dr	Static PE information: section name: .ntqjh
Source: VERSION.dll0.6.dr	Static PE information: section name: .sucsek
Source: VERSION.dll0.6.dr	Static PE information: section name: .qsxjui
Source: VERSION.dll0.6.dr	Static PE information: section name: .twctcm
Source: VERSION.dll0.6.dr	Static PE information: section name: .nms
Source: VERSION.dll0.6.dr	Static PE information: section name: .ogj
Source: VERSION.dll0.6.dr	Static PE information: section name: .vrkgb
Source: VERSION.dll0.6.dr	Static PE information: section name: .gikfw
Source: VERSION.dll0.6.dr	Static PE information: section name: .ktl
Source: VERSION.dll0.6.dr	Static PE information: section name: .crcn
Source: VERSION.dll0.6.dr	Static PE information: section name: .wtfr
Source: VERSION.dll0.6.dr	Static PE information: section name: .hep
Source: VERSION.dll0.6.dr	Static PE information: section name: .ywg
Source: VERSION.dll0.6.dr	Static PE information: section name: .sqsp
Source: VERSION.dll0.6.dr	Static PE information: section name: .tkyonf
Source: VERSION.dll0.6.dr	Static PE information: section name: .lmr
Source: VERSION.dll0.6.dr	Static PE information: section name: .nmvll
Source: VERSION.dll0.6.dr	Static PE information: section name: .uvboq
Source: VERSION.dll0.6.dr	Static PE information: section name: .pck
Source: VERSION.dll0.6.dr	Static PE information: section name: .cui
Source: VERSION.dll0.6.dr	Static PE information: section name: .bjpf
Source: VERSION.dll0.6.dr	Static PE information: section name: .tdsza
Source: VERSION.dll0.6.dr	Static PE information: section name: .ljyns
Source: VERSION.dll0.6.dr	Static PE information: section name: .uvvcd
Source: VERSION.dll0.6.dr	Static PE information: section name: .dhcna
Source: VERSION.dll0.6.dr	Static PE information: section name: .ntjkji
Source: VERSION.dll0.6.dr	Static PE information: section name: .copgfj
Source: VERSION.dll0.6.dr	Static PE information: section name: .zmu
Source: VERSION.dll0.6.dr	Static PE information: section name: .nqzul
Source: VERSION.dll0.6.dr	Static PE information: section name: .qgbg
Source: VERSION.dll0.6.dr	Static PE information: section name: .obih
Source: VERSION.dll0.6.dr	Static PE information: section name: .igwjz
Source: VERSION.dll0.6.dr	Static PE information: section name: .mkzlg
Source: VERSION.dll0.6.dr	Static PE information: section name: .ovmzdw
Source: VERSION.dll0.6.dr	Static PE information: section name: .rqfw
Source: VERSION.dll0.6.dr	Static PE information: section name: .ggmm
Source: UxTheme.dll.6.dr	Static PE information: section name: .vxl
Source: UxTheme.dll.6.dr	Static PE information: section name: .qwubgr
Source: UxTheme.dll.6.dr	Static PE information: section name: .eer
Source: UxTheme.dll.6.dr	Static PE information: section name: .xwwauf
Source: UxTheme.dll.6.dr	Static PE information: section name: .pkc
Source: UxTheme.dll.6.dr	Static PE information: section name: .npkda
Source: UxTheme.dll.6.dr	Static PE information: section name: .vhs
Source: UxTheme.dll.6.dr	Static PE information: section name: .iaywj
Source: UxTheme.dll.6.dr	Static PE information: section name: .nasi
Source: UxTheme.dll.6.dr	Static PE information: section name: .zhvprh
Source: UxTheme.dll.6.dr	Static PE information: section name: .yatdsp
Source: UxTheme.dll.6.dr	Static PE information: section name: .njso
Source: UxTheme.dll.6.dr	Static PE information: section name: .lgliat
Source: UxTheme.dll.6.dr	Static PE information: section name: .ntqjh
Source: UxTheme.dll.6.dr	Static PE information: section name: .sucsek
Source: UxTheme.dll.6.dr	Static PE information: section name: .qsxjui
Source: UxTheme.dll.6.dr	Static PE information: section name: .twctcm
Source: UxTheme.dll.6.dr	Static PE information: section name: .nms
Source: UxTheme.dll.6.dr	Static PE information: section name: .ogj
Source: UxTheme.dll.6.dr	Static PE information: section name: .vrkgb
Source: UxTheme.dll.6.dr	Static PE information: section name: .gikfw
Source: UxTheme.dll.6.dr	Static PE information: section name: .ktl
Source: UxTheme.dll.6.dr	Static PE information: section name: .crcn
Source: UxTheme.dll.6.dr	Static PE information: section name: .wtfr
Source: UxTheme.dll.6.dr	Static PE information: section name: .hep
Source: UxTheme.dll.6.dr	Static PE information: section name: .ywg
Source: UxTheme.dll.6.dr	Static PE information: section name: .sqsp
Source: UxTheme.dll.6.dr	Static PE information: section name: .tkyonf
Source: UxTheme.dll.6.dr	Static PE information: section name: .lmr
Source: UxTheme.dll.6.dr	Static PE information: section name: .nmvll
Source: UxTheme.dll.6.dr	Static PE information: section name: .uvboq
Source: UxTheme.dll.6.dr	Static PE information: section name: .pck
Source: UxTheme.dll.6.dr	Static PE information: section name: .cui
Source: UxTheme.dll.6.dr	Static PE information: section name: .bjpf
Source: UxTheme.dll.6.dr	Static PE information: section name: .tdsza
Source: UxTheme.dll.6.dr	Static PE information: section name: .ljyns
Source: UxTheme.dll.6.dr	Static PE information: section name: .uvvcd
Source: UxTheme.dll.6.dr	Static PE information: section name: .dhcna
Source: UxTheme.dll.6.dr	Static PE information: section name: .ntjkji
Source: UxTheme.dll.6.dr	Static PE information: section name: .copgfj
Source: UxTheme.dll.6.dr	Static PE information: section name: .zmu
Source: UxTheme.dll.6.dr	Static PE information: section name: .nqzul
Source: UxTheme.dll.6.dr	Static PE information: section name: .qgbg
Source: UxTheme.dll.6.dr	Static PE information: section name: .obih
Source: UxTheme.dll.6.dr	Static PE information: section name: .igwjz
Source: UxTheme.dll.6.dr	Static PE information: section name: .mkzlg
Source: UxTheme.dll.6.dr	Static PE information: section name: .ovmzdw
Source: UxTheme.dll.6.dr	Static PE information: section name: .rqfw
Source: UxTheme.dll.6.dr	Static PE information: section name: .jrx
Source: HID.DLL.6.dr	Static PE information: section name: .vxl
Source: HID.DLL.6.dr	Static PE information: section name: .qwubgr
Source: HID.DLL.6.dr	Static PE information: section name: .eer
Source: HID.DLL.6.dr	Static PE information: section name: .xwwauf
Source: HID.DLL.6.dr	Static PE information: section name: .pkc
Source: HID.DLL.6.dr	Static PE information: section name: .npkda
Source: HID.DLL.6.dr	Static PE information: section name: .vhs
Source: HID.DLL.6.dr	Static PE information: section name: .iaywj
Source: HID.DLL.6.dr	Static PE information: section name: .nasi
Source: HID.DLL.6.dr	Static PE information: section name: .zhvprh
Source: HID.DLL.6.dr	Static PE information: section name: .yatdsp
Source: HID.DLL.6.dr	Static PE information: section name: .njso
Source: HID.DLL.6.dr	Static PE information: section name: .lgliat
Source: HID.DLL.6.dr	Static PE information: section name: .ntqjh
Source: HID.DLL.6.dr	Static PE information: section name: .sucsek
Source: HID.DLL.6.dr	Static PE information: section name: .qsxjui
Source: HID.DLL.6.dr	Static PE information: section name: .twctcm
Source: HID.DLL.6.dr	Static PE information: section name: .nms
Source: HID.DLL.6.dr	Static PE information: section name: .ogj
Source: HID.DLL.6.dr	Static PE information: section name: .vrkgb
Source: HID.DLL.6.dr	Static PE information: section name: .gikfw
Source: HID.DLL.6.dr	Static PE information: section name: .ktl
Source: HID.DLL.6.dr	Static PE information: section name: .crcn
Source: HID.DLL.6.dr	Static PE information: section name: .wtfr
Source: HID.DLL.6.dr	Static PE information: section name: .hep
Source: HID.DLL.6.dr	Static PE information: section name: .ywg
Source: HID.DLL.6.dr	Static PE information: section name: .sqsp
Source: HID.DLL.6.dr	Static PE information: section name: .tkyonf
Source: HID.DLL.6.dr	Static PE information: section name: .lmr
Source: HID.DLL.6.dr	Static PE information: section name: .nmvll
Source: HID.DLL.6.dr	Static PE information: section name: .uvboq
Source: HID.DLL.6.dr	Static PE information: section name: .pck
Source: HID.DLL.6.dr	Static PE information: section name: .cui
Source: HID.DLL.6.dr	Static PE information: section name: .bjpf
Source: HID.DLL.6.dr	Static PE information: section name: .tdsza
Source: HID.DLL.6.dr	Static PE information: section name: .ljyns
Source: HID.DLL.6.dr	Static PE information: section name: .uvvcd
Source: HID.DLL.6.dr	Static PE information: section name: .dhcna
Source: HID.DLL.6.dr	Static PE information: section name: .ntjkji
Source: HID.DLL.6.dr	Static PE information: section name: .copgfj
Source: HID.DLL.6.dr	Static PE information: section name: .zmu
Source: HID.DLL.6.dr	Static PE information: section name: .nqzul
Source: HID.DLL.6.dr	Static PE information: section name: .qgbg
Source: HID.DLL.6.dr	Static PE information: section name: .obih
Source: HID.DLL.6.dr	Static PE information: section name: .igwjz
Source: HID.DLL.6.dr	Static PE information: section name: .mkzlg
Source: HID.DLL.6.dr	Static PE information: section name: .ovmzdw
Source: HID.DLL.6.dr	Static PE information: section name: .rqfw
Source: HID.DLL.6.dr	Static PE information: section name: .upo
Source: WINSTA.dll.6.dr	Static PE information: section name: .vxl
Source: WINSTA.dll.6.dr	Static PE information: section name: .qwubgr
Source: WINSTA.dll.6.dr	Static PE information: section name: .eer
Source: WINSTA.dll.6.dr	Static PE information: section name: .xwwauf
Source: WINSTA.dll.6.dr	Static PE information: section name: .pkc
Source: WINSTA.dll.6.dr	Static PE information: section name: .npkda
Source: WINSTA.dll.6.dr	Static PE information: section name: .vhs
Source: WINSTA.dll.6.dr	Static PE information: section name: .iaywj
Source: WINSTA.dll.6.dr	Static PE information: section name: .nasi
Source: WINSTA.dll.6.dr	Static PE information: section name: .zhvprh
Source: WINSTA.dll.6.dr	Static PE information: section name: .yatdsp
Source: WINSTA.dll.6.dr	Static PE information: section name: .njso
Source: WINSTA.dll.6.dr	Static PE information: section name: .lgliat
Source: WINSTA.dll.6.dr	Static PE information: section name: .ntqjh
Source: WINSTA.dll.6.dr	Static PE information: section name: .sucsek
Source: WINSTA.dll.6.dr	Static PE information: section name: .qsxjui
Source: WINSTA.dll.6.dr	Static PE information: section name: .twctcm
Source: WINSTA.dll.6.dr	Static PE information: section name: .nms
Source: WINSTA.dll.6.dr	Static PE information: section name: .ogj
Source: WINSTA.dll.6.dr	Static PE information: section name: .vrkgb
Source: WINSTA.dll.6.dr	Static PE information: section name: .gikfw
Source: WINSTA.dll.6.dr	Static PE information: section name: .ktl
Source: WINSTA.dll.6.dr	Static PE information: section name: .crcn
Source: WINSTA.dll.6.dr	Static PE information: section name: .wtfr
Source: WINSTA.dll.6.dr	Static PE information: section name: .hep
Source: WINSTA.dll.6.dr	Static PE information: section name: .ywg
Source: WINSTA.dll.6.dr	Static PE information: section name: .sqsp
Source: WINSTA.dll.6.dr	Static PE information: section name: .tkyonf
Source: WINSTA.dll.6.dr	Static PE information: section name: .lmr
Source: WINSTA.dll.6.dr	Static PE information: section name: .nmvll
Source: WINSTA.dll.6.dr	Static PE information: section name: .uvboq
Source: WINSTA.dll.6.dr	Static PE information: section name: .pck
Source: WINSTA.dll.6.dr	Static PE information: section name: .cui
Source: WINSTA.dll.6.dr	Static PE information: section name: .bjpf
Source: WINSTA.dll.6.dr	Static PE information: section name: .tdsza
Source: WINSTA.dll.6.dr	Static PE information: section name: .ljyns
Source: WINSTA.dll.6.dr	Static PE information: section name: .uvvcd
Source: WINSTA.dll.6.dr	Static PE information: section name: .dhcna
Source: WINSTA.dll.6.dr	Static PE information: section name: .ntjkji
Source: WINSTA.dll.6.dr	Static PE information: section name: .copgfj
Source: WINSTA.dll.6.dr	Static PE information: section name: .zmu
Source: WINSTA.dll.6.dr	Static PE information: section name: .nqzul
Source: WINSTA.dll.6.dr	Static PE information: section name: .qgbg
Source: WINSTA.dll.6.dr	Static PE information: section name: .obih
Source: WINSTA.dll.6.dr	Static PE information: section name: .igwjz
Source: WINSTA.dll.6.dr	Static PE information: section name: .mkzlg
Source: WINSTA.dll.6.dr	Static PE information: section name: .ovmzdw
Source: WINSTA.dll.6.dr	Static PE information: section name: .rqfw
Source: WINSTA.dll.6.dr	Static PE information: section name: .zpkuim
Source: dxgi.dll.6.dr	Static PE information: section name: .vxl
Source: dxgi.dll.6.dr	Static PE information: section name: .qwubgr
Source: dxgi.dll.6.dr	Static PE information: section name: .eer
Source: dxgi.dll.6.dr	Static PE information: section name: .xwwauf
Source: dxgi.dll.6.dr	Static PE information: section name: .pkc
Source: dxgi.dll.6.dr	Static PE information: section name: .npkda
Source: dxgi.dll.6.dr	Static PE information: section name: .vhs
Source: dxgi.dll.6.dr	Static PE information: section name: .iaywj
Source: dxgi.dll.6.dr	Static PE information: section name: .nasi
Source: dxgi.dll.6.dr	Static PE information: section name: .zhvprh
Source: dxgi.dll.6.dr	Static PE information: section name: .yatdsp
Source: dxgi.dll.6.dr	Static PE information: section name: .njso
Source: dxgi.dll.6.dr	Static PE information: section name: .lgliat
Source: dxgi.dll.6.dr	Static PE information: section name: .ntqjh
Source: dxgi.dll.6.dr	Static PE information: section name: .sucsek
Source: dxgi.dll.6.dr	Static PE information: section name: .qsxjui
Source: dxgi.dll.6.dr	Static PE information: section name: .twctcm
Source: dxgi.dll.6.dr	Static PE information: section name: .nms
Source: dxgi.dll.6.dr	Static PE information: section name: .ogj
Source: dxgi.dll.6.dr	Static PE information: section name: .vrkgb
Source: dxgi.dll.6.dr	Static PE information: section name: .gikfw
Source: dxgi.dll.6.dr	Static PE information: section name: .ktl
Source: dxgi.dll.6.dr	Static PE information: section name: .crcn
Source: dxgi.dll.6.dr	Static PE information: section name: .wtfr
Source: dxgi.dll.6.dr	Static PE information: section name: .hep
Source: dxgi.dll.6.dr	Static PE information: section name: .ywg
Source: dxgi.dll.6.dr	Static PE information: section name: .sqsp
Source: dxgi.dll.6.dr	Static PE information: section name: .tkyonf
Source: dxgi.dll.6.dr	Static PE information: section name: .lmr
Source: dxgi.dll.6.dr	Static PE information: section name: .nmvll
Source: dxgi.dll.6.dr	Static PE information: section name: .uvboq
Source: dxgi.dll.6.dr	Static PE information: section name: .pck
Source: dxgi.dll.6.dr	Static PE information: section name: .cui
Source: dxgi.dll.6.dr	Static PE information: section name: .bjpf
Source: dxgi.dll.6.dr	Static PE information: section name: .tdsza
Source: dxgi.dll.6.dr	Static PE information: section name: .ljyns
Source: dxgi.dll.6.dr	Static PE information: section name: .uvvcd
Source: dxgi.dll.6.dr	Static PE information: section name: .dhcna
Source: dxgi.dll.6.dr	Static PE information: section name: .ntjkji
Source: dxgi.dll.6.dr	Static PE information: section name: .copgfj
Source: dxgi.dll.6.dr	Static PE information: section name: .zmu
Source: dxgi.dll.6.dr	Static PE information: section name: .nqzul
Source: dxgi.dll.6.dr	Static PE information: section name: .qgbg
Source: dxgi.dll.6.dr	Static PE information: section name: .obih
Source: dxgi.dll.6.dr	Static PE information: section name: .igwjz
Source: dxgi.dll.6.dr	Static PE information: section name: .mkzlg
Source: dxgi.dll.6.dr	Static PE information: section name: .ovmzdw
Source: dxgi.dll.6.dr	Static PE information: section name: .rqfw
Source: dxgi.dll.6.dr	Static PE information: section name: .ymlmlw
Source: DUI70.dll.6.dr	Static PE information: section name: .vxl
Source: DUI70.dll.6.dr	Static PE information: section name: .qwubgr
Source: DUI70.dll.6.dr	Static PE information: section name: .eer
Source: DUI70.dll.6.dr	Static PE information: section name: .xwwauf
Source: DUI70.dll.6.dr	Static PE information: section name: .pkc
Source: DUI70.dll.6.dr	Static PE information: section name: .npkda
Source: DUI70.dll.6.dr	Static PE information: section name: .vhs
Source: DUI70.dll.6.dr	Static PE information: section name: .iaywj
Source: DUI70.dll.6.dr	Static PE information: section name: .nasi
Source: DUI70.dll.6.dr	Static PE information: section name: .zhvprh
Source: DUI70.dll.6.dr	Static PE information: section name: .yatdsp
Source: DUI70.dll.6.dr	Static PE information: section name: .njso
Source: DUI70.dll.6.dr	Static PE information: section name: .lgliat
Source: DUI70.dll.6.dr	Static PE information: section name: .ntqjh
Source: DUI70.dll.6.dr	Static PE information: section name: .sucsek
Source: DUI70.dll.6.dr	Static PE information: section name: .qsxjui
Source: DUI70.dll.6.dr	Static PE information: section name: .twctcm
Source: DUI70.dll.6.dr	Static PE information: section name: .nms
Source: DUI70.dll.6.dr	Static PE information: section name: .ogj
Source: DUI70.dll.6.dr	Static PE information: section name: .vrkgb
Source: DUI70.dll.6.dr	Static PE information: section name: .gikfw
Source: DUI70.dll.6.dr	Static PE information: section name: .ktl
Source: DUI70.dll.6.dr	Static PE information: section name: .crcn
Source: DUI70.dll.6.dr	Static PE information: section name: .wtfr
Source: DUI70.dll.6.dr	Static PE information: section name: .hep
Source: DUI70.dll.6.dr	Static PE information: section name: .ywg
Source: DUI70.dll.6.dr	Static PE information: section name: .sqsp
Source: DUI70.dll.6.dr	Static PE information: section name: .tkyonf
Source: DUI70.dll.6.dr	Static PE information: section name: .lmr
Source: DUI70.dll.6.dr	Static PE information: section name: .nmvll
Source: DUI70.dll.6.dr	Static PE information: section name: .uvboq
Source: DUI70.dll.6.dr	Static PE information: section name: .pck
Source: DUI70.dll.6.dr	Static PE information: section name: .cui
Source: DUI70.dll.6.dr	Static PE information: section name: .bjpf
Source: DUI70.dll.6.dr	Static PE information: section name: .tdsza
Source: DUI70.dll.6.dr	Static PE information: section name: .ljyns
Source: DUI70.dll.6.dr	Static PE information: section name: .uvvcd
Source: DUI70.dll.6.dr	Static PE information: section name: .dhcna
Source: DUI70.dll.6.dr	Static PE information: section name: .ntjkji
Source: DUI70.dll.6.dr	Static PE information: section name: .copgfj
Source: DUI70.dll.6.dr	Static PE information: section name: .zmu
Source: DUI70.dll.6.dr	Static PE information: section name: .nqzul
Source: DUI70.dll.6.dr	Static PE information: section name: .qgbg
Source: DUI70.dll.6.dr	Static PE information: section name: .obih
Source: DUI70.dll.6.dr	Static PE information: section name: .igwjz
Source: DUI70.dll.6.dr	Static PE information: section name: .mkzlg
Source: DUI70.dll.6.dr	Static PE information: section name: .ovmzdw
Source: DUI70.dll.6.dr	Static PE information: section name: .rqfw
Source: DUI70.dll.6.dr	Static PE information: section name: .ngt
Source: VERSION.dll1.6.dr	Static PE information: section name: .vxl
Source: VERSION.dll1.6.dr	Static PE information: section name: .qwubgr
Source: VERSION.dll1.6.dr	Static PE information: section name: .eer
Source: VERSION.dll1.6.dr	Static PE information: section name: .xwwauf
Source: VERSION.dll1.6.dr	Static PE information: section name: .pkc
Source: VERSION.dll1.6.dr	Static PE information: section name: .npkda
Source: VERSION.dll1.6.dr	Static PE information: section name: .vhs
Source: VERSION.dll1.6.dr	Static PE information: section name: .iaywj
Source: VERSION.dll1.6.dr	Static PE information: section name: .nasi
Source: VERSION.dll1.6.dr	Static PE information: section name: .zhvprh
Source: VERSION.dll1.6.dr	Static PE information: section name: .yatdsp
Source: VERSION.dll1.6.dr	Static PE information: section name: .njso
Source: VERSION.dll1.6.dr	Static PE information: section name: .lgliat
Source: VERSION.dll1.6.dr	Static PE information: section name: .ntqjh
Source: VERSION.dll1.6.dr	Static PE information: section name: .sucsek
Source: VERSION.dll1.6.dr	Static PE information: section name: .qsxjui
Source: VERSION.dll1.6.dr	Static PE information: section name: .twctcm
Source: VERSION.dll1.6.dr	Static PE information: section name: .nms
Source: VERSION.dll1.6.dr	Static PE information: section name: .ogj
Source: VERSION.dll1.6.dr	Static PE information: section name: .vrkgb
Source: VERSION.dll1.6.dr	Static PE information: section name: .gikfw
Source: VERSION.dll1.6.dr	Static PE information: section name: .ktl
Source: VERSION.dll1.6.dr	Static PE information: section name: .crcn
Source: VERSION.dll1.6.dr	Static PE information: section name: .wtfr
Source: VERSION.dll1.6.dr	Static PE information: section name: .hep
Source: VERSION.dll1.6.dr	Static PE information: section name: .ywg
Source: VERSION.dll1.6.dr	Static PE information: section name: .sqsp
Source: VERSION.dll1.6.dr	Static PE information: section name: .tkyonf
Source: VERSION.dll1.6.dr	Static PE information: section name: .lmr
Source: VERSION.dll1.6.dr	Static PE information: section name: .nmvll
Source: VERSION.dll1.6.dr	Static PE information: section name: .uvboq
Source: VERSION.dll1.6.dr	Static PE information: section name: .pck
Source: VERSION.dll1.6.dr	Static PE information: section name: .cui
Source: VERSION.dll1.6.dr	Static PE information: section name: .bjpf
Source: VERSION.dll1.6.dr	Static PE information: section name: .tdsza
Source: VERSION.dll1.6.dr	Static PE information: section name: .ljyns
Source: VERSION.dll1.6.dr	Static PE information: section name: .uvvcd
Source: VERSION.dll1.6.dr	Static PE information: section name: .dhcna
Source: VERSION.dll1.6.dr	Static PE information: section name: .ntjkji
Source: VERSION.dll1.6.dr	Static PE information: section name: .copgfj
Source: VERSION.dll1.6.dr	Static PE information: section name: .zmu
Source: VERSION.dll1.6.dr	Static PE information: section name: .nqzul
Source: VERSION.dll1.6.dr	Static PE information: section name: .qgbg
Source: VERSION.dll1.6.dr	Static PE information: section name: .obih
Source: VERSION.dll1.6.dr	Static PE information: section name: .igwjz
Source: VERSION.dll1.6.dr	Static PE information: section name: .mkzlg
Source: VERSION.dll1.6.dr	Static PE information: section name: .ovmzdw
Source: VERSION.dll1.6.dr	Static PE information: section name: .rqfw
Source: VERSION.dll1.6.dr	Static PE information: section name: .rjand

Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe

Code function: 20_2_00007FF701BE1B88 LoadLibraryW,GetProcAddress,FreeLibrary,SetDisplayConfig,

20_2_00007FF701BE1B88

Source: cmstp.exe.6.dr

Static PE information: 0xEF676D1B [Thu Apr 11 15:32:43 2097 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\4xeLXaDKW\WINSTA.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\M4eXJF\cmstp.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\M4eXJF\VERSION.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\96P3D\cmstp.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\RiK2PNsRy\HID.DLL	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\96P3D\VERSION.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\a6o\VERSION.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\WPx7QKO3\CloudNotifications.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\uRSIQRt4\dxgi.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\a6o\PresentationHost.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\WPx7QKO3\UxTheme.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\RiK2PNsRy\tabcal.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\1XXGC21\DUI70.dll	Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\RkRLYOhG1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\explorer.exe TID: 1952

Thread sleep count: 33 > 30

Jump to behavior

Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RiK2PNsRy\HID.DLL	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\WPx7QKO3\CloudNotifications.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RiK2PNsRy\tabcal.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe

Code function: 20_2_00007FF701BC1250 rdtsc

20_2_00007FF701BC1250

Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll64.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_0-80010

Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe	API coverage: 0.3 %
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	API coverage: 0.2 %
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	API coverage: 1.7 %

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFC6FA3DDC0 GetSystemInfo,

0_2_00007FFC6FA3DDC0

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6FA3ED10 FindFirstFileExW,	0_2_00007FFC6FA3ED10
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299E7C3C GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree,	32_2_00007FF7299E7C3C
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299E6494 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,#13,GetLastError,GetProcessHeap,HeapFree,	32_2_00007FF7299E6494
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299FA65C memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	32_2_00007FF7299FA65C
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299FBD48 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	32_2_00007FF7299FBD48
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299E6720 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,	32_2_00007FF7299E6720
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299E7784 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	32_2_00007FF7299E7784
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF7299E2770 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,	32_2_00007FF7299E2770
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FFC6E2FED10 FindFirstFileExW,	32_2_00007FFC6E2FED10

Source: explorer.exe, 00000006.00000000.301054763.00000000067C2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.289710351.00000000086C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.289794382.0000000008778000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000006.00000000.289710351.00000000086C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000006.00000000.301054763.00000000067C2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.301054763.00000000067C2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000006.00000000.308538161.0000000008778000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}efb8b}
Source: explorer.exe, 00000006.00000000.289710351.00000000086C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe

Code function: 20_2_00007FF701BD23E4 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,

20_2_00007FF701BD23E4

Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe

Code function: 20_2_00007FF701BE1B88 LoadLibraryW,GetProcAddress,FreeLibrary,SetDisplayConfig,

20_2_00007FF701BE1B88

Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe

Code function: 20_2_00007FF701BD6EBC TlsGetValue,GetProcessHeap,HeapAlloc,TlsSetValue,?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ,GetProcessHeap,HeapFree,TlsSetValue,

20_2_00007FF701BD6EBC

Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe

Code function: 20_2_00007FF701BC1250 rdtsc

20_2_00007FF701BC1250

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFC6FA297D0 LdrLoadDll,FindClose,

0_2_00007FFC6FA297D0

Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe

Code function: 24_2_00007FF7754DF0A0 BlockInput,SendInput,

24_2_00007FF7754DF0A0

Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe	Code function: 20_2_00007FF701BE2140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_00007FF701BE2140
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe	Code function: 20_2_00007FF701BE24E0 SetUnhandledExceptionFilter,	20_2_00007FF701BE24E0
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77554B284 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_00007FF77554B284
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77554BD44 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_00007FF77554BD44
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: 24_2_00007FF77554BF20 SetUnhandledExceptionFilter,	24_2_00007FF77554BF20
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF729A06140 SetUnhandledExceptionFilter,	32_2_00007FF729A06140
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe	Code function: 32_2_00007FF729A05E58 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	32_2_00007FF729A05E58

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: VERSION.dll.6.dr

Jump to dropped file

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DD4EFE0 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DD4E000 protect: page execute read	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8BAD2A20 protect: page execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\System32\rundll32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Uses Atom Bombing / ProGate to inject into other processes

Source: C:\Windows\System32\rundll32.exe

Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h

Jump to behavior

Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe

Code function: 32_2_00007FF7299CFF54 memset,GetModuleFileNameW,GetLastError,memset,ShellExecuteExW,CreateThread,GetLastError,GetProcessHeap,HeapFree,GetLastError,

32_2_00007FF7299CFF54

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dpnhupnp.dll",#1

Jump to behavior

Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe

Code function: 24_2_00007FF775548CAC mouse_event,SetForegroundWindow,

24_2_00007FF775548CAC

Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe

Code function: 24_2_00007FF775546418 AllocateAndInitializeSid,GetLastError,CloseHandle,SetLastError,OpenProcessToken,GetLastError,CloseHandle,SetLastError,DuplicateToken,CheckTokenMembership,GetLastError,FreeSid,CloseHandle,CloseHandle,

24_2_00007FF775546418

Source: explorer.exe, 00000006.00000000.280086220.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.317487727.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.297309804.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman\Pr
Source: explorer.exe, 00000006.00000000.317834079.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.297726319.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.280400112.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.284101788.0000000005E10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.317834079.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.297726319.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.317834079.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.297726319.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.280400112.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.317834079.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.297726319.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.280400112.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.323729877.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.308538161.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.289794382.0000000008778000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndh

Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: RoInitialize,CoInitializeSecurity,RegisterWindowMessageW,CommandLineToArgvW,wcschr,_o__wcsnicmp,wcsnlen,_o_wcstol,_o__wcsnicmp,_o_wcstol,FindWindowW,GetUserDefaultUILanguage,GetLocaleInfoW,SetProcessDefaultLayout,IsWindow,SetProcessDpiAwareness,PostMessageW,memset,PostQuitMessage,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,GetMessageW,EventUnregister,CloseHandle,EventUnregister,UnhookWinEvent,LocalFree,CloseHandle,RoUninitialize,	24_2_00007FF7754D72C8
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: WindowsGetStringRawBuffer,WideCharToMultiByte,WindowsDeleteString,WindowsDuplicateString,WindowsDeleteString,WindowsDuplicateString,GetUserDefaultUILanguage,LCIDToLocaleName,GetLocaleInfoEx,	24_2_00007FF7754B6068
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: _o__Getdays,_o_free,_o__Getmonths,_o_free,_o____lc_locale_name_func,GetLocaleInfoEx,	24_2_00007FF77553A840
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: _o__W_Getdays,_o_free,_o_malloc,memmove,_o_free,_o__W_Getmonths,_o_free,_o_malloc,memmove,_o_free,_o____lc_locale_name_func,GetLocaleInfoEx,	24_2_00007FF77553CE28
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe	Code function: _o__Getdays,_o_free,_o_calloc,_o__Getmonths,_o_free,_o_calloc,_o_calloc,_o____lc_locale_name_func,GetLocaleInfoEx,Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task,	24_2_00007FF775530A3C

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe

Code function: 32_2_00007FF7299EA0D0 GetProcessHeap,HeapAlloc,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateEventW,CreateNamedPipeW,ConnectNamedPipe,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,LocalFree,

32_2_00007FF7299EA0D0

Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe

Code function: 20_2_00007FF701BE2670 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

20_2_00007FF701BE2670

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFC6FA29400 GetUserNameW,

0_2_00007FFC6FA29400

Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe	Code function: 20_2_00007FF701BD6220 new,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,	20_2_00007FF701BD6220
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe	Code function: 20_2_00007FF701BD5620 new,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,	20_2_00007FF701BD5620
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe	Code function: 20_2_00007FF701BCD4F8 TlsGetValue,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?ContentProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ,new,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?EndDefer@Element@DirectUI@@QEAAXK@Z,?Destroy@Element@DirectUI@@QEAAJ_N@Z,	20_2_00007FF701BCD4F8

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Exploitation for Client Execution	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	313 Process Injection	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Registry Run Keys / Startup Folder	2 Software Packing	NTDS	24 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	31 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Masquerading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	313 Process Injection	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Rundll32	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
dpnhupnp.dll	66%	Virustotal		Browse
dpnhupnp.dll	63%	Metadefender		Browse
dpnhupnp.dll	84%	ReversingLabs	Win64.Infostealer.Dridex
dpnhupnp.dll	100%	Avira	TR/Crypt.ZPACK.Gen
dpnhupnp.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\4xeLXaDKW\WINSTA.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\WPx7QKO3\UxTheme.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\uRSIQRt4\dxgi.dll	100%	Avira	TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\96P3D\VERSION.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\96P3D\VERSION.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\1XXGC21\DUI70.dll	100%	Avira	TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\96P3D\VERSION.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\RiK2PNsRy\HID.DLL	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\4xeLXaDKW\WINSTA.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\WPx7QKO3\UxTheme.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\uRSIQRt4\dxgi.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\96P3D\VERSION.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\96P3D\VERSION.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\1XXGC21\DUI70.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\96P3D\VERSION.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\RiK2PNsRy\HID.DLL	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\1XXGC21\msdt.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\1XXGC21\msdt.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\96P3D\cmstp.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\96P3D\cmstp.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\M4eXJF\cmstp.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\M4eXJF\cmstp.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
38.2.PresentationHost.exe.7ffc7c2f0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
20.2.DisplaySwitch.exe.1b6db1c0000.0.unpack	100%	Avira	HEUR/AGEN.1202768	Download File
3.2.rundll32.exe.7ffc6f9e0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
40.2.cmstp.exe.1a4aa710000.0.unpack	100%	Avira	HEUR/AGEN.1202768	Download File
3.2.rundll32.exe.2717dff0000.0.unpack	100%	Avira	HEUR/AGEN.1202768	Download File
20.2.DisplaySwitch.exe.7ffc6f9e0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.2.rundll32.exe.7ffc6f9e0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.7ffc6f9e0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
24.2.GamePanel.exe.25bee100000.0.unpack	100%	Avira	HEUR/AGEN.1202768	Download File
14.2.rundll32.exe.20953580000.0.unpack	100%	Avira	HEUR/AGEN.1202768	Download File
38.2.PresentationHost.exe.1f1fd100000.1.unpack	100%	Avira	HEUR/AGEN.1202768	Download File
35.2.cmstp.exe.7ffc7c2f0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
24.2.GamePanel.exe.7ffc6f9e0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.2.rundll32.exe.258372f0000.0.unpack	100%	Avira	HEUR/AGEN.1202768	Download File
35.2.cmstp.exe.200c5250000.0.unpack	100%	Avira	HEUR/AGEN.1202768	Download File
32.2.msdt.exe.15126930000.0.unpack	100%	Avira	HEUR/AGEN.1202768	Download File
32.2.msdt.exe.7ffc6e2a0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.2ac821f0000.1.unpack	100%	Avira	HEUR/AGEN.1202768	Download File
14.2.rundll32.exe.7ffc6f9e0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll64.exe.7ffc6f9e0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
40.2.cmstp.exe.7ffc7c2f0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll64.exe.24c71410000.0.unpack	100%	Avira	HEUR/AGEN.1202768	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://schemas.mi	0%	URL Reputation	safe
http://schemas.micr	0%	URL Reputation	safe
https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
store-images.s-microsoft.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://mixer.com/api/v1/oauth/xbl/login	GamePanel.exe	false		high
http://schemas.mi	explorer.exe, 00000006.00000000.313547112.000000000EE50000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.293192524.000000000EE50000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.326336701.000000000EE50000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profile.xboxlive.com/users/me/profile/settings?settings=GameDisplayPicRaw	GamePanel.exe	false		high
https://aka.ms/imrx2o	GamePanel.exe	false		high
https://mixer.com/_latest/assets/emoticons/%ls.png	GamePanel.exe	false		high
https://mixer.com/api/v1/users/current	GamePanel.exe	false		high
https://mixer.com/_latest/assets/emoticons/%ls.pngtitleIdaumIdkglIdprocessNamenametypeIdmultimedia	GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr	false		high
https://mixer.com/api/v1/broadcasts/current	GamePanel.exe, GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr	false		high
https://mixer.com/%wsWindows.System.Launcher	GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr	false		high
https://aka.ms/v5do45	GamePanel.exe	false		high
https://mixer.com/api/v1/types/lookup%ws	GamePanel.exe	false		high
https://MediaData.XboxLive.com/broadcasts/Augmenthttps://MediaData.XboxLive.com/screenshots/Augmenth	GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr	false		high
https://aka.ms/wk9ocd	GamePanel.exe, GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr	false		high
https://MediaData.XboxLive.com/broadcasts/Augment	GamePanel.exe	false		high
https://aka.ms/imfx4k	GamePanel.exe	false		high
http://schemas.micr	explorer.exe, 00000006.00000000.313547112.000000000EE50000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.293192524.000000000EE50000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.326336701.000000000EE50000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD	GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr	false	Avira URL Cloud: safe	low
https://MediaData.XboxLive.com/gameclips/Augment	GamePanel.exe	false		high
https://www.xboxlive.com	GamePanel.exe	false		high
https://mixer.com/api/v1/channels/%d	GamePanel.exe	false		high
https://mixer.com/api/v1/types/lookup%wshttps://mixer.com/api/v1/channels/%wshttps://mixer.com/api/v	GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr	false		high
https://mixer.com/api/v1/channels/%ws	GamePanel.exe	false		high
https://mixer.com/api/v1/chats/%.0fhttps://mixer.com/api/v1/users/currentBEAM_IMAGEGamesGuide::BeamC	GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr	false		high
https://MediaData.XboxLive.com/screenshots/Augment	GamePanel.exe	false		high
https://mixer.com/api/v1/chats/%.0f	GamePanel.exe	false		high
https://aka.ms/ifg0es	GamePanel.exe	false		high
https://mixer.com/%ws	GamePanel.exe	false		high
https://aka.ms/w5ryqnhttps://aka.ms/imfx4kQUITTING	GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr	false		high
https://aka.ms/w5ryqn	GamePanel.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	579430
Start date:	27.02.2022
Start time:	17:43:09
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	dpnhupnp.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@43/17@1/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 33.5% (good quality ratio 24.6%) Quality average: 48.7% Quality standard deviation: 37.9%
HCA Information:	Successful, ratio: 98% Number of executed functions: 42 Number of non-executed functions: 145
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.35.236.56, 23.211.6.115
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\1XXGC21\msdt.exe	G9q8B9Eh8n.dll	Get hash	malicious	Browse
	3VbZnrTBHG.dll	Get hash	malicious	Browse
	49xUwYLnnn.dll	Get hash	malicious	Browse
	AsXeW7Pz8A.dll	Get hash	malicious	Browse
	qFWVUQUdX0.dll	Get hash	malicious	Browse
	wTopxYoXWq.dll	Get hash	malicious	Browse
	nzWrKJjvIk.dll	Get hash	malicious	Browse
	zB14GfXeGv.dll	Get hash	malicious	Browse
	LN6SM84M58.dll	Get hash	malicious	Browse
	GyN6sdIk01.dll	Get hash	malicious	Browse
	Wgal9J7On9.dll	Get hash	malicious	Browse
	QAUAey7NkL.dll	Get hash	malicious	Browse
	hZOjgJ8W5g.dll	Get hash	malicious	Browse
	x9JJcyY3yM.dll	Get hash	malicious	Browse
	jpxuuiPpMX.dll	Get hash	malicious	Browse
	2epPHr8ygJ.dll	Get hash	malicious	Browse
	1dFEdjZZkL.dll	Get hash	malicious	Browse
	6EQVZUrZtt.dll	Get hash	malicious	Browse
	DUctBNntJw.dll	Get hash	malicious	Browse
	3XSR1oCsva.dll	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\1XXGC21\DUI70.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1351680
Entropy (8bit):	6.395884203288439
Encrypted:	false
SSDEEP:	12288:qZgJtlQepQn+NDo7nIgegQCLDF/B9wvj/cLvVZFuwg51:qZK6F7nVeRmDFJivohZFVO
MD5:	3CC9749FD256A9E45E0003772762292C
SHA1:	DF8B170A18069DE9B54BA7069424141A66F3E3E4
SHA-256:	7B82E724E1DF34A91E82DBF0185A62576737B491611375DA37153F2DE6220630
SHA-512:	F39551D6091C6EA61554A1535E334A4C4F2F0CD244B7765DDF89B7522541FCC1B7C64D7BD91F759ACCBC2AF1E9E870E735E65C75F487B42C577CACAA79D82752
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.7...}^.........." ..... ...p.......$.........@..........................................`..........................................@..dQ..$...<....................................................................................0..(............................text............ .................. ..`.rdata..Co...0...p...0..............@..@.data....;.......@..................@....pdata..8...........................@..@.rsrc...............................@..@.reloc..1...........................@..B.vxl............. ..................@..@.qwubgr.$....0... ...0..............@..@.eer....

C:\Users\user\AppData\Local\1XXGC21\msdt.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1560576
Entropy (8bit):	6.10038070749878
Encrypted:	false
SSDEEP:	24576:tnPfp054tZwxDl6XH4qvIReK1odddGdBnyE0k26kVZnBm:VC4tAqNK7utRB
MD5:	8BE43BAF1F37DA5AB31A53CA1C07EE0C
SHA1:	F2C9EB38775B91C4DE45AA25CDDDB86F5F056BF5
SHA-256:	BD59B4362F8590C5009B28830FF11B339B37FF142FB873204368905A9C843A08
SHA-512:	B30BDD7C3B71D58140F642196D5E44ED4C8B11A35DB65D37414C49F7FE64DD0C63DDEE4A0FDF5E75BB0BEB69FE0AA1D609C252F05D5661E7DCD4B6A4274151C7
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: G9q8B9Eh8n.dll, Detection: malicious, Browse Filename: 3VbZnrTBHG.dll, Detection: malicious, Browse Filename: 49xUwYLnnn.dll, Detection: malicious, Browse Filename: AsXeW7Pz8A.dll, Detection: malicious, Browse Filename: qFWVUQUdX0.dll, Detection: malicious, Browse Filename: wTopxYoXWq.dll, Detection: malicious, Browse Filename: nzWrKJjvIk.dll, Detection: malicious, Browse Filename: zB14GfXeGv.dll, Detection: malicious, Browse Filename: LN6SM84M58.dll, Detection: malicious, Browse Filename: GyN6sdIk01.dll, Detection: malicious, Browse Filename: Wgal9J7On9.dll, Detection: malicious, Browse Filename: QAUAey7NkL.dll, Detection: malicious, Browse Filename: hZOjgJ8W5g.dll, Detection: malicious, Browse Filename: x9JJcyY3yM.dll, Detection: malicious, Browse Filename: jpxuuiPpMX.dll, Detection: malicious, Browse Filename: 2epPHr8ygJ.dll, Detection: malicious, Browse Filename: 1dFEdjZZkL.dll, Detection: malicious, Browse Filename: 6EQVZUrZtt.dll, Detection: malicious, Browse Filename: DUctBNntJw.dll, Detection: malicious, Browse Filename: 3XSR1oCsva.dll, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+..eo..6o..6o..6...7m..6...7q..6...7@..6o..6...6...7\..6...7k..6..X6n..6...7n..6Richo..6................PE..d...4............."......b...r.......].........@...................................._.....`.......... ............................................... ..P........"...................^..T............................................................................text....`.......b.................. ..`.rdata...^.......`...f..............@..@.data...p...........................@....pdata...".......$..................@..@.rsrc...P.... ......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1930224
Entropy (8bit):	1.9511202288226894
Encrypted:	false
SSDEEP:	3072:LvyYYIF4cmwcTigBmZWRHLxgMNnVYvkkVp66oB4E7p6:LvyYBF4R/igoZWRryMNnqz3
MD5:	97411B8A84E5980E509E500C3209E5C0
SHA1:	23398F8DA469DEAF10C32773062A6A62B7B004B4
SHA-256:	2C968556FCAD7EBB9A866B21A9F3F3DFCD0CA490CAF8F6B2ECDB423B9D24D3EF
SHA-512:	1D5E598B51B37E8A92FA188A8D59C67B7522480B46AFB5D2033D4380A3C5A120D0DB2BE6FE62B636A23AD83F757B7A1803B77A0EA19DF3C51B9BD36B0F06CB6A
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ..zd..)d..)d..)m.T)R..)...(g..)...(q..)...(c..)...(E..)d..)...)...({..)..8)e..)...(e..)Richd..)........PE..d....[~..........."...... ........... .........@.............................`....................... .........................................\.......(3......d........c...P..X.......T....................K..(....J...............K..x............................text............ .................. ..`.imrsiv......0...........................rdata..6....@.......$..............@..@.data...(...........................@....pdata..d...........................@..@.rsrc...(3.......4..................@..@.reloc..X....P......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\4xeLXaDKW\WINSTA.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1073152
Entropy (8bit):	6.158853615581382
Encrypted:	false
SSDEEP:	12288:fZgJtlQepQn+NDo7nIgegQCLDF/B9wvj/cLvVZFuw:fZK6F7nVeRmDFJivohZFV
MD5:	B4329EA1517938DC6AAB87CBCFB1A3BF
SHA1:	64AFFCC0C5F83C296CAB67DB1E21DED763F8B2A9
SHA-256:	226C6EF8E18A396860447D0A5371663A6A24EF303DF337BCB43505C127CC8DFC
SHA-512:	B7F7F766D8F7A08D0141C041F6EA4675D17DBE8AD9DDECC5FDD98E8F2DD58427FAECEFA5A9F11E5D278FEDC789A35B79352294ACC423BD05E9BA763CC461FA60
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.7...}^.........." ..... ...0.......$.........@.............................`............`..........................................@..m...$...<....................................................................................0..(............................text............ .................. ..`.rdata..Co...0...p...0..............@..@.data....;.......@..................@....pdata..8...........................@..@.rsrc...............................@..@.reloc..1...........................@..B.vxl............. ..................@..@.qwubgr.$....0... ...0..............@..@.eer....

C:\Users\user\AppData\Local\96P3D\VERSION.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1069056
Entropy (8bit):	6.141902843002243
Encrypted:	false
SSDEEP:	12288:HZgJtlQepQn+NDo7nIgegQCLDF/B9wvj/cLvVZFuw:HZK6F7nVeRmDFJivohZFV
MD5:	7D34C94AEC52AB539CE9621C7ACBF5E7
SHA1:	90E2CE7C119C169CFEE312CF196EAC52C2E62079
SHA-256:	87B15D5897BA84E39B2D96E521FC0ADDE0966A1322808F3E79D36CA24B370951
SHA-512:	A7E45DB172222317FE9EEB735CEA34AC69E2B22DE08ECB7F8D1889AAC85B9FA03EFAE9C86EF0E2E847907A6C9D656F017DF215A646557A1F85CCAF7E95FF15E8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.7...}^.........." ..... ... .......$.........@.............................P............`..........................................@..+...$...<....................................................................................0..(............................text............ .................. ..`.rdata..Co...0...p...0..............@..@.data....;.......@..................@....pdata..8...........................@..@.rsrc...............................@..@.reloc..1...........................@..B.vxl............. ..................@..@.qwubgr.$....0... ...0..............@..@.eer....

C:\Users\user\AppData\Local\96P3D\cmstp.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	92672
Entropy (8bit):	5.749238064237604
Encrypted:	false
SSDEEP:	1536:7oIXq0f2yF9sDb/RjxgnvkmVUqAVnKUMjbWg+I/87BM/Z4j8Qi1Yv9V:0Izw/RooolWIk7BM/ZNQi1EV
MD5:	2A9828E0C405422D166E0141054A04B3
SHA1:	84AA48946D4F9A9DFE4C1AF6F96C44B643229A73
SHA-256:	94152FB98573FE31C0CE49D260D760DD173741D663414DE718A37AAC7E8EF11F
SHA-512:	B9B0472706C11D3AECDAB055D4CF319EDD50E8C97B7099D1DC7B768812E804975392E327A1E62301077AB92C1CA97E706628B07172892AB09753FBDD9A07277D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l....X...X...X...Y...X...Y...X...Y...X...Y...X...XQ..X...Y...X...X...X...Y...XRich...X................PE..d....mg..........."............................@..........................................`.......... .......................................M...............p..................X....B..T...............................................H............................text............................... ..`.rdata.."l.......n..................@..@.data........`.......R..............@....pdata.......p.......T..............@..@.rsrc................Z..............@..@.reloc..X............h..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\M4eXJF\VERSION.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1069056
Entropy (8bit):	6.141896454346896
Encrypted:	false
SSDEEP:	12288:6ZgJtlQepQn+NDo7nIgegQCLDF/B9wvj/cLvVZFuw:6ZK6F7nVeRmDFJivohZFV
MD5:	28BA9C651ADD8C1F86960D3B39C833FA
SHA1:	60E90D2DF79CFC0672F07A5895C4A10F641C5369
SHA-256:	0556D99CCE10073214B4DB3C7D9AEF79C1B5F60F4F34EB47929689756D7C2964
SHA-512:	69A1362D037D52FD8D10FB1EE159FF54E9776A7C0F707D2886B5D510A82A1CC06F939DC5FC15CCAD0CA62447F8FE200FB8C0D11C48994F55466E46A526E52B36
Malicious:	false
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.7...}^.........." ..... ... .......$.........@.............................P............`..........................................@..+...$...<....................................................................................0..(............................text............ .................. ..`.rdata..Co...0...p...0..............@..@.data....;.......@..................@....pdata..8...........................@..@.rsrc...............................@..@.reloc..1...........................@..B.vxl............. ..................@..@.qwubgr.$....0... ...0..............@..@.eer....

C:\Users\user\AppData\Local\M4eXJF\cmstp.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	92672
Entropy (8bit):	5.749238064237604
Encrypted:	false
SSDEEP:	1536:7oIXq0f2yF9sDb/RjxgnvkmVUqAVnKUMjbWg+I/87BM/Z4j8Qi1Yv9V:0Izw/RooolWIk7BM/ZNQi1EV
MD5:	2A9828E0C405422D166E0141054A04B3
SHA1:	84AA48946D4F9A9DFE4C1AF6F96C44B643229A73
SHA-256:	94152FB98573FE31C0CE49D260D760DD173741D663414DE718A37AAC7E8EF11F
SHA-512:	B9B0472706C11D3AECDAB055D4CF319EDD50E8C97B7099D1DC7B768812E804975392E327A1E62301077AB92C1CA97E706628B07172892AB09753FBDD9A07277D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l....X...X...X...Y...X...Y...X...Y...X...Y...X...XQ..X...Y...X...X...X...Y...XRich...X................PE..d....mg..........."............................@..........................................`.......... .......................................M...............p..................X....B..T...............................................H............................text............................... ..`.rdata.."l.......n..................@..@.data........`.......R..............@....pdata.......p.......T..............@..@.rsrc................Z..............@..@.reloc..X............h..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RiK2PNsRy\HID.DLL

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1069056
Entropy (8bit):	6.146958184893933
Encrypted:	false
SSDEEP:	12288:FZgJtlQepQn+NDo7nIgegQCLDF/B9wvj/cLvVZFuw:FZK6F7nVeRmDFJivohZFV
MD5:	EAD848991934B10FD663BB3E31D43D74
SHA1:	E544561E5A33491ADB5D7854E8FEB315262CE7BD
SHA-256:	411EB58C6A93FC5E0570D7641BC1E0989136349379DA4871E320D3715401A9E6
SHA-512:	3ABE5D6844119578BC9A683CEC740C6497DCB91794E7DACACB0AE3D12E30B3B1DDB3CE010B2D371DC25757A8CB22E2F928D0216EB81309B6713D2208EC449D73
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.7...}^.........." ..... ... .......$.........@.............................P............`..........................................@......$...<....................................................................................0..(............................text............ .................. ..`.rdata..Co...0...p...0..............@..@.data....;.......@..................@....pdata..8...........................@..@.rsrc...............................@..@.reloc..1...........................@..B.vxl............. ..................@..@.qwubgr.$....0... ...0..............@..@.eer....

C:\Users\user\AppData\Local\RiK2PNsRy\tabcal.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	82944
Entropy (8bit):	5.705817452511626
Encrypted:	false
SSDEEP:	1536:Q77RYSqLmKbndnBRdv2RWUUTtj11VM0bJDrdfW2jbJK:QuxLmKbndDdv2WUczVMKrdfZbs
MD5:	F04F239BA5FED275E652372222D1BE00
SHA1:	883C7915ADD2B47D1012E52321D670A4A29ABB53
SHA-256:	CE81E5BFF4C0A646EFD86791DB938A7F5E148666F518990B156FE208F8454423
SHA-512:	61B80BC6E68057C425C624DC4FC8A551F60F6E4DA60A7F5A6D6520FE92E0B61D1B63B16DF70A5019C3F0AFFE8064CD072BBADC3C69E1DB8833E1E3ABA9C45529
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d.. ... ... ...).`.>...O..."...O...2...O...&...O...7... ...$...O...)...O...!...O...!...Rich ...................PE..d...r.T,.........."............................@....................................&.....`.......... ...............................................0..@r......................\|...p...T...................................................,........................text...J........................... ..`.rdata..f4.......6..................@..@.data....!..........................@....pdata..............................@..@.didat..P.... ......................@....rsrc...@r...0...t..................@..@.reloc..\|............B..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\WPx7QKO3\CloudNotifications.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	77072
Entropy (8bit):	6.115516882753233
Encrypted:	false
SSDEEP:	1536:PBw6bK5qGy2vbnG4bhimIHw28N6GgIpdNtgdNttP+O1K9dr3uhyZb3NnPg5:FbK522vDfnp28a+O1AdCoZxno5
MD5:	D9FF4C8DBC1682E0508322307CB89C0F
SHA1:	52FF480ABF6A6CE9BC32BD3B467C028C35849C6F
SHA-256:	E99A6238FDF53700DE8588E1C1128D52680C1DCAAD4E32B38EF2170395495D29
SHA-512:	C068F98855514994AA7CD66ED02E3FD05B7E81EAD714F83CC158B65AAC6DE12A1D324375C41FEC5C1B6A3F1D6D8639EBFF71D510A720148A33E645ED066DAF2C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................=.....................................e............Q............Rich....................PE..d................."............................@.............................p.......*............... ......................................p........@.. .... ..L........%...`......P...T............................................... .......`....................text.............................. ..`.imrsiv..................................rdata...W.......X..................@..@.data...x...........................@....pdata..L.... ......................@..@.didat.......0......................@....rsrc... ....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\WPx7QKO3\UxTheme.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1069056
Entropy (8bit):	6.155376692081572
Encrypted:	false
SSDEEP:	12288:7ZgJtlQepQn+NDo7nIgegQCLDF/B9wvj/cLvVZFuw:7ZK6F7nVeRmDFJivohZFV
MD5:	788F93041CC68AAF0D2981E3664C4513
SHA1:	C570BCFAD5BDBBFE27125E0B4D18CFFDFF193DCE
SHA-256:	CD4DED826CB26B1FE448CCC265AEDD60A17D3452BE8920008E49967651FDF953
SHA-512:	946E4D6B553DC66AF809AF36D46A8449ED30A4B94CEEAB5D41CFC7B548AECD65EF2BBC0346BDD6A3CE326FB76105BAD69C9498AE7F2B29D4AA241E1533056EF3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.7...}^.........." ..... ... .......$.........@.............................P............`..........................................@......$...<....................................................................................0..(............................text............ .................. ..`.rdata..Co...0...p...0..............@..@.data....;.......@..................@....pdata..8...........................@..@.rsrc...............................@..@.reloc..1...........................@..B.vxl............. ..................@..@.qwubgr.$....0... ...0..............@..@.eer....

C:\Users\user\AppData\Local\a6o\PresentationHost.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	259072
Entropy (8bit):	6.5074250085194665
Encrypted:	false
SSDEEP:	6144:8kfs4/kfxzJTbHfyH5KNXwy3Odjp19k5KNXf:fs4ixzJTbHmKVwy3OdLaKV
MD5:	E3053C73EA240F4C2F7971B3905A91CF
SHA1:	1848AD66BD55E5484616FB85E80BA58BE1D5BA4B
SHA-256:	0BACCDB2B5ACB7B3C2E9085655457532964CAFFF1AE250016CE1A80E839B820C
SHA-512:	167BCC3E2552286F7D985A65674DA2FF0D0AA6A7F0C4C3B43193943B606E0133C06EEB33656EFBB8B827AC9221FB1BA00A49ADCC2489BD4F38DF62A015806DE3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3/.]\|.]\|.]\|...\|.]\|...\|..]\|..^}.]\|..Y}.]\|.\\|..]\|..\}.]\|..T}..]\|..X}.]\|..\|.]\|.._}.]\|Rich.]\|........................PE..d..../............"..........&.................@.............................0............`.......... .......................................p..,........j......l............ ..,....d..T............................#...............$...............................text...o........................... ..`.rdata..............................@..@.data................r..............@....pdata..l............t..............@..@.rsrc....j.......l...~..............@..@.reloc..,.... ......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\a6o\VERSION.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1069056
Entropy (8bit):	6.141888354644453
Encrypted:	false
SSDEEP:	12288:+ZgJtlQepQn+NDo7nIgegQCLDF/B9wvj/cLvVZFuw:+ZK6F7nVeRmDFJivohZFV
MD5:	D4D5B95886C89B810B29F8FF8818337B
SHA1:	7CDAC1ACF63AEEB8E21F7B60789EB18D38322771
SHA-256:	1C9BFFF102C998B55137C47A7B541741D341F5BE2C1758A82E06B7537396B3DD
SHA-512:	885439E76F4995FB9F4553B867AA8BB4789ED9AE8B76CB34161F9FB17A559324C620088C7C3C3DA770E4FCDB3F385DA8D7C59E2A606A59634B8FA80D14D53EAB
Malicious:	false
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.7...}^.........." ..... ... .......$.........@.............................P............`..........................................@..+...$...<....................................................................................0..(............................text............ .................. ..`.rdata..Co...0...p...0..............@..@.data....;.......@..................@....pdata..8...........................@..@.rsrc...............................@..@.reloc..1...........................@..B.vxl............. ..................@..@.qwubgr.$....0... ...0..............@..@.eer....

C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1292288
Entropy (8bit):	6.159394598062476
Encrypted:	false
SSDEEP:	24576:tg6uRV8QrFa8Zdntp/LEz2INhgITVXTvlHQroF:tgJVbFaqtpDEznyQVjvZQroF
MD5:	4EF330EFAE954723B1F2800C15FDA7EB
SHA1:	3E152C0B10E107926D6A213C882C161D80B836C9
SHA-256:	0494166D4AE6BB7925E4F57BB6DFAC629C95AE9E03DFC925F8232893236BD982
SHA-512:	C122CD7A245EF6A6A7B7DECAB6500BDC11E4C57B8E35F8462CC0615E44E54071E6BF79B69BB8519470ACBAF0D2E62ABC45C38CBF0606261792EDB4A84790EC61
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.ur.`.!.`.!.`.!...!P`.!... .`.!... .`.!... 4`.!... 9`.!.`.!de.!... .`.!...!.`.!...!.`.!... .`.!Rich.`.!........PE..d................"......H..........0..........@.............................@....................... ...................................................u......`................:..p...T....................@..(...pp..............8@..H... ...@....................text....F.......H.................. ..`.imrsiv......`...........................rdata......p.......L..............@..@.data...............................@....pdata..`............~..............@..@.didat.......p......................@....rsrc....u.......v..................@..@.reloc...:.......<...\|..............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\uRSIQRt4\dxgi.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1069056
Entropy (8bit):	6.142847456522913
Encrypted:	false
SSDEEP:	12288:TZgJtlQepQn+NDo7nIgegQCLDF/B9wvj/cLvVZFuw:TZK6F7nVeRmDFJivohZFV
MD5:	7F99325FD34A10C1AD7942EC2C79D921
SHA1:	672047B806244B31EF978C237F5C248580CEDCCB
SHA-256:	DADA800E9EF0A9ED81DF2CC3FE254A261E7D6B246082A596CEC98EF52FE786D6
SHA-512:	67A1CEFC2FADD32E5A59C3E03ABE5217083736FECBAA0F07888BF2A55328F0563EBAA39B93580CEEA25BAA2073D18BA2B33A5A846333CA5C8092FDB220E9B412
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.7...}^.........." ..... ... .......$.........@.............................P............`..........................................@......$...<....................................................................................0..(............................text............ .................. ..`.rdata..Co...0...p...0..............@..@.data....;.......@..................@....pdata..8...........................@..@.rsrc...............................@..@.reloc..1...........................@..B.vxl............. ..................@..@.qwubgr.$....0... ...0..............@..@.eer....

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	1450
Entropy (8bit):	7.319876797981463
Encrypted:	false
SSDEEP:	24:UHzfK1Iv8tUyNY46eYIi9voySd5cKrM7RSzIpwAgTUL8LSeeBweiiJVEWybp0VgP:UT2K+Uxe8NVSbrwSzqwxCe2wcEWc92A
MD5:	85E52B4A28FEE63F46413C9EB25206D5
SHA1:	0140AAD8B9AD754C5D35200991F581514E5C2314
SHA-256:	4956E2A4D0F745E7B325478B6E5E5F6C345D9BB422AF69E386E854043EA4D289
SHA-512:	D990279BCAE61753CAFA3CCE11527F8A90F7756F7A1777E4B11B95BF211053CDA6394E13776AD14704EFB790CD0D4B3D0E58CFEA6E7B51B30B38BC6E9FE27635
Malicious:	false
Preview:	........................................user.....................RSA1....................T\|.uo9.?R(....NHQ.n.H.I....O..0...r..%0...s.2ETw...$........i..$-.[..;...E].ea...M&O..+u,h..n.T.B..w..z...I....X..y..Sr\|.....................z..O..........L.M.5.t.xY.....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ....eU.S...K..X.-.Jv....B.s....U............. ...,.u.>......A.W..~.+U..........:nm=.;...j...^x.........SU...D.....6.vK..+Ej...0..~Yj..j....s.Q }#.r......L.q.u...H.Nd.?...R.....Z&...q.Z.B5.e..w.\|,.)#...'..........7e....@...+..-q.'...5"..B~.....2.Eqy23...(;.....3....yj..-.........\...A.`3..2..=.=..Tg..C~.3....h..=.....L.lb.g".k.....cY....q2.2..3.(......C.+....`.'J....1.~..f/T....u8K....g.!..^P?[m..z..E.d.......Kc..6.pC.m....X..(..H..lm.@.K.py&Ss.Y...M..h..h.....67.`...5.,%..b......L\...2.z.$...C."../:E.F4../....i...@.kS.....s..S.2...B..$q/......f?..l...iT.}.<..G7..6..k.gH.h.]y.......T!..k5..<.p.r@.....t.......-.d.........hZk

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	6.159361029232143
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	dpnhupnp.dll
File size:	1064960
MD5:	cf22fca6a1c8035cb38867787f16be21
SHA1:	85cae7532a21983295a2c0aad5889e8dbd024c9f
SHA256:	3a52c4f27db221ed975af3d38ac4b9060203b9c6fb3532cdc61b969e21ca666c
SHA512:	0a1e9e8f6d149d6cada2b29257087819a7a09ebf47f31e31c03b0cd26241f487a695faa9d23ce509b413f2585be426e310b8308818445ad039328293bd17cd4c
SSDEEP:	12288:JZgJtlQepQn+NDo7nIgegQCLDF/B9wvj/cLvVZFuw:JZK6F7nVeRmDFJivohZFV
File Content Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb......qb.;...{qb......qb

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x1400424b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x5E7D9D05 [Fri Mar 27 06:28:21 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	4a2e61e1749a0183eccaadb9c4ef6ec2

Entrypoint Preview

Instruction
dec eax
mov dword ptr [00070639h], ecx
dec eax
lea ecx, dword ptr [FFFFF2F2h]
dec esp
mov dword ptr [0007064Bh], eax
dec esp
mov dword ptr [00070654h], edi
dec esp
mov dword ptr [00070655h], esi
dec eax
xor eax, eax
dec eax
inc eax
dec eax
add ecx, eax
dec esp
mov dword ptr [00070655h], esp
dec eax
dec ecx
dec eax
mov dword ptr [00070653h], esi
dec eax
test eax, eax
je 00007F54089D45BDh
dec eax
mov dword ptr [0007060Fh], esp
dec eax
mov dword ptr [00070600h], ebp
dec eax
mov dword ptr [00070649h], ebx
dec eax
mov dword ptr [0007063Ah], edi
dec eax
test eax, eax
je 00007F54089D459Ch
dec esp
mov dword ptr [000705FEh], ecx
dec esp
mov dword ptr [0007060Fh], ebp
dec eax
mov dword ptr [000705D0h], edx
jmp ecx
dec eax
add edi, ecx
retn 0008h
ud2
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push esi
dec eax
sub esp, 00000080h
dec eax
mov dword ptr [esp+78h], 58225FC8h
mov dword ptr [esp+60h], 2DFAE652h
mov al, byte ptr [esp+77h]
mov dl, al
add dl, FFFFFF85h
mov byte ptr [esp+77h], dl
mov word ptr [esp+5Eh], 3327h
dec esp
mov eax, dword ptr [esp+78h]
inc esp
mov ecx, dword ptr [esp+64h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x103010	0x22b	.rqfw
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa9924	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbf000	0x3d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1000	0x0	.text
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc0000	0xefc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x43000	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x418cc	0x42000	False	0.781412760417	data	7.78392111205	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x43000	0x66f43	0x67000	False	0.700313827367	data	7.87278268617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xaa000	0x13ba7	0x14000	False	0.0782836914062	data	2.51707039551	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0xbe000	0x138	0x1000	False	0.061279296875	PEX Binary Archive	0.599172422844	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xbf000	0x69e	0x1000	False	0.123291015625	data	1.07831823765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc0000	0xf31	0x1000	False	0.416748046875	data	5.36145191459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.vxl	0xc1000	0x14d4	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qwubgr	0xc3000	0x1124	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eer	0xc5000	0x1e66	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xwwauf	0xc7000	0x9cd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pkc	0xc8000	0x42a	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.npkda	0xc9000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vhs	0xca000	0x1af	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.iaywj	0xcb000	0x1455	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nasi	0xcd000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zhvprh	0xce000	0x6cd0	0x7000	False	0.00177873883929	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.yatdsp	0xd5000	0x543	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.njso	0xd6000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lgliat	0xd8000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ntqjh	0xd9000	0xbf6	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sucsek	0xda000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qsxjui	0xdb000	0x9cd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.twctcm	0xdc000	0x1124	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nms	0xde000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ogj	0xdf000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vrkgb	0xe1000	0x706	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gikfw	0xe2000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ktl	0xe3000	0x9cd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.crcn	0xe4000	0x5a7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wtfr	0xe5000	0x1ee	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hep	0xe6000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ywg	0xe7000	0xd33	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sqsp	0xe8000	0x2da	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tkyonf	0xe9000	0x1f2a	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lmr	0xeb000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nmvll	0xec000	0x1f2a	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.uvboq	0xee000	0x389	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pck	0xef000	0x3ba	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cui	0xf0000	0x128f	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bjpf	0xf2000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tdsza	0xf3000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ljyns	0xf4000	0x128f	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.uvvcd	0xf6000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.dhcna	0xf7000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ntjkji	0xf8000	0x3ba	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.copgfj	0xf9000	0x1f2a	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zmu	0xfb000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nqzul	0xfc000	0x3ba	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qgbg	0xfd000	0x389	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.obih	0xfe000	0x543	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.igwjz	0xff000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mkzlg	0x100000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ovmzdw	0x101000	0x1e66	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rqfw	0x103000	0x23b	0x1000	False	0.07958984375	data	1.11634042299	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xbf0a0	0x2dc	data	English	United States
RT_MANIFEST	0xbf380	0x56	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	GetServiceDisplayNameW
KERNEL32.dll	LoadLibraryA, HeapUnlock

Exports

Name	Ordinal	Address
GetFileVersionInfoA	1	0x14000f7e4
GetFileVersionInfoByHandle	2	0x140002ba4
GetFileVersionInfoExA	3	0x14000d900
GetFileVersionInfoExW	4	0x14001482c
GetFileVersionInfoSizeA	5	0x14003fdcc
GetFileVersionInfoSizeExA	6	0x14002b8cc
GetFileVersionInfoSizeExW	7	0x14001c354
GetFileVersionInfoSizeW	8	0x140029090
GetFileVersionInfoW	9	0x14000ba2c
VerFindFileA	10	0x140033224
VerFindFileW	11	0x140035218
VerInstallFileA	12	0x140015484
VerInstallFileW	13	0x1400206e8
VerLanguageNameA	14	0x140029e8c
VerLanguageNameW	15	0x14003d800
VerQueryValueA	16	0x140010250
VerQueryValueW	17	0x1400314a0

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights
InternalName	dpnhup
FileVersion	1.56
CompanyName	Microsoft C
ProductName	Sysinternals Streams
ProductVersion	6.1
FileDescription	Thai K
OriginalFilename	dpnhupnp.d
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 27, 2022 17:43:53.441113949 CET	60784	53	192.168.2.3	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 27, 2022 17:43:53.441113949 CET	192.168.2.3	8.8.8.8	0xe615	Standard query (0)	store-images.s-microsoft.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 27, 2022 17:43:53.470438004 CET	8.8.8.8	192.168.2.3	0xe615	No error (0)	store-images.s-microsoft.com	store-images.s-microsoft.com-c.edgekey.net		CNAME (Canonical name)	IN (0x0001)

Target ID:	0
Start time:	17:43:58
Start date:	27/02/2022
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\dpnhupnp.dll"
Imagebase:	0x7ff7cf9b0000
File size:	140288 bytes
MD5 hash:	4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Target ID:	1
Start time:	17:43:59
Start date:	27/02/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dpnhupnp.dll",#1
Imagebase:	0x7ff74a650000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	17:43:59
Start date:	27/02/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\dpnhupnp.dll,GetFileVersionInfoA
Imagebase:	0x7ff6f85c0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.357902587.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	17:43:59
Start date:	27/02/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\dpnhupnp.dll",#1
Imagebase:	0x7ff6f85c0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.278695271.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	17:44:01
Start date:	27/02/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff720ea0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	9
Start time:	17:44:02
Start date:	27/02/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\dpnhupnp.dll,GetFileVersionInfoByHandle
Imagebase:	0x7ff6f85c0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000009.00000002.285131581.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	14
Start time:	17:44:06
Start date:	27/02/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\dpnhupnp.dll,GetFileVersionInfoExA
Imagebase:	0x7ff6f85c0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000E.00000002.293533164.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	18
Start time:	17:44:39
Start date:	27/02/2022
Path:	C:\Windows\System32\DisplaySwitch.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DisplaySwitch.exe
Imagebase:	0x7ff7df870000
File size:	1930224 bytes
MD5 hash:	97411B8A84E5980E509E500C3209E5C0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	20
Start time:	17:44:41
Start date:	27/02/2022
Path:	C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe
Imagebase:	0x7ff701bc0000
File size:	1930224 bytes
MD5 hash:	97411B8A84E5980E509E500C3209E5C0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000014.00000002.392236668.00007FFC6F9E1000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Target ID:	21
Start time:	17:44:54
Start date:	27/02/2022
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wusa.exe
Imagebase:	0x7ff75cc10000
File size:	308736 bytes
MD5 hash:	04CE745559916B99248F266BBF5F9ED9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	22
Start time:	17:44:54
Start date:	27/02/2022
Path:	C:\Windows\System32\GamePanel.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\GamePanel.exe
Imagebase:	0x7ff707610000
File size:	1292288 bytes
MD5 hash:	4EF330EFAE954723B1F2800C15FDA7EB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	24
Start time:	17:44:56
Start date:	27/02/2022
Path:	C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe
Imagebase:	0x7ff7754a0000
File size:	1292288 bytes
MD5 hash:	4EF330EFAE954723B1F2800C15FDA7EB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000018.00000002.424452492.00007FFC6F9E1000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Target ID:	31
Start time:	17:45:09
Start date:	27/02/2022
Path:	C:\Windows\System32\msdt.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msdt.exe
Imagebase:	0x7ff7021e0000
File size:	1560576 bytes
MD5 hash:	8BE43BAF1F37DA5AB31A53CA1C07EE0C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	32
Start time:	17:45:15
Start date:	27/02/2022
Path:	C:\Users\user\AppData\Local\1XXGC21\msdt.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\1XXGC21\msdt.exe
Imagebase:	0x7ff7299c0000
File size:	1560576 bytes
MD5 hash:	8BE43BAF1F37DA5AB31A53CA1C07EE0C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000020.00000002.463842556.00007FFC6E2A1000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Show Windows behavior

Target ID:	34
Start time:	17:45:27
Start date:	27/02/2022
Path:	C:\Windows\System32\cmstp.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmstp.exe
Imagebase:	0x7ff792300000
File size:	92672 bytes
MD5 hash:	2A9828E0C405422D166E0141054A04B3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	35
Start time:	17:45:29
Start date:	27/02/2022
Path:	C:\Users\user\AppData\Local\M4eXJF\cmstp.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\M4eXJF\cmstp.exe
Imagebase:	0x7ff7de0b0000
File size:	92672 bytes
MD5 hash:	2A9828E0C405422D166E0141054A04B3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000023.00000002.491431291.00007FFC7C2F1000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Show Windows behavior

Target ID:	37
Start time:	17:45:40
Start date:	27/02/2022
Path:	C:\Windows\System32\PresentationHost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\PresentationHost.exe
Imagebase:	0x7ff77cd10000
File size:	259072 bytes
MD5 hash:	E3053C73EA240F4C2F7971B3905A91CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	38
Start time:	17:45:41
Start date:	27/02/2022
Path:	C:\Users\user\AppData\Local\a6o\PresentationHost.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\a6o\PresentationHost.exe
Imagebase:	0x7ff76ed90000
File size:	259072 bytes
MD5 hash:	E3053C73EA240F4C2F7971B3905A91CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000026.00000002.520892941.00007FFC7C2F1000.00000020.00000001.01000000.00000010.sdmp, Author: Joe Security

Show Windows behavior

Target ID:	39
Start time:	17:45:54
Start date:	27/02/2022
Path:	C:\Windows\System32\cmstp.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmstp.exe
Imagebase:	0x7ff792300000
File size:	92672 bytes
MD5 hash:	2A9828E0C405422D166E0141054A04B3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	40
Start time:	17:45:55
Start date:	27/02/2022
Path:	C:\Users\user\AppData\Local\96P3D\cmstp.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\96P3D\cmstp.exe
Imagebase:	0x7ff72be30000
File size:	92672 bytes
MD5 hash:	2A9828E0C405422D166E0141054A04B3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000028.00000002.548047896.00007FFC7C2F1000.00000020.00000001.01000000.00000012.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	42.6%
Total number of Nodes:	399
Total number of Limit Nodes:	46

Executed Functions

Function 00007FFC6FA2A2C0 Relevance: 5.0, APIs: 2, Instructions: 2002COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9554a771582ca0b9738559290b340a39a7c58fd3e71f6d1f1ea8d444545380a
Instruction ID: e1fa681cf601b57ccb4b1e22246d3b164f6e7f13655b290e89249d865fef592a
Opcode Fuzzy Hash: a9554a771582ca0b9738559290b340a39a7c58fd3e71f6d1f1ea8d444545380a
Instruction Fuzzy Hash: 9303AD26B0CBAEC6EB259B11D5402BA67A1FB45B88F484436CA0D47797FF3CE945C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA159F0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFC6FA27770: NtClose.NTDLL ref: 00007FFC6FA27799

ExitProcess.KERNEL32 ref: 00007FFC6FA15C91

Strings

-R+, xrefs: 00007FFC6FA15C7B

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: CloseExitProcess
String ID: -R+
API String ID: 3487036407-215093852
Opcode ID: a2a8c28b3ee7f0fa8bf544a5d9906ba940d891420d0fd709915c8590ce408372
Instruction ID: c5733aa1be0fee03aa556c59e1956c331a6ba6cafbbbbca251da52268a18cd50
Opcode Fuzzy Hash: a2a8c28b3ee7f0fa8bf544a5d9906ba940d891420d0fd709915c8590ce408372
Instruction Fuzzy Hash: 05812C22B1C66ED9FB10EBA5C4512FD23A6AF94388F855032DE4D569CBFF28E505C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA3ED10 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileExW.KERNELBASE ref: 00007FFC6FA3ED6D

Strings

., xrefs: 00007FFC6FA3EDEA

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID: .
API String ID: 1974802433-248832578
Opcode ID: 5588d055546eb8cf66efa63037f07df379a20e7f6d9627be0340d4208e6e69ea
Instruction ID: 8fa11d735a84ba9999a38277a9c887d00ce0f9b2d4d17f21b0e51ac787873d80
Opcode Fuzzy Hash: 5588d055546eb8cf66efa63037f07df379a20e7f6d9627be0340d4208e6e69ea
Instruction Fuzzy Hash: 3A419123A0C66DC1EB644A14D14037963A1DF44BA8F284635DB6C877DAFFACEC96C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA07880 Relevance: 2.9, Strings: 2, Instructions: 383
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)8GV, xrefs: 00007FFC6FA07C59
)8GV, xrefs: 00007FFC6FA07D3D

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: )8GV$)8GV
API String ID: 0-993736920
Opcode ID: 3711d9fbecb415313570ebbb9bb183def5a52c947dce29ce66411354ce6716ba
Instruction ID: fa94cc2478d77f95944f893622368dacd9af06716af7cfea4d765850f9ab4f53
Opcode Fuzzy Hash: 3711d9fbecb415313570ebbb9bb183def5a52c947dce29ce66411354ce6716ba
Instruction Fuzzy Hash: 37F15D22B1C56ED5EB10EB61E8512FD6361AF94388F845032EA4E47A9BFF3CE545C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA3DDC0 Relevance: 2.4, APIs: 1, Instructions: 882COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 00007FFC6FA3EB81

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: e3c5db53bafe4e33eb6ebb8252a414bc0777859787fa4279c39abb1afb630ecb
Instruction ID: 1afb7d6b132231f3bf6d8a343a99c80533b9d73266a90a038e6711f35d95fa9e
Opcode Fuzzy Hash: e3c5db53bafe4e33eb6ebb8252a414bc0777859787fa4279c39abb1afb630ecb
Instruction Fuzzy Hash: AB82CF62B0CBAEC6EB648B1494802B967A1FB45B84F484435CB4D87797FF7CE949C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA2CA50 Relevance: 2.3, APIs: 1, Instructions: 784COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5974580d677f27582c2e7808952499b910dd612dca587cb931af837cf1dab6d
Instruction ID: cc3057f2d96f11bcc49c5da88f51198030a48d3ba0960bd6b6f7b44040d3ec6f
Opcode Fuzzy Hash: c5974580d677f27582c2e7808952499b910dd612dca587cb931af837cf1dab6d
Instruction Fuzzy Hash: 97728C22B1CBAEC5EB258B1594447B967A2FF49B88F884036CA4D07797EF3CE545C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA4D520 Relevance: 1.7, APIs: 1, Instructions: 237
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL ref: 00007FFC6FA4D5C0

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: e25f91d4ec7704f865dd44938a66bed721d62b213e4dfdd918b4760a7e869e4e
Instruction ID: 0904693be4267359bff300bf38bbdcb1a646690c8dfd350485e44b7b6e8d4175
Opcode Fuzzy Hash: e25f91d4ec7704f865dd44938a66bed721d62b213e4dfdd918b4760a7e869e4e
Instruction Fuzzy Hash: DBB13936B0D65EDAE750EB25D1412AE37A6FF44788F444035DA8E47B96EF38E424C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA297D0 Relevance: 1.7, APIs: 1, Instructions: 185
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 00007FFC6FA299EE

Part of subcall function 00007FFC6FA3EC70: FindNextFileW.KERNELBASE(?,?,D353BBDF,00007FFC6FA2990E), ref: 00007FFC6FA3EC9B

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: FileFindLoadNext
String ID:
API String ID: 50669962-0
Opcode ID: 8ae045245011a34f88152a78bb84e1250efdef914e004368085cefc9dfb048a4
Instruction ID: f0a0f93a36018d6efca16592d3a5449294a72ec2fce429e697b588296f55e8aa
Opcode Fuzzy Hash: 8ae045245011a34f88152a78bb84e1250efdef914e004368085cefc9dfb048a4
Instruction Fuzzy Hash: 8A817D22B2C6AEC5EA14EB21D4612FE6361EF95754F885131EA4D07ACBFE3CE505C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA29400 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 00007FFC6FA29443

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 61134290c5f0672a3f6bf35b943af87a7f429b15799ed0f7774ee38327f57094
Instruction ID: 77f0b81df9ec7b82cac658f1d08cb53bb50421bbf959871ec240158c1ef95adb
Opcode Fuzzy Hash: 61134290c5f0672a3f6bf35b943af87a7f429b15799ed0f7774ee38327f57094
Instruction Fuzzy Hash: 7A010C61B2C56EC2EE10EB55E8512BA9311FFC4784F485031E98E0778BEF2CE105C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA27770 Relevance: 1.5, APIs: 1, Instructions: 17nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

NtClose.NTDLL ref: 00007FFC6FA27799

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 860ba978492d36cdfe31f6537ec1931d4b76ea568ca190dfd252f9a33af48d82
Instruction ID: a250c808aff7d19c1d2e9840fdb008e6f91434557449ca431c3723a15fb0712a
Opcode Fuzzy Hash: 860ba978492d36cdfe31f6537ec1931d4b76ea568ca190dfd252f9a33af48d82
Instruction Fuzzy Hash: 84D05E51B2D61DC1FF2567A1A2423B412A09FA9704F0C4030CE8D0A3CBFE2C9A82C332

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA15020 Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

-R+, xrefs: 00007FFC6FA1529C

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: -R+
API String ID: 0-215093852
Opcode ID: 4689c6a6c8faaed6adda941e0a6d09318eaac1eaa5bdc1b6e19979631bc4cf96
Instruction ID: 6b73a774e84e7cffc0c02a28476b3f4d058762c1913ad3d15d510d0e9556faaa
Opcode Fuzzy Hash: 4689c6a6c8faaed6adda941e0a6d09318eaac1eaa5bdc1b6e19979631bc4cf96
Instruction Fuzzy Hash: 9B715B22B1C66E89FB10EB64E4912FE67A5FF94344F984035DA4D17A8BEF38E445C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA33150 Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a87f18a61a818c4bd4d6f9470d0c0ba478eb8fcb6f6f9b961852b18027112592
Instruction ID: e33e2b9bdfcb3f3db02bd48a9864723a5202a5ff0c26a9738c094b4d17793749
Opcode Fuzzy Hash: a87f18a61a818c4bd4d6f9470d0c0ba478eb8fcb6f6f9b961852b18027112592
Instruction Fuzzy Hash: F272BD62B1CBAEC5EA248B1594413B967A0FB45F84F454036CB8E8778AFF7CE545C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA1AA70 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b52c0054d56aefd0f3e1567eddfd226f434cc3305f3d4ff0dfe5c57373c99d56
Instruction ID: 817bd35db4ce8bd0c3b57ac670c7d42591c2b37e014f649ac9b07df8d0fae866
Opcode Fuzzy Hash: b52c0054d56aefd0f3e1567eddfd226f434cc3305f3d4ff0dfe5c57373c99d56
Instruction Fuzzy Hash: 9F22AF26B0C66EC6EA20EB61E0512BE6261FF85784F454239DA0E477D7FE3CE509C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA47650 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e671008534e80604538bd923785f75ee5c173f21ecf6df136e96451e37028845
Instruction ID: 3bfebc8c515e9693c024645d8be69af675e8b18ad48a4fe5c06fc9b112eb552e
Opcode Fuzzy Hash: e671008534e80604538bd923785f75ee5c173f21ecf6df136e96451e37028845
Instruction Fuzzy Hash: E861C431B1C6AE81FE64A621551157A6591EF847A4F180235EEAD467CBFF3CF841CA30

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA176E0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 00007FFC6FA1780F

Strings

d, xrefs: 00007FFC6FA177F6
UsS, xrefs: 00007FFC6FA1784B
)8GV, xrefs: 00007FFC6FA177CC
UsS, xrefs: 00007FFC6FA17AE7

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: ConsoleFree
String ID: )8GV$UsS$UsS$d
API String ID: 771614528-2529742583
Opcode ID: fe77994c02c4c18a5344a767264b09122eac9de7f449874fa6967c2ee9c58cdd
Instruction ID: cdf19b90379dddff70cd716d63e2c8ee8e1f2f10d75d1f76ab01f725adc9f973
Opcode Fuzzy Hash: fe77994c02c4c18a5344a767264b09122eac9de7f449874fa6967c2ee9c58cdd
Instruction Fuzzy Hash: 9591C022B1C66EC6EA50EB24E0511BA6351FF98780F995131EE5E477CBFE2CE841C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA42E60 Relevance: 6.3, APIs: 4, Instructions: 289
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC6FA42F59
RegEnumKeyW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC6FA42FB4
RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC6FA43039
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002,?), ref: 00007FFC6FA43164

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: Close$EnumOpen
String ID:
API String ID: 138425441-0
Opcode ID: 9040a30d361a83406cf626564ceae3e4d7b26da50e6fb5ff6255cba964b20aea
Instruction ID: 9463872ef2cf1eb0ff7442c5f9f4ce771ffe81953694b5a6f5dd5278a599360d
Opcode Fuzzy Hash: 9040a30d361a83406cf626564ceae3e4d7b26da50e6fb5ff6255cba964b20aea
Instruction Fuzzy Hash: 31C19521B0D7ADC2EE609B55A4413B96390EFC57A0F484235EAED477C7EE6CE805DB20

Uniqueness

Uniqueness Score: -1.00%

Function 0000024C71412264 Relevance: 6.2, APIs: 4, Instructions: 230
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 0000024C714123BE
VirtualProtect.KERNELBASE ref: 0000024C71412478
RtlAvlRemoveNode.NTDLL ref: 0000024C714125BE
VirtualProtect.KERNELBASE ref: 0000024C71412684

Memory Dump Source

Source File: 00000000.00000002.298527724.0000024C71410000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024C71410000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24c71410000_loaddll64.jbxd

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction ID: 08f31e939bf53c574677366668ff108e6d2adc79befdc230865215728fd45f7f
Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction Fuzzy Hash: 99B15476619BC486D770CF1AE440B9AB7A4F7C9B90F208126EE8D53B58DF39C8519F40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA3F550 Relevance: 3.1, APIs: 2, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec0a7225e8e6c00049340723db4e1e7198fb52ab2bc5e590aae07ecbfda9d15
Instruction ID: 2fa5d5ae62f94ff1368def512726ad4fb6dd257c81d524b8f909498d649c1e2c
Opcode Fuzzy Hash: aec0a7225e8e6c00049340723db4e1e7198fb52ab2bc5e590aae07ecbfda9d15
Instruction Fuzzy Hash: 1A51F722B2C6AEC1E6689A21A4503BA6255FF84784F184439DB4E877C7FF7DE405C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA3F7A0 Relevance: 3.1, APIs: 2, Instructions: 115
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE ref: 00007FFC6FA3F866
ReadFile.KERNELBASE ref: 00007FFC6FA3F8D4

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: db028594bc8b5677cbc4ad6c23936fd200019b0bac19abf828ee229ab7d43dc6
Instruction ID: 208e92518c91dd3f4963886f2398a386904ef75e0bca7e1d1f045f015ccf0c42
Opcode Fuzzy Hash: db028594bc8b5677cbc4ad6c23936fd200019b0bac19abf828ee229ab7d43dc6
Instruction Fuzzy Hash: B141A622F2C6ADD2EA58AB25A04017E6395EF94780F140135EB4D8779BFF7CE406DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA42810 Relevance: 3.1, APIs: 2, Instructions: 76
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFC6FA2961D), ref: 00007FFC6FA42885
RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFC6FA2961D), ref: 00007FFC6FA428E8

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 505d3e8216d65752d9c9970fe8de9b0105d3b943a84e5339b5d033298b12e6c9
Instruction ID: d456db817f7e3582a9a13c0a045a0cd58498161a1bdeaf5e1b22d3551df60959
Opcode Fuzzy Hash: 505d3e8216d65752d9c9970fe8de9b0105d3b943a84e5339b5d033298b12e6c9
Instruction Fuzzy Hash: 4621D827B1D66982EA50CF55A80012EA391EF847E4F0C4131EE9C47BD9EF3CE481CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA41850 Relevance: 1.6, APIs: 1, Instructions: 144
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNELBASE ref: 00007FFC6FA419AE

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 2cf95efc385c725b9022cf8212db04d77c482d4e4406951c86c10693420f5340
Instruction ID: 9cbed28774c49db2b6ba86feebf05aae2b7b520ce9f49e0485e53a89d7408ba0
Opcode Fuzzy Hash: 2cf95efc385c725b9022cf8212db04d77c482d4e4406951c86c10693420f5340
Instruction Fuzzy Hash: 3C518532B1D36DC6EA65AB2190012B92251EF88B84F580435EA9D4778BFF3CE852C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA41490 Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FFC6FA414EB

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 2eccd0c63b57d71c448d16ee564a8a11a0e937c987636d1f9c740f04a7ca8c8e
Instruction ID: 8bae3d7a92224076380a519bf1428768eb934a7d52d6ebdbb626750ed377f50a
Opcode Fuzzy Hash: 2eccd0c63b57d71c448d16ee564a8a11a0e937c987636d1f9c740f04a7ca8c8e
Instruction Fuzzy Hash: A221AF32B0CB5EC2EA109F65A1401A973A5FF88784F944036DB9D07B4AEF3CE121CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA3F629 Relevance: 1.6, APIs: 1, Instructions: 53
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC6FA3F9E1), ref: 00007FFC6FA3F6CC

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9933a6296932c9aaeac43b8e72c576d6d43d9e66245f160a84ba2bfbc0e42396
Instruction ID: 9d538a49589f948576000934a304e1699b0af72e496e36fe9224e3e18a350bae
Opcode Fuzzy Hash: 9933a6296932c9aaeac43b8e72c576d6d43d9e66245f160a84ba2bfbc0e42396
Instruction Fuzzy Hash: CA11C423A2C2BEC2E6749B10A0003BA6395FB44780F180139DB8E47793EF7DE445C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA3F642 Relevance: 1.6, APIs: 1, Instructions: 51filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC6FA3F9E1), ref: 00007FFC6FA3F6CC
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC6FA3F9E1), ref: 00007FFC6FA3F75A

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: ab920c4048ecd73485d9a24abe9911eec550e0ad73fe64493c44082e69fe9c96
Instruction ID: 0b836df29fd901527eef9fb5b8e377048d28a69610c2c4d0e05f36aa57e05446
Opcode Fuzzy Hash: ab920c4048ecd73485d9a24abe9911eec550e0ad73fe64493c44082e69fe9c96
Instruction Fuzzy Hash: 3F11C223B2C6AEC2E6649B11A0003BA7395FB84780F180139DB8E87796EF7CE445C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA3EC70 Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,?,D353BBDF,00007FFC6FA2990E), ref: 00007FFC6FA3EC9B

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 26ebda7149b16bce636ef64988408f2f4fd758443eccbcd7e202da9d4eacb6a9
Instruction ID: 48ee5a22517bc62c2b06262b3c13829b5d446a8b66db600c1402105858fef296
Opcode Fuzzy Hash: 26ebda7149b16bce636ef64988408f2f4fd758443eccbcd7e202da9d4eacb6a9
Instruction Fuzzy Hash: 8511F162A1C2AE82FBA45B25918167D13A1DF54788F041035DF4D872C6FAADEC99C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA3F658 Relevance: 1.6, APIs: 1, Instructions: 50filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC6FA3F9E1), ref: 00007FFC6FA3F6CC
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC6FA3F9E1), ref: 00007FFC6FA3F75A

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: e80f8483cf94c30f6301f3d3c985100ccdfca77954115487aecc5a17041d3c9f
Instruction ID: e5d020631e5a9c319a2e51f2e00f0f8d4799878edb30eab07caef710e464b6b6
Opcode Fuzzy Hash: e80f8483cf94c30f6301f3d3c985100ccdfca77954115487aecc5a17041d3c9f
Instruction Fuzzy Hash: 2111CE23B2C2AEC2E6749B1160407BB6395FB84780F180139DB8E47792EF3CE445C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA3F668 Relevance: 1.5, APIs: 1, Instructions: 47filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC6FA3F9E1), ref: 00007FFC6FA3F6CC
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC6FA3F9E1), ref: 00007FFC6FA3F75A

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: 6e284fec9c092ab559da79d84b2b54fba405a3312493b2d376a7f6576a005246
Instruction ID: 71fcef52c34cf3f22ea3ffad4c1c4ef9231f46a5defae81728ef8e901042eec4
Opcode Fuzzy Hash: 6e284fec9c092ab559da79d84b2b54fba405a3312493b2d376a7f6576a005246
Instruction Fuzzy Hash: 7601A123B2C6AEC2E6759B11B0003BA6395FB88780F580139DB8E47796EF7CE441C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA426A0 Relevance: 1.5, APIs: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32 ref: 00007FFC6FA42716

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: af68b27f32d806152594ea98ebc8f2426a04b51a09888dca3b9f639ab6fe49d2
Instruction ID: 0e043d110f2cb2e0e2bb48c299704b6c0c6642c2060f91422f3dba81b5327340
Opcode Fuzzy Hash: af68b27f32d806152594ea98ebc8f2426a04b51a09888dca3b9f639ab6fe49d2
Instruction Fuzzy Hash: 53113376608B89C6D7209F11F44059AB7A4FB88B80F588135EFDD43B09EF38D551CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA270F0 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

RtlCreateHeap.NTDLL ref: 00007FFC6FA2713D

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 7e47ca28742369fe6618816808a4c8b1d75f0f49f581dd722c821a23b829cda3
Instruction ID: 7a3c3c14bda012c020072eed971cd9f8a95a8bb6ad790ba5bf02d2f12aad73a7
Opcode Fuzzy Hash: 7e47ca28742369fe6618816808a4c8b1d75f0f49f581dd722c821a23b829cda3
Instruction Fuzzy Hash: DA018F25B2CA6EC2E6518B10FA51A6563A1EF8A7C4F0C8034DE8C0A7A7FE3CD551C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA294A0 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32 ref: 00007FFC6FA294E3

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 493c924839c8f486efe9302bf07efba55ae8e24e31a758d15e6e508aa6b42a41
Instruction ID: faef42ac267d346805644d3e9b070f89427e31d04ce29c58eb5e34b302e00279
Opcode Fuzzy Hash: 493c924839c8f486efe9302bf07efba55ae8e24e31a758d15e6e508aa6b42a41
Instruction Fuzzy Hash: 55011E61B2C56EC2EA10EB55E8512BA9311FFC8784F485031E98E4778BEF2CE155C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA27190 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 00007FFC6FA271EC

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: 4cc1cfa08cb3aa26b208f28932105458a4a2f75863f8a1a8a56e0b8e89d82dcb
Instruction ID: 24c2950ded9d0fef200f65599a3d43fc2d4351d534453b625602d5e3903aeb87
Opcode Fuzzy Hash: 4cc1cfa08cb3aa26b208f28932105458a4a2f75863f8a1a8a56e0b8e89d82dcb
Instruction Fuzzy Hash: 7EF05804F1D36F82FE6893A2581027101826FCA740E1C8434C81D8A3ABFE2CEA42D231

Uniqueness

Uniqueness Score: -1.00%

Function 0000024C71412060 Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000024C714129A2), ref: 0000024C714120B0

Memory Dump Source

Source File: 00000000.00000002.298527724.0000024C71410000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024C71410000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24c71410000_loaddll64.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction ID: 82e06450e2e057b405073b08d3fdfc1d9c449853baa33a9f9c1f21ab4a51d2cd
Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction Fuzzy Hash: 053129B6615A9086D790DF1AE45579A7BB4F389BD4F205026EF8D87B18DF3AC4428B00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFC6FA0C030 Relevance: 9.5, Strings: 7, Instructions: 762COMMON

Download Yara Rule

Strings

GNOP, xrefs: 00007FFC6FA0C361
3050, xrefs: 00007FFC6FA0C328
0020, xrefs: 00007FFC6FA0C4D9
UsS, xrefs: 00007FFC6FA0C053
3050, xrefs: 00007FFC6FA0C4D2
4040, xrefs: 00007FFC6FA0C4FA
0020, xrefs: 00007FFC6FA0C321

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 0020$0020$3050$3050$4040$GNOP$UsS
API String ID: 0-786335679
Opcode ID: 5be17ce47cb696ad8ebe08059e3a04d8274828d0908c5d2498a1ef30804e777d
Instruction ID: f2e435e8880853351fabc61b12e0b056c72dab55f0e815e6c40d7d140d27f970
Opcode Fuzzy Hash: 5be17ce47cb696ad8ebe08059e3a04d8274828d0908c5d2498a1ef30804e777d
Instruction Fuzzy Hash: E5724122A1C69ED5EB20EF20D4912ED2765FF94388F845032EA4D4769BFF38D645C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA19990 Relevance: 7.1, Strings: 5, Instructions: 866COMMON

Download Yara Rule

Strings

vfoR, xrefs: 00007FFC6FA1A518
vfoR, xrefs: 00007FFC6FA1A5A0
vfoR, xrefs: 00007FFC6FA1A39F
S4, xrefs: 00007FFC6FA19EFA
D, xrefs: 00007FFC6FA1A37B

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: S4$D$vfoR$vfoR$vfoR
API String ID: 0-739406038
Opcode ID: 9f81d7648c501c679a01b7c8bfebcff3f359ab3110e0c3c4bcb0409a87ab8b81
Instruction ID: e8b949838482a6f011aa711afcd890cfb38d2a3faecde97dda2c926ad85e518d
Opcode Fuzzy Hash: 9f81d7648c501c679a01b7c8bfebcff3f359ab3110e0c3c4bcb0409a87ab8b81
Instruction Fuzzy Hash: EA82AC32A2C69AC5EB10DB60E4905ED6761FF84794F814236EA5E47ADBFF38D508C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA1BAE0 Relevance: 6.9, Strings: 5, Instructions: 645COMMON

Download Yara Rule

Strings

vfoR, xrefs: 00007FFC6FA1C25F
vfoR, xrefs: 00007FFC6FA1C2E3
S4, xrefs: 00007FFC6FA1BDCB
vfoR, xrefs: 00007FFC6FA1C0C2
vfoR, xrefs: 00007FFC6FA1BE17

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: S4$vfoR$vfoR$vfoR$vfoR
API String ID: 0-2269768260
Opcode ID: ad1c61b5abb7709118fef60bedef370a1d41792bb72744018df3e1a3b7ec9870
Instruction ID: d0c73a3bed036e5cdc7724eb1f95dffb4ac34c27e4886da0143d83243e9956f9
Opcode Fuzzy Hash: ad1c61b5abb7709118fef60bedef370a1d41792bb72744018df3e1a3b7ec9870
Instruction Fuzzy Hash: AF42DF21B1C66EC1EA10EBA195502FE6291AF857E4F454235EA5E07BDBFF3CE506C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA54FF0 Relevance: 5.7, Strings: 4, Instructions: 682COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00007FFC6FA5536B
ERCP, xrefs: 00007FFC6FA5511D
VUUU, xrefs: 00007FFC6FA553C4
VUUU, xrefs: 00007FFC6FA5534B

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU
API String ID: 0-2165971703
Opcode ID: 591c415930979aab0714090d7240fd92d9ed515d5c4c0def523605ced274e22d
Instruction ID: 5bf741c4d98ffb1a2e9d17ff8a5756b9093fdb9778ceeb102f8c09faae87d788
Opcode Fuzzy Hash: 591c415930979aab0714090d7240fd92d9ed515d5c4c0def523605ced274e22d
Instruction Fuzzy Hash: 4352A272A0D6AECEEB668E69D4403BD37A1FB0475CF184135DA5E5BA86EB3CE440C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA06FE0 Relevance: 4.3, Strings: 3, Instructions: 509COMMON

Download Yara Rule

Strings

)8GV, xrefs: 00007FFC6FA075FD
@, xrefs: 00007FFC6FA076ED
)8GV, xrefs: 00007FFC6FA0747C

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: )8GV$)8GV$@
API String ID: 0-2802744955
Opcode ID: be4ed7d546273f48a43cc3949a30825a3f966d05a4d232db6a547afc854aff41
Instruction ID: b546344ae3d82acb4c8774f1d1c05707824bb72369aef53c9ca28559368fad8b
Opcode Fuzzy Hash: be4ed7d546273f48a43cc3949a30825a3f966d05a4d232db6a547afc854aff41
Instruction Fuzzy Hash: 41323B22B2C6AED5EB10EB61D8512FE6761EF94388F845031EA4D4769BFF38E505C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9E6790 Relevance: 4.2, Strings: 3, Instructions: 406COMMON

Download Yara Rule

Strings

*/*, xrefs: 00007FFC6F9E6CE2
POST, xrefs: 00007FFC6F9E6CD6
GET, xrefs: 00007FFC6F9E686D, 00007FFC6F9E687B

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: */*$GET$POST
API String ID: 0-3233530491
Opcode ID: 6a5464faf8c14e7bbf553d431dd16a1925e01ededdcf9ee096d392032e91729e
Instruction ID: 7e67a4b1e7946773284d5aadce8c100cf8c37d5ce869ec0708d93541e1cd15d6
Opcode Fuzzy Hash: 6a5464faf8c14e7bbf553d431dd16a1925e01ededdcf9ee096d392032e91729e
Instruction Fuzzy Hash: A3126D36A1CA9AD5EB10DF60E8512EE7761FB85388F844031EA4D47B9BEF38D149C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA191F0 Relevance: 4.1, Strings: 3, Instructions: 321COMMON

Download Yara Rule

Strings

vfoR, xrefs: 00007FFC6FA19592
vfoR, xrefs: 00007FFC6FA194F3
0, xrefs: 00007FFC6FA19296

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 0$vfoR$vfoR
API String ID: 0-4254161263
Opcode ID: cd8951c80b0ea57377bc0f64a2a05ecad260469982a5483db1c6db2a3b164e50
Instruction ID: d3cee4f64a1539e2e277f732e60272af143ce746128c5fcaca8bde727b90ff88
Opcode Fuzzy Hash: cd8951c80b0ea57377bc0f64a2a05ecad260469982a5483db1c6db2a3b164e50
Instruction Fuzzy Hash: B7D18F22B1C6AAC5EB10EB61E5501FE6365EF89784F894035EA4D47A9BFE38E505C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA1B250 Relevance: 2.9, Strings: 2, Instructions: 387COMMON

Download Yara Rule

Strings

vfoR, xrefs: 00007FFC6FA1B705
vfoR, xrefs: 00007FFC6FA1B5F3

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: Close
String ID: vfoR$vfoR
API String ID: 3535843008-516101275
Opcode ID: 12c8d0d41247167074268dd0a62a7e8d080d29695c84f2185fcc578680d2d952
Instruction ID: 4a80aca5290644d8f6e71fd20df833f68406467d63a1e279c9cde6c10adf46ec
Opcode Fuzzy Hash: 12c8d0d41247167074268dd0a62a7e8d080d29695c84f2185fcc578680d2d952
Instruction Fuzzy Hash: D1F18E22B1C5AED5EB10EB70E4911FD2361AF94384F894036EA0E57ADBFE38E505D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9E2980 Relevance: 2.9, Strings: 2, Instructions: 387COMMON

Download Yara Rule

Strings

UsS, xrefs: 00007FFC6F9E2992
UsS, xrefs: 00007FFC6F9E2AEF

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: UsS$UsS
API String ID: 0-3680756722
Opcode ID: 190c78d6fe256d3509561c12582c30a495d30e964611086cf493d19d9ba03174
Instruction ID: 84248d040e704cf96a8f64ff5ab15a758f40455e1ea7627518f90cc9e1e14f1a
Opcode Fuzzy Hash: 190c78d6fe256d3509561c12582c30a495d30e964611086cf493d19d9ba03174
Instruction Fuzzy Hash: 8902F722B2C5AED9EB10EB60D4A12FD6365EF94344F845031EA4D47ADBFE28E645C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9E18D0 Relevance: 2.8, Strings: 2, Instructions: 320COMMON

Download Yara Rule

Strings

UsS, xrefs: 00007FFC6F9E1CCF
UsS, xrefs: 00007FFC6F9E18EA

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: UsS$UsS
API String ID: 0-3680756722
Opcode ID: 5c28192ead8197b9c5e80147933d5d0a08f0e57e755b73299ee2e05799834e0c
Instruction ID: 535cfaa2e01281956b49b89b5195ad4a9bc9e6d06aad216661eb7d58da21b3b7
Opcode Fuzzy Hash: 5c28192ead8197b9c5e80147933d5d0a08f0e57e755b73299ee2e05799834e0c
Instruction Fuzzy Hash: 65F12722B2C5AED5EB10EB60D8911FD6365FF91348F844132E64E47ADBBF28E645C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA42CA0 Relevance: 2.6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

Strings

,q,\, xrefs: 00007FFC6FA42D9E
,q,\, xrefs: 00007FFC6FA42DDB

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: ,q,\$,q,\
API String ID: 0-1092452903
Opcode ID: da22d920ff5cc6227cc0f6e061e432e43b1ab4f4e1d95c9d1540ba4b916ccb75
Instruction ID: 87fc4ea295292231b831d52641771cc81ddfd0044380b2240fcb64f7f014c3a4
Opcode Fuzzy Hash: da22d920ff5cc6227cc0f6e061e432e43b1ab4f4e1d95c9d1540ba4b916ccb75
Instruction Fuzzy Hash: A6413D12F2C67ED4FB14EB7598510FD62A1AF98784B984035EA0E97ACBFE2CD501C230

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA16130 Relevance: 2.5, Strings: 1, Instructions: 1270COMMON

Download Yara Rule

Strings

UsS, xrefs: 00007FFC6FA16190

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: UsS
API String ID: 0-2967771648
Opcode ID: 38292c9ac6e7e5dd10b919c58137f360e7008a42d0787533f405ae3a1fd5d327
Instruction ID: 1ed6603f4bccfc6d91b39dcc020f4c9503c8d221d9d866d4768121f352e77d5c
Opcode Fuzzy Hash: 38292c9ac6e7e5dd10b919c58137f360e7008a42d0787533f405ae3a1fd5d327
Instruction Fuzzy Hash: 38D24B22A1C6AED5EB60EB20C4912FD2365EF95348F855031EA4D876DBFF28E645C730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9EC5A0 Relevance: 2.1, Strings: 1, Instructions: 865COMMON

Download Yara Rule

Strings

GET, xrefs: 00007FFC6F9EC5B5

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: GET
API String ID: 0-1805413626
Opcode ID: 191bd874223b941efcdc37b276927ba136f876b1b1cf62d8a1eba65c660f0a7c
Instruction ID: 59eaf550259a9c666a66c8876fd673f9a7db7ef41d6027ff09e482955f0d7278
Opcode Fuzzy Hash: 191bd874223b941efcdc37b276927ba136f876b1b1cf62d8a1eba65c660f0a7c
Instruction Fuzzy Hash: E7826D22E1C66EC5EB50DB2590913BE6B61EF85748F445032EA8E476CBEE3DE446C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9F9D70 Relevance: 2.1, APIs: 1, Instructions: 609COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f804f7894b327b0970bb908ac1e239350b84a3789e018404dcef07800529f1cd
Instruction ID: d03870ed745efbd4a7f8291f2d5d928d35b3b940ad06e5dc4df6f31270bfa95a
Opcode Fuzzy Hash: f804f7894b327b0970bb908ac1e239350b84a3789e018404dcef07800529f1cd
Instruction Fuzzy Hash: 56524B22B1D6AE89FB20EB61D8513FD2361EF94758F844031EA4D46ADBFF28E545C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9F5420 Relevance: 1.9, Strings: 1, Instructions: 680COMMON

Download Yara Rule

Strings

,q,\, xrefs: 00007FFC6F9F5611

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: Close
String ID: ,q,\
API String ID: 3535843008-3313482636
Opcode ID: 2c7c437138329b27b7c38f6ea0a614364d194ac4e271b8b161b2580c3d574676
Instruction ID: 29b82190a1231cf7bb3fd53309942f9ce51b070b346deb1eb4187f60180ec9d0
Opcode Fuzzy Hash: 2c7c437138329b27b7c38f6ea0a614364d194ac4e271b8b161b2580c3d574676
Instruction Fuzzy Hash: 57626722B1C66ED5FB10EB65D4912FD2761EF94384F848032EA4E47ADBFE28E545C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9F3CD0 Relevance: 1.8, Strings: 1, Instructions: 572COMMON

Download Yara Rule

Strings

z, xrefs: 00007FFC6F9F452E

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID: z
API String ID: 1964310414-1657960367
Opcode ID: 1e707f74714288df0667b0df01b82e277c3d87d6d76ba15377dbc88d48ddda99
Instruction ID: 6bad52f571f1a7acd1c049d700b8097b5653dcb8362adbd420b76ae9958c87cb
Opcode Fuzzy Hash: 1e707f74714288df0667b0df01b82e277c3d87d6d76ba15377dbc88d48ddda99
Instruction Fuzzy Hash: 7E524B32B18AA9E6F748EB30D6512ED7365FB84344F848036E71D47686EF38A165C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA05050 Relevance: 1.8, Strings: 1, Instructions: 566COMMON

Download Yara Rule

Strings

!hMy, xrefs: 00007FFC6FA050CA

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: !hMy
API String ID: 0-318797071
Opcode ID: 2d843baf34b2fd8d5bc90b995860dada836707dc61b81bacbb5f51131095915e
Instruction ID: ec88c166d80c8ca03b2fbaf8cbde730adf718516706c2d1ca00dbe8f1859e160
Opcode Fuzzy Hash: 2d843baf34b2fd8d5bc90b995860dada836707dc61b81bacbb5f51131095915e
Instruction Fuzzy Hash: 3D426E32A1C6AEC9EA24EB24E0512FE67A1EF95348F844031D69E42697FF2CE544C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA0A310 Relevance: 1.7, Strings: 1, Instructions: 488COMMON

Download Yara Rule

Strings

'Q|, xrefs: 00007FFC6FA0A42A

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: CloseEnumValue
String ID: 'Q|
API String ID: 858281747-3964534801
Opcode ID: 5c29c68aef5bf57122700dcf6e8e62fb19da7612d1f22e43b0a148901773b041
Instruction ID: b3c6c5473f54ce451667323e4f291406d13fae3271f4e0c641dbdee6e5e862bd
Opcode Fuzzy Hash: 5c29c68aef5bf57122700dcf6e8e62fb19da7612d1f22e43b0a148901773b041
Instruction Fuzzy Hash: 1A225C22B1C56ED5EA20EB60E0912FD6366EF94788F844131EA4E476DBFE3CE505C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA14360 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFC6FA148D7

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: f93daec1b69f50950a46521c9e13a37ddad6beb34a235d4e63775584177f1095
Instruction ID: 9535754c65cca60629bfbec6fc950541afb3029ec2dc8bd24470d863bf0d35e4
Opcode Fuzzy Hash: f93daec1b69f50950a46521c9e13a37ddad6beb34a235d4e63775584177f1095
Instruction Fuzzy Hash: 47225922B1C6AEC5FA10EB65D4513FD2761AF81388F845131EA4E46ADBFF2CE549C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA04140 Relevance: 1.7, Strings: 1, Instructions: 430COMMON

Download Yara Rule

Strings

Content-Type, xrefs: 00007FFC6FA0446F

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: Content-Type
API String ID: 0-2058190213
Opcode ID: ae2b7497b0f30d54529c1fb632152f60ce501d36a27229cda4a6615c475e73e5
Instruction ID: bbc7dea038539344a4de672c1edefacba3e670d9792532cc210a7432d6a7ef08
Opcode Fuzzy Hash: ae2b7497b0f30d54529c1fb632152f60ce501d36a27229cda4a6615c475e73e5
Instruction Fuzzy Hash: CE125722B1C66ED6EB24EB60E0912FD63A4BF55788F845035DE4E46687FE3CE509C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA069C0 Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

0, xrefs: 00007FFC6FA06C02

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 4a6d2e05d5d2ca01074d2b38cf9bc1e6586cf75b6ae7b38315789dffdcc95acf
Instruction ID: 9eab670dcb06eea9c81b2be9fcee2e2b0f4fea28280555d599c4e9bc773ecaba
Opcode Fuzzy Hash: 4a6d2e05d5d2ca01074d2b38cf9bc1e6586cf75b6ae7b38315789dffdcc95acf
Instruction Fuzzy Hash: 66F1A332B0C7ADC6EB14DB25A5502BE67A1FB86B88F444035EA4D47B9AEF3CD445C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA13CF0 Relevance: 1.6, Strings: 1, Instructions: 364COMMON

Download Yara Rule

Strings

-R+, xrefs: 00007FFC6FA142F6

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: -R+
API String ID: 0-215093852
Opcode ID: c4ac2ce24f8d8de888a696dd0a36769e48b06038051a5fbdc44cb656dec2df64
Instruction ID: 8f7d0120fb55b95997ba80c42de9f18453c623b1d3e704cfb4f231e826b560f8
Opcode Fuzzy Hash: c4ac2ce24f8d8de888a696dd0a36769e48b06038051a5fbdc44cb656dec2df64
Instruction Fuzzy Hash: 10028D22A1C6AED5EB10EB60D4911FD6765FF90348F849032EA4D47ADBEF38E545C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA011B0 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

, xrefs: 00007FFC6FA012AB

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 827202f5d2b5b2e60ad1ac815b4e038e1c503d1a990c37d258570859f0d0a253
Instruction ID: bbade43b10ab4b1d2a483003f248479a5aec186d45daa59bd2510cdf38879435
Opcode Fuzzy Hash: 827202f5d2b5b2e60ad1ac815b4e038e1c503d1a990c37d258570859f0d0a253
Instruction Fuzzy Hash: F2B17D21B1C66E85EB14EB7190512FD2761AF89788F884035DE0E5BBCBFE39E506C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA0F6B0 Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

, xrefs: 00007FFC6FA0F82E

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c52085b52813831b42183e47ad3d99a7f7d6d7082d4d86fa951259cb7f88e0df
Instruction ID: fe9a3d132f47d2934a4d726e7338620ffd396c25699bc9973950c8cc58606427
Opcode Fuzzy Hash: c52085b52813831b42183e47ad3d99a7f7d6d7082d4d86fa951259cb7f88e0df
Instruction Fuzzy Hash: AD81D425B1D26EC6E914A761A11137E6261EFC9B84F888438DA4E4778BFE3CE805C731

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA03D50 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

`ngU, xrefs: 00007FFC6FA03E7E

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: `ngU
API String ID: 0-1771476526
Opcode ID: 99573f904c5d6b3ad7913296c3be0af2c30b65ad59d47746cb0cd9dafcb922a0
Instruction ID: c0a7dbfa332b86474600b630fcc88547544c678d039a28b6ca5162ca7a9e37fb
Opcode Fuzzy Hash: 99573f904c5d6b3ad7913296c3be0af2c30b65ad59d47746cb0cd9dafcb922a0
Instruction Fuzzy Hash: 6C915122B1C56ED9FB14EF61E0912FD2371AF94788F845032EA4D57A8BEE28E545C370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA5B7A0 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00007FFC6FA5B7EF

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: ERCP
API String ID: 0-1384759551
Opcode ID: 5c0459b61386457cc212822abbe1eb74425903cd16e4a0cba1d06804f81f7a37
Instruction ID: 1b21021d58567e272e13c18c83374e168d80f857d83be892ab9a75e787014eb6
Opcode Fuzzy Hash: 5c0459b61386457cc212822abbe1eb74425903cd16e4a0cba1d06804f81f7a37
Instruction Fuzzy Hash: B341D967B244598BE3189E2598212BA2791F7E87817008538FBD7C3B86ED7CDE01C354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA30650 Relevance: .9, Instructions: 875COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd217a5175e934a3dd36d34768e08ac5d7c4076d3c65c3f50597a0699602e69f
Instruction ID: 4ddc4368cb0c738c5f589a17c84c89731a9f646a561d3bb0b5147693fee5e252
Opcode Fuzzy Hash: fd217a5175e934a3dd36d34768e08ac5d7c4076d3c65c3f50597a0699602e69f
Instruction Fuzzy Hash: 1282B022B1CBADC2EA648B1594403B967A1FB45B88F859036DB4D87787FF7CE845C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA34BC0 Relevance: .8, Instructions: 806COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 938572b376330c988c2ab532f803d7d936e039e3a94341f4623fef4a4037a9e3
Instruction ID: 1bbabcfb9d57ddf237989153f2353656e04dcedc1d9bfcb62162a36d258556a1
Opcode Fuzzy Hash: 938572b376330c988c2ab532f803d7d936e039e3a94341f4623fef4a4037a9e3
Instruction Fuzzy Hash: D572D122B0C7AEC9EA658B1994402B867A5FF45B84F894036CB4D87797FF7CE941C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA35840 Relevance: .8, Instructions: 796COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8924dbe6c7d405e2cff27ca73bd22417ad998fd89c4a4b63178fafe79df92f65
Instruction ID: feb549d57353d7095beabc9543e8e3ce95b1596e954c91ca58544f2049e03107
Opcode Fuzzy Hash: 8924dbe6c7d405e2cff27ca73bd22417ad998fd89c4a4b63178fafe79df92f65
Instruction Fuzzy Hash: 5D72D122B0C7AEC5EA658B1994406B967A1FF46B84F894036CB4D87797FF7CE941C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9F7410 Relevance: .7, Instructions: 747COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d8e2e209c00f75e11c67d77bead091f106e32e877392286763fd22477f5be851
Instruction ID: 62beacd93c571861fb9ec2e7492147bc6e9c0568b936c44db7615f911d5f33f7
Opcode Fuzzy Hash: d8e2e209c00f75e11c67d77bead091f106e32e877392286763fd22477f5be851
Instruction Fuzzy Hash: F6723C22B2C65ED4EB00EB60D4911ED6765EF95384FC45036EA4E8799BFF2CE609C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA2F870 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3faeac1cbfb6292ffdda141fe1e23e6e0c6ce6059580f73432d93193a345a3b9
Instruction ID: f4579ff675d9c56d78ebf3b1964788b2f882fc77f075ff3aeebb7b0c1aab9c1d
Opcode Fuzzy Hash: 3faeac1cbfb6292ffdda141fe1e23e6e0c6ce6059580f73432d93193a345a3b9
Instruction Fuzzy Hash: AA529F22B1CBADC6EA648B15D4543B967A1FB85B88F489035DA4D4779BFF3CE940C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA5EF80 Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a27784a074e2bb7dca5615da6ac60503d5b4f0c137b04b5a13c1ab1661bc6fbb
Instruction ID: 0cb9d3e94a3483a91bdfbc3ef4be83eca7040bc17afc081626558c9986adbd4f
Opcode Fuzzy Hash: a27784a074e2bb7dca5615da6ac60503d5b4f0c137b04b5a13c1ab1661bc6fbb
Instruction Fuzzy Hash: 4E625FB7A18669CBD7658F25C08052C37B1F758F68B25523ACF0D4778ADB38E891CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9FE9B0 Relevance: .7, Instructions: 675COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 84beafdb039b1081e4f9ed33b1d63d8a4b018f90d70022e3aa100a5b63227653
Instruction ID: 5fcaaa6b2f4093575d0e06cf7065a13a86f29e75bd95a00403ae3be53a0eebd9
Opcode Fuzzy Hash: 84beafdb039b1081e4f9ed33b1d63d8a4b018f90d70022e3aa100a5b63227653
Instruction Fuzzy Hash: 1A626E22B2C66ED5EB50EB60D4911FD6761EF84384F845032EA4E47A9BFF2CE548C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9E6E90 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aad6c12c6f4205963c672b76a8099d02b26c8d99045ba3237d2967ca350f401
Instruction ID: 7809b12665bd4d26c4250847924e6d4ca3cbec21b29433fad5a662d1dd9a68f5
Opcode Fuzzy Hash: 4aad6c12c6f4205963c672b76a8099d02b26c8d99045ba3237d2967ca350f401
Instruction Fuzzy Hash: 2C525B21B2C66EC5EA10EB60E4516FA6361FF84784F845031EA4E47B9BFE3CE506C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9F8670 Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715062e220f59cf9500e4b1a395658f8ab7f47472dd04a4be2b1a5b16cc3dca4
Instruction ID: 68602751cd58cc8ca040e52bdf76b76d7428d5b68e9034e37596c9e0e1023b8a
Opcode Fuzzy Hash: 715062e220f59cf9500e4b1a395658f8ab7f47472dd04a4be2b1a5b16cc3dca4
Instruction Fuzzy Hash: 6A426722B1C6AE89EB54EB61D4912FD6365EF80394F844132EA4D47ACBFF38E545C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA04800 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e648facd1d502af1e49e6eb6358983bc58e1ad11de91e4235a1da34ba6cd2659
Instruction ID: 8117a658ef6b70b8cf06ed5ad0a2d5e4ff98f12d5c457d88f7b906ccc9b29738
Opcode Fuzzy Hash: e648facd1d502af1e49e6eb6358983bc58e1ad11de91e4235a1da34ba6cd2659
Instruction Fuzzy Hash: 3832B022B1C66DC9EB10EB75D4912ED2761FB95B98F486036EE0E4778BEE38D045C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9F23F0 Relevance: .5, Instructions: 542COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7139bcd1ce5fdb58b7d546cb367074c75fbad7a78bf90e696654dd1ca0ba9ac0
Instruction ID: 2465b5d40ccb6d8c7523ce524a3728d943af3c726e5f5d07bf88a0b747b93814
Opcode Fuzzy Hash: 7139bcd1ce5fdb58b7d546cb367074c75fbad7a78bf90e696654dd1ca0ba9ac0
Instruction Fuzzy Hash: 4E326A22B1C6AED5EA10EB60D4911FD6761EF94388F845132EA4E47ADBFE3CE145C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9EB100 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16dea1e3c739009a0f3e1ac8366c1456fe6298dd4187c04af5b77b77fa2332cb
Instruction ID: eafd7d857964a84ef4a0a390b14c585084bb6fe4d76ab9f1b86ec90922a7729e
Opcode Fuzzy Hash: 16dea1e3c739009a0f3e1ac8366c1456fe6298dd4187c04af5b77b77fa2332cb
Instruction Fuzzy Hash: 5F425922A1C66ED5EB00EF20D4956FD6365FF90388F845032EA4D47A9BEF38E549C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9FD890 Relevance: .5, Instructions: 528COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996240fad6b35de64fc793b92b35b26cdcc948d61e990141f48373fa04fa355f
Instruction ID: a6dc43a76f07879d306fcb2badfea336ea507f32e3620df8e79448ed01a927c5
Opcode Fuzzy Hash: 996240fad6b35de64fc793b92b35b26cdcc948d61e990141f48373fa04fa355f
Instruction Fuzzy Hash: 10327F22B1DAAAC9EB10DF65D8512FD23A1FF84788F484135EA4D47B8AEF38D545C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA189F0 Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf3bbf9f7806764439d6e39547c55a4600bd87bd8b1462e0748042ecacfab7a1
Instruction ID: 5849c953ac3ed3e45b01f1e89406cb2d424c4bfb13f74b0186f9e447b1a03433
Opcode Fuzzy Hash: bf3bbf9f7806764439d6e39547c55a4600bd87bd8b1462e0748042ecacfab7a1
Instruction Fuzzy Hash: 17228E32B0C6AEC5EB10EB21D5952BE2395AF85B94F464239DE0E477C7EE38E505C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9F95C0 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a7c8d5628b2e1b56f0ddad685cb498a928b002692723bfd0881aa84ca68f43
Instruction ID: 9bdac9ef59776c63ade83e52225e35731916d8945b22d6ecef87af5df874d055
Opcode Fuzzy Hash: b9a7c8d5628b2e1b56f0ddad685cb498a928b002692723bfd0881aa84ca68f43
Instruction Fuzzy Hash: 23124A22B1C6AE85FB20EF60D8512FD2365EF94784F844035EA4E46ADBFE38E545C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA4E400 Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49b644cad6694cd14e8da8a75c2b99da55971c1b9b2318d785b08d65ed4a64b
Instruction ID: 94baf80062bbc77f592e82fa0748483cbd811faa5f1ca9632b9a38df40ee37c2
Opcode Fuzzy Hash: d49b644cad6694cd14e8da8a75c2b99da55971c1b9b2318d785b08d65ed4a64b
Instruction Fuzzy Hash: 92020F6690C2BEC5FB75CB24808037A7AE1EF11718F554136DACE826E7EA2CE941D731

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9EDE20 Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a31171ef1d09154c8bb64f43a5a6c94ab0abf716ba086a025094ebfeb533d6
Instruction ID: d88fcc584f973566d804a424478bcd03117e25b2b2498fb09eafc66a4bda498d
Opcode Fuzzy Hash: a7a31171ef1d09154c8bb64f43a5a6c94ab0abf716ba086a025094ebfeb533d6
Instruction Fuzzy Hash: 85225922B1C69ED5EB10EB71D4912ED6761FB94384F849036EA4E87A9BFF2CD105C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9E5C20 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d2b93ebdf18556efae1baa4f9cd6940db842e628aaa6e187870812b7cc1f0b
Instruction ID: ba7377dca55f517263d4858c7bc2c0adaac322dca86b56f95b462897cdf0c712
Opcode Fuzzy Hash: 50d2b93ebdf18556efae1baa4f9cd6940db842e628aaa6e187870812b7cc1f0b
Instruction Fuzzy Hash: 7D227B22B2C66ED5EA00EB24D4556FE2365FF95784F845032EA4D4369BEF3CE50AC720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA482A0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f214e6889ff07b5cdff74ab9c3a83d51ae64ba2f67ed0e5182fd07676cd33270
Instruction ID: e3ccb5114cc4634af938a6238c8365d2c6bb92f55c872861d5a92ebbaac0a858
Opcode Fuzzy Hash: f214e6889ff07b5cdff74ab9c3a83d51ae64ba2f67ed0e5182fd07676cd33270
Instruction Fuzzy Hash: 0A024D21B1C66E86FB64EB61A4512FA2395AF88788F484135EE5D477CBFF28F501C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA49410 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141879225045fb0130bba94e189b1d8bd3edad3111932d99e478955394790145
Instruction ID: d8c8b775c818ded487f639151c58dd5fbdb7ec5b96cf31452fbf73f8e8dc872b
Opcode Fuzzy Hash: 141879225045fb0130bba94e189b1d8bd3edad3111932d99e478955394790145
Instruction Fuzzy Hash: DF027B36B0C66ECAEB10DF25D2901AD23A5EF89784F554135DE4E8778BEE38E805C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9EBB20 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f12b039721c9f9441b328414c886d93419b1b5e6ea1361f51a92b464c44b6d
Instruction ID: f812a43860861b272b6d47c22f000868c0090a25c2d0d2d729eb03593454240c
Opcode Fuzzy Hash: 81f12b039721c9f9441b328414c886d93419b1b5e6ea1361f51a92b464c44b6d
Instruction Fuzzy Hash: 6D124F22B2C6AED5EB50EB25D4912FD6761FF84384F845032EA4D47A8BEE3CE505C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA4B260 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e98e18ea4c1e019747492c3fad16cfa81370afad5f2d5b4c6495e82c5679beda
Instruction ID: b688b3ad687d88851bd0135c5249a2c1c1a996293d0ff8518756d2533772f27a
Opcode Fuzzy Hash: e98e18ea4c1e019747492c3fad16cfa81370afad5f2d5b4c6495e82c5679beda
Instruction Fuzzy Hash: C7128D22B2C66ED9EB00EB61D8911FD6365FF94784F845032EA4D47A9BEF38E505C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA0872B Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf9948244fb180f3218659b2276fec5f0e0b2484f239b0f5a362a7c94b9c646
Instruction ID: 417313462ebbeb7e3705d46daa68325b351c47898520421a3617173d99ebb4e0
Opcode Fuzzy Hash: ecf9948244fb180f3218659b2276fec5f0e0b2484f239b0f5a362a7c94b9c646
Instruction Fuzzy Hash: 0D127C22B2C6AED8EB10EB70D4512ED2765EF91388F845132E64D47ADBEF38D644C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA106A0 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25436a7cbd74014a54dbca1e2ad640bb45033137a792dd7e05ffba4b7717c84d
Instruction ID: bd7a33783182054f217bb8cc270c4fb1d3a54f3a2f123c1d26bdabb37c65dd57
Opcode Fuzzy Hash: 25436a7cbd74014a54dbca1e2ad640bb45033137a792dd7e05ffba4b7717c84d
Instruction Fuzzy Hash: 77026C22B2C66ED5EB00EB60E4911ED6765FF94384F845036EA4D43A9BFF38E505C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9F08B0 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5bd0618e608784adac2a6ccecd2ba7583a7e321574bdf58de7476e057eceed6
Instruction ID: fc9019f2a6397a37b9863f0c188cdb8141e04dc41bc2d6bba26b55375d88f7f2
Opcode Fuzzy Hash: e5bd0618e608784adac2a6ccecd2ba7583a7e321574bdf58de7476e057eceed6
Instruction Fuzzy Hash: 8F024C62B18A6AD9EB11DF71C0912ED2725FB40748F805036EF4E57A8BEF39E509C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9F8FC0 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab26bde139a577f634ec716a25e385d05db8043f997b8ff14e02340ecc886974
Instruction ID: 349d6463dfc08928a662eb3c65a3db5e63a3c99215a2477f2885e79d8c2dd4a4
Opcode Fuzzy Hash: ab26bde139a577f634ec716a25e385d05db8043f997b8ff14e02340ecc886974
Instruction Fuzzy Hash: E4F15C22B1D6AEC5FB14EB60D8512FD2365EF94358F840135EA4E46ACBFE78E505C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9FE110 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ec38e4ac026a108be6877a1dfe6106ad33bdfe1698d2cb138a23c9dd75d2af
Instruction ID: 53485d171e53078e094d8284b452fe53fedd305ed409410154b37d4166938ac3
Opcode Fuzzy Hash: 70ec38e4ac026a108be6877a1dfe6106ad33bdfe1698d2cb138a23c9dd75d2af
Instruction Fuzzy Hash: C3023C22B2C56ED5FB10EB60D4916FD6361EF94384F844036EA4E87ADBFE28E545C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA4C780 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0587336b5e8e9ea409aa9731ab8c88bc8b42dff9bbafb05a3faf29ffd6b24f2
Instruction ID: c515de61531e57eb8d3c4a0113f95952cd7db233ecda731864a1175b5e70b747
Opcode Fuzzy Hash: c0587336b5e8e9ea409aa9731ab8c88bc8b42dff9bbafb05a3faf29ffd6b24f2
Instruction Fuzzy Hash: 6EF10B22B2C59ED9EB10EB60D8912FD6365EF94348F885032E64D469DBFF38D649C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9FA7D0 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f35c15e9e5d2534eefbfa35af379077ca060a314e0d68523628a075ba671c5
Instruction ID: 877346d9a88c75205a1cd7e1a1473429ffd0e776f5d6dfc5ccb8d2207898e803
Opcode Fuzzy Hash: 49f35c15e9e5d2534eefbfa35af379077ca060a314e0d68523628a075ba671c5
Instruction Fuzzy Hash: AFE16B22B1C6AED9FB10EB64D4612FD6365EF90348F845031EA4E47ACBFE28E545C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA0D550 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623638aa73f52889be8d1c31f433fa6a904df7df3d8eb3ae4ee5af1cf35276be
Instruction ID: 57bf8b511c55566c41b7d04a853a265f0fb4ee7f1daa87283150baa3d3c7cda3
Opcode Fuzzy Hash: 623638aa73f52889be8d1c31f433fa6a904df7df3d8eb3ae4ee5af1cf35276be
Instruction Fuzzy Hash: 33E15F22B2CA9ED5EB00EB60E4511EE6761FF94388F945032EA4D47ADBFF28D545C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA45B50 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c2437e9efd40f163505b5ee16583e4bba0e0d31fdf673491ef8b3244613bb6
Instruction ID: 406109469fff7bc2be0a735328ff1a90ae965c3fba4fc44a9a3d72c2a7042fb2
Opcode Fuzzy Hash: e6c2437e9efd40f163505b5ee16583e4bba0e0d31fdf673491ef8b3244613bb6
Instruction Fuzzy Hash: 1AC1391362C1E48BD7558B3664502BABE90EF953C8F5C0175EECD96ADBEA2CC214DB30

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA0DAA0 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019c3818e49e7492b17d3b444b1d0ddf21397838769942b4d133398172001bc0
Instruction ID: 0e795759729115dd471cbfd799e813ed8a2afeb46acd2758f0da20a6ac76e757
Opcode Fuzzy Hash: 019c3818e49e7492b17d3b444b1d0ddf21397838769942b4d133398172001bc0
Instruction Fuzzy Hash: 3AD19122B2C99ED1EB00EB71E4512EE6765FB94384F845036EA4D83A9BFF38D505C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA10D10 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cddc44d860aa59944bf5c23a4df4552e0da28415d8bd1abcc74885b13133f392
Instruction ID: 5c06a5e247d33f8965b1458d2440772ffc06e04064da5df166df75f996c63599
Opcode Fuzzy Hash: cddc44d860aa59944bf5c23a4df4552e0da28415d8bd1abcc74885b13133f392
Instruction Fuzzy Hash: 31C17F22F0C66EC9FB20EB7590512BE26A1AF84388F495035EE4D576DBFE38E515C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA0AC80 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: ccad621333b4d7c3af3512ed35376928892a56cea35c16817b0be71c12e5a4d6
Instruction ID: 51d84df3784e12f78c18a02f8247ca796becb8630fe3e716b4bf612106dd2f7d
Opcode Fuzzy Hash: ccad621333b4d7c3af3512ed35376928892a56cea35c16817b0be71c12e5a4d6
Instruction Fuzzy Hash: C3D12B22B1CA6ED5EA00EB60E4912FD6365FF80784F849031EA4D47ADBEF38E515C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA40770 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e42092f548368cb371c2b483d487d87f6b6e0d7345918813f4e9e68c14427a
Instruction ID: 4b98618d109aa8ce4684e909fd6b6e40fe991f98d12be820bb35e2a3c15eb32a
Opcode Fuzzy Hash: 78e42092f548368cb371c2b483d487d87f6b6e0d7345918813f4e9e68c14427a
Instruction Fuzzy Hash: F6C15C22B1C66EC5FB10EBA1C4552BD23A1AF64788F849031DE4D576DBFE38E506D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA40F30 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f517ed78391c7fc8f6e750fc61c14f38bf71b43654d3e29c65c5cd78ea3ef9
Instruction ID: a04b4709cbf6fdb18a5f0d22fe29d63e117f975c0e27a186482f30097e978091
Opcode Fuzzy Hash: b0f517ed78391c7fc8f6e750fc61c14f38bf71b43654d3e29c65c5cd78ea3ef9
Instruction Fuzzy Hash: 81C1BF22B0C66EDAEB15DB65D4502BC23A1EF84358F484235DA6D47ACBFF38E565C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA03910 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 307f0f14a74e58f75e681ef2cc5d2378040a00e8304d47f44f5e290cb001da96
Instruction ID: 83ff74909495d2d236f086f63ad2cf6becf352c0a82ded77c4ec097932cf1674
Opcode Fuzzy Hash: 307f0f14a74e58f75e681ef2cc5d2378040a00e8304d47f44f5e290cb001da96
Instruction Fuzzy Hash: 7DB13B26B2C62EC8EB04EA61D4515FD2366BF85BC8B895035EE0D57B8BEE3DD405C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA4B960 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53df476ed79f7d9c769377299a110c3beb3ff81f1d379afcb21d6d55ad6852e6
Instruction ID: e6b3382e7659b25e6c0d9b0e06de43fcf6625dd76a513e60ee85d921023e63e8
Opcode Fuzzy Hash: 53df476ed79f7d9c769377299a110c3beb3ff81f1d379afcb21d6d55ad6852e6
Instruction Fuzzy Hash: 11C15B22B1C66ED9FB10EBA1D4912FC2365AF54788F844536DE4D57A8BFE38E109C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA11D30 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cad23cfa913dfa6fb0abbc5f4e592e6c29b1c2ccc840bf6cb863661cf4785d8
Instruction ID: 3c25131ab2f61704a80695150d7c7289bda50945e36f57fdad444d1fb324f9da
Opcode Fuzzy Hash: 6cad23cfa913dfa6fb0abbc5f4e592e6c29b1c2ccc840bf6cb863661cf4785d8
Instruction Fuzzy Hash: D0C15D22B1C6AED9FB20EBA0D4512FD23A5AF95348F854131DE0D66ADBFE38D505C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA125C0 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c6439e09a40265a4e95b22acf488c3e8bcb13a6b9fe0244e0b503cf04d4d59
Instruction ID: 3709feaaaac9522d563f19e023038cb66f69c2154dd1ef60eca21c2d8bcb8df4
Opcode Fuzzy Hash: 83c6439e09a40265a4e95b22acf488c3e8bcb13a6b9fe0244e0b503cf04d4d59
Instruction Fuzzy Hash: 78B16D22B1C59EC6EA14EB21D4612FE63A1AF95784F854036EA4E4779BFE3CD504C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA44390 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6932f466916dd60a901800d8cf2606beabf989d8d377ac7c79455be2081a79f4
Instruction ID: eefca4386827a677a206e8a210e75f0142dd3a5249706432c7ca351056e6333a
Opcode Fuzzy Hash: 6932f466916dd60a901800d8cf2606beabf989d8d377ac7c79455be2081a79f4
Instruction Fuzzy Hash: 9CA1F621A1C7AEC2EA618E25A9103BA66D5BF84384F555135EE9D477CAFF3CD801C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA4E48B Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a38545368d800816d91fafedca056006431c0b1922fe48b29b4c2ab83955551
Instruction ID: 555e95dc50ce7832105d88f9df70014ddd36def019424dc4067e746ae1e10aed
Opcode Fuzzy Hash: 3a38545368d800816d91fafedca056006431c0b1922fe48b29b4c2ab83955551
Instruction Fuzzy Hash: 56A1006680C2BEC5FB65CB25808137ABBF1EF11309F154132DACE425E7EA2CA945D731

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA47AF0 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9aa67c4f42f0dc04bfc4c3fc88b13842e585507a9ff165ebfaf896c41a7855b
Instruction ID: b11d736a5ab921f1baa8ba6db7da51fd1dcd83b523b31acb6bca9da69869865b
Opcode Fuzzy Hash: c9aa67c4f42f0dc04bfc4c3fc88b13842e585507a9ff165ebfaf896c41a7855b
Instruction Fuzzy Hash: 47A1A122B0C6AEC5EB50DB6194416BA22D5EF98784F490235DE4D47B9BFF3CD906C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9E7A40 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 416f41ac475a1bb2d945df44cd1e44e91a0a7360b86ad90bd37f89514c6d65ab
Instruction ID: 9bb402e820afdd86209c482989985ed48f3b585ba4be079b204c25b7bf6b01f7
Opcode Fuzzy Hash: 416f41ac475a1bb2d945df44cd1e44e91a0a7360b86ad90bd37f89514c6d65ab
Instruction Fuzzy Hash: 65B14B21B2C69ED5EA00EB61E4511FE6361FF85784F845032EA4E47B9BEE3CE506C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA4E4AD Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
Instruction ID: 9dfe736217acac0433e97f1565d006b73f3089a149bac923131cade991ff5036
Opcode Fuzzy Hash: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
Instruction Fuzzy Hash: 94A1006280C2BEC5FB65CB25808137ABBF1EF11719F154132DACE425E7EA2CA945DB31

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA4E4B6 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
Instruction ID: 95d492d16a36efe42f5272bb8bc2ce4e995b6435840f802bbe008c70309abbf5
Opcode Fuzzy Hash: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
Instruction Fuzzy Hash: B4A1006280C2BEC5FB65CB25808137ABAF1EF11719F154131DACE425E7EA2CA945DB31

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA4E49D Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
Instruction ID: 8905058919b6e229306c40038fe8a71219d03efb52b4104d83a4fe39a6ea4678
Opcode Fuzzy Hash: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
Instruction Fuzzy Hash: C9A1006280C2BEC5FB65CB25808137ABBF1EF11719F154132DACE425E7EA2CA945DB31

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA4E4A6 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
Instruction ID: 04bc3f7a8daa4a177eb4b3f5bbc9af608b0387cb952411aba086f745c8889fd9
Opcode Fuzzy Hash: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
Instruction Fuzzy Hash: EEA1006280C2BEC5FB65CB25808137ABBF1EF11719F154132DACE425E7EA2CA945DB31

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA4E494 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
Instruction ID: 85136b2c62bef04b4824aadbf121f3402b93f4d439f0c922bbbd8585797eb1ad
Opcode Fuzzy Hash: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
Instruction Fuzzy Hash: B4A1006280C2BEC5FB65CB25808137ABBF1EF11719F154132DACE425E7EA2CA945DB31

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9E1010 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569d583be82325c813b668e3fae29fac5c2c643f185a7702baf3db750c305004
Instruction ID: 0283d982689138db5396011f8d3b4256d1166cf9cd59165642e3f9ef35e91028
Opcode Fuzzy Hash: 569d583be82325c813b668e3fae29fac5c2c643f185a7702baf3db750c305004
Instruction Fuzzy Hash: 8E918136B0D66EC5EB50EB61E5506BD23A5AF95784F448035DE0E47B8AFE3CE446C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9F65E0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975ee6b00cb24c07f036f3d819f996ca31b4416a8dd4e4182c2abd7e3d10cb05
Instruction ID: 1a53917f78005f72110b7bb716421e80dfa82a8256b413dde70f95b92bc804f0
Opcode Fuzzy Hash: 975ee6b00cb24c07f036f3d819f996ca31b4416a8dd4e4182c2abd7e3d10cb05
Instruction Fuzzy Hash: 01A14922B1CA6ED9FB14EB70D4611FC2365AF95348F844036EA0D57ACBFE28E545C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA0F1F0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d75a7698afae9605d3e224dd0ee04e26992e4c800efa125f3cbc6bda377ff7ab
Instruction ID: 3ca35e14a65c46e7701b98ed618a029ef6780550ad7e5a0081d17c545bc71359
Opcode Fuzzy Hash: d75a7698afae9605d3e224dd0ee04e26992e4c800efa125f3cbc6bda377ff7ab
Instruction Fuzzy Hash: 95A16B22B2C6AED5EA10EB20E4511FD6365EF94788F884035EA4D57A9BFF3CE505C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9F8340 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e81a262cda3168bcad7e7504a26cb2082127080fdf78040bff04c52d5a9599
Instruction ID: d44262acbc27fc8dc939263311f5072cdca29da3dff7e2a9ad6e5842b1ddb044
Opcode Fuzzy Hash: d7e81a262cda3168bcad7e7504a26cb2082127080fdf78040bff04c52d5a9599
Instruction Fuzzy Hash: 64912A22B1DA6ED9FB04EBB1D4912FC1365AF95388F845435DA0D57ACBFE28E509C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA0E9A0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: eb2f47225f8944379eb6ee4fb096a61c92ce38a4da04381e0fef862b7584f394
Instruction ID: 3d8a77872ac02ad22f40bc742cc425be7a9e2570427686d6485f49baa994e92d
Opcode Fuzzy Hash: eb2f47225f8944379eb6ee4fb096a61c92ce38a4da04381e0fef862b7584f394
Instruction Fuzzy Hash: 41918F22B2C56AD5EB10EB61E4925FE6365FF94384F845032EA4D43A9BEF2CD504C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA5BF6F Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bcda5f2e61e4c1def9d688b2f5660763abb74eff223fccdf401fc2a77c4feb5
Instruction ID: 798d049ca1871071eec1f35a88a12be1274d01359ce4ca03bb3e8080d78ee672
Opcode Fuzzy Hash: 3bcda5f2e61e4c1def9d688b2f5660763abb74eff223fccdf401fc2a77c4feb5
Instruction Fuzzy Hash: BD816F72A1C2ADCBE765CF29D088B6D36A9FB04744F114539DE0D87786EB39E840CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA1F870 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b85e566c5cd1b3efafa7de1cf7fdb180de4cf711e5ead7e0c2a340013c9006fe
Instruction ID: 4fc7bc7d9271893fb87bb6d6bb4a8c8ed885f9c62eabbffd77a7c299c06784d8
Opcode Fuzzy Hash: b85e566c5cd1b3efafa7de1cf7fdb180de4cf711e5ead7e0c2a340013c9006fe
Instruction Fuzzy Hash: 4D818566A1CAEEC6EB21DB2AD44007D6B61F785BD0F1A4136CE8E07756EE3CE441C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA082E0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f3b5d1f381441116eef44686c6cbc86ac4360f19897277b7bf3a5d517a81fc
Instruction ID: fba0213537de89fc488c58814b5cfdf34ca5f7ba2ca9863e13dab01696fabeee
Opcode Fuzzy Hash: f1f3b5d1f381441116eef44686c6cbc86ac4360f19897277b7bf3a5d517a81fc
Instruction Fuzzy Hash: 45916C22B1C66ECAF720DB60E4512FE23A5AF94748F895431DA4D436DBFF28E444C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA10300 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8bba41df0b631ae6b7206df5ab0a6277447c4f11eb6ec05468c548c9ecf811
Instruction ID: 3bfa264b23357b61954768bd2b120f4ee6fa0fec656bb939446ec7d535542797
Opcode Fuzzy Hash: ce8bba41df0b631ae6b7206df5ab0a6277447c4f11eb6ec05468c548c9ecf811
Instruction Fuzzy Hash: 7A915B22B0C66ED6EB10EBB0D5512FD2361AF80358F855132DA1D979DBFF28E519C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA46950 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8adc0b036d941ec198f692a244335db4514cc05e594f38ae55f616912a3bd7
Instruction ID: 78df11afc34084999910fc56cec5c9875f54fad03214a614651b339d33d959d4
Opcode Fuzzy Hash: 6f8adc0b036d941ec198f692a244335db4514cc05e594f38ae55f616912a3bd7
Instruction Fuzzy Hash: FF815E22B1C66ED5EB00EB71D4911FD63A5AF95788B884136EA4D47BCBFF28D505C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA12E10 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15b9d46af9fd614f4ce3e6585b09a2992937cc7e29b610393335479b4fa4217
Instruction ID: 71d6becac6ccd38ea84d5523567b091b5c6dd9307fe0e8ef475f5b16783f078c
Opcode Fuzzy Hash: a15b9d46af9fd614f4ce3e6585b09a2992937cc7e29b610393335479b4fa4217
Instruction Fuzzy Hash: 73717A21B1D66ED5EB24EB61D5512BD2292DF84B88F494035EA0D07BCBFE2DEA05C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA47EC0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dcde41e0a7583d518310dfbb963ee780db1660248ca706961fee8ac5049723c
Instruction ID: 002b4490bc27182d2ad3543426cb321124f79f7f1a700b99f489c1958c0fdd1b
Opcode Fuzzy Hash: 4dcde41e0a7583d518310dfbb963ee780db1660248ca706961fee8ac5049723c
Instruction Fuzzy Hash: 1861F121B1C66E80FA50EB26A5516BA5391AFC57D0F484236EEAD877C7FE2CE401C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA4A6B0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c36971f46e003a861835c282887fceece629fa51251a8ea25984ac83311837
Instruction ID: 465fec34a2a4dc21777fdff7b7a82e494a17c36f4590a10a9fdae2603a333060
Opcode Fuzzy Hash: 90c36971f46e003a861835c282887fceece629fa51251a8ea25984ac83311837
Instruction Fuzzy Hash: 34713F26B0DA2EC9EB14DF75D0612BD23A1EF84B48F544436DE4D47B9AEE38E509C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA3F2C0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798e347792bcf9b81b96428d86b51cfbcdcb2c80bf44afc999fdb096d1e74fe6
Instruction ID: 042fb34f555c4c375a58ad1682d428408ed2e7a091c3203ae899e6cbd854cb51
Opcode Fuzzy Hash: 798e347792bcf9b81b96428d86b51cfbcdcb2c80bf44afc999fdb096d1e74fe6
Instruction Fuzzy Hash: 49616D22B2C66ED5FB14EB60C0512BD2261EF98788F894435DA0D97ACBFE3DE501C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9E1620 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4dc2bfabc17449b75592575b237d49754ff1d7599ab7260522444cf79d2ee90
Instruction ID: f961fecbceb0f9f109cfe839fee60e3afff145c3a464a5b982ab34d891582f3d
Opcode Fuzzy Hash: b4dc2bfabc17449b75592575b237d49754ff1d7599ab7260522444cf79d2ee90
Instruction Fuzzy Hash: 0761B322B2C6AEC1FA20EB25D0516BE6361FF85780F845131EA4D47ACBFE6DD501CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA121D0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 5f7246672c4f2635fbe3e27ea1a26ce7b975931ce3ef8d289913ee3dc210ec60
Instruction ID: 704b751acabc16d7853cbb4446fd554cd51fc18fc2f21a189eb15ab10c868a70
Opcode Fuzzy Hash: 5f7246672c4f2635fbe3e27ea1a26ce7b975931ce3ef8d289913ee3dc210ec60
Instruction Fuzzy Hash: 1B717E32B1C699DAEB10DF60D4512ED77A1FB84348F884032EA4D47A8BEF78D549CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA4AAA0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 4dcd3f3a9430773343392af874a3cec46446313b628ad8462b91bb3a054a98e1
Instruction ID: 573c1b04b60f2cd3d09bc6b66b2117250ec69030c99c2fcea14429315e23ebaf
Opcode Fuzzy Hash: 4dcd3f3a9430773343392af874a3cec46446313b628ad8462b91bb3a054a98e1
Instruction Fuzzy Hash: 53517332B1C66ED6FB50EB61E4512FE6362EF94344F845031EA4D47A9BEE2CE544CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9FE770 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cfd4d3a38dcc9c286a30951bdd9187095240217e9738b6b55d4f719d628df71
Instruction ID: a0046ecde37f459508a3f195cc6696cb4c7ec8122b33efedbc2ee25b4bc7be34
Opcode Fuzzy Hash: 0cfd4d3a38dcc9c286a30951bdd9187095240217e9738b6b55d4f719d628df71
Instruction Fuzzy Hash: 21518F32B1C69EC5FA14EB25E0912BD63A1FF85B84F444135EA4D43A9BEE3CE545CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA03340 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a7ff3bafcc2a37528706618fae0f8a897251bd7c282e2d47e5eb98ccc3a526
Instruction ID: d45ed69e8349ad055a1d3a77cd39d5303383c763329ab4eb1d2a4733ce6aebb1
Opcode Fuzzy Hash: 26a7ff3bafcc2a37528706618fae0f8a897251bd7c282e2d47e5eb98ccc3a526
Instruction Fuzzy Hash: 32615C32608B99C5E750DF31A441AED33A9FB88B88F985138DE9C0B35AEF399055D734

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA4A490 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afce4a609fee308c5c1a4a340bcf7788c831058de8912a446226ba177db32512
Instruction ID: e5a5ca2e9f5dc857f578af568c4270f9db094eec62306a9b140205f218e5cf4a
Opcode Fuzzy Hash: afce4a609fee308c5c1a4a340bcf7788c831058de8912a446226ba177db32512
Instruction Fuzzy Hash: 7051A122B2C5AED1EA40EB22E5516AE6365FF85BC0F845032EE4D43B9BEE3DD504C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA11B30 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88a559203c7cebfbd6855f8d2fd484b342d8cb8f626eff4b2b47ba49cdf8c80
Instruction ID: 5cdcd30591cedd5365725e7ce4501bde4f2ffb517d454a5cdb734c568d96bc14
Opcode Fuzzy Hash: c88a559203c7cebfbd6855f8d2fd484b342d8cb8f626eff4b2b47ba49cdf8c80
Instruction Fuzzy Hash: 6E517C22B1C56ED9FB10DBA0D4516FD2365AF98788F858031EE0D46ACBFE38E505C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA10020 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b3305b9fafefbf6d9665b48dca7e44a69e4cfd2294423a0bed973e24c3a70c7
Instruction ID: 8128239be76f3abfbdc12ffaa8aa0924d1143633d391e4fe94e48e18edf09db1
Opcode Fuzzy Hash: 2b3305b9fafefbf6d9665b48dca7e44a69e4cfd2294423a0bed973e24c3a70c7
Instruction Fuzzy Hash: 9351BF22A1C66ED1EA10EB21D4515BE3364FF88790F864132EA4D83693EF3CE565C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA0E7B0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aacf1b87ad202d489a6ee4605f568d3ec7abe8f771595ee9debb43a7f5fc339
Instruction ID: 49d474e7161e3c1b6e960e1295569f1f5da71e6caab75bc15005cefb5405b607
Opcode Fuzzy Hash: 5aacf1b87ad202d489a6ee4605f568d3ec7abe8f771595ee9debb43a7f5fc339
Instruction Fuzzy Hash: 1E517222B1C56ED5FB50EB71E4912FD6361AF94348F880036EA4D4699BEF3CE548D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA42AE0 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c5eff94ab1069691c4844bc6226e708b04ada7520549e9c415e38db7fabc1b
Instruction ID: 8c9e2daeb57694eb1a1d1c1dfd15e060d2155735d9508d9043ac6bb1840fa612
Opcode Fuzzy Hash: a0c5eff94ab1069691c4844bc6226e708b04ada7520549e9c415e38db7fabc1b
Instruction Fuzzy Hash: 6D413D12F2C67EC4FB14EB7598511BD62A1AF88784F984035EE4E57ACBEE2CD501C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA03610 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d8bc27a582ef8d29315fb647332a4b76fe57972c11c4165758e2aa1f2c7868
Instruction ID: f2e9085c7730375e905ec30ed915235d98522643d4b1b502ad7f9d261515d740
Opcode Fuzzy Hash: e4d8bc27a582ef8d29315fb647332a4b76fe57972c11c4165758e2aa1f2c7868
Instruction Fuzzy Hash: 6C51EB32618B98C5E744DF35A4413DD33A8FB48F88F58413AEA8D4B79AEF349156C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA15CD0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5522483151d29cc1ab9e0e0eb5f9bdd0ac6375b7f5cd2107375de97b23ccdb
Instruction ID: 3284b3eba6a954ee3f7c2c9fb53796cbb1e9811e5f05d1da05bd9083fae9ac83
Opcode Fuzzy Hash: 8d5522483151d29cc1ab9e0e0eb5f9bdd0ac6375b7f5cd2107375de97b23ccdb
Instruction Fuzzy Hash: 6C51F37270D759CAE764DF74A1413AE3692EB89348F584139E64E0BBCAEF39D402C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA092C0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 38d7dda58c0679c6977d4be68162329fe93ef909192df4c5a73cbb15fa83e01e
Instruction ID: 3e717ab35cd6995a26a1a7e881a26c0a900d7c8414973b9bd0aa1931573902b0
Opcode Fuzzy Hash: 38d7dda58c0679c6977d4be68162329fe93ef909192df4c5a73cbb15fa83e01e
Instruction Fuzzy Hash: B9516A32718B9AE2E748DF21E5403E9B368FB88344F948025DB9C57696EF38E576C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA02F50 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d55567f7f273d0114b6f9410826bea7b15bcd4cc08515cb4158118f754d9868c
Instruction ID: 09841ec030cc323f633939c21ae6375c506c32e50feb6267026824e8f3c4e566
Opcode Fuzzy Hash: d55567f7f273d0114b6f9410826bea7b15bcd4cc08515cb4158118f754d9868c
Instruction Fuzzy Hash: 9951F832618BA485E744DF35E4402DD37A8FB48F88F58813AEA8D4B65AEF358156C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6FA45760 Relevance: .1, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b1fead93054258a54130b91537c3a8daa966aa2fadcba53e9f14037a1a1fe7d
Instruction ID: 8282f17a2324f59656a2a946aae4599d3d9642adc7dbd1dd3f580041e0302b11
Opcode Fuzzy Hash: 4b1fead93054258a54130b91537c3a8daa966aa2fadcba53e9f14037a1a1fe7d
Instruction Fuzzy Hash: 5531E666B0CAADCAF6644B0EA4103797691EF98340F988235DACD437C6FE6CE801D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9E5350 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f9d156710a96b2c26b0618203b3b02571b95e83806bfe28e8d5b0c11668b02
Instruction ID: 8fe4b80a50784255e8f741006f5fa0956e451dbb4a1eeaf8ee6163f553fa453d
Opcode Fuzzy Hash: 25f9d156710a96b2c26b0618203b3b02571b95e83806bfe28e8d5b0c11668b02
Instruction Fuzzy Hash: 32310E32718B9891E648DF25D5802ED73A9FB88B84FA88035E35C47696DF79D167C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6F9E7E80 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC6F9E0000, based on PE: true

Associated: 00000000.00000002.298711594.00007FFC6F9E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298769225.00007FFC6FA63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298780550.00007FFC6FA76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.298785028.00007FFC6FA78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc6f9e0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288751330fbc12dfa7c57884471a2cf55a6adf9df6ede5974d900619b2209c55
Instruction ID: 4cad63c3ef83ca8b44c560e43ee25c7b87533a30df2f81966f59583b7667e16c
Opcode Fuzzy Hash: 288751330fbc12dfa7c57884471a2cf55a6adf9df6ede5974d900619b2209c55
Instruction Fuzzy Hash: 9931D132608B8880D744DF35D9912ED72E9FF98B88FAC8035D64C4A5A6DF7AC157D320

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 2332, Parent PID: 4592COMMON

Execution Graph

Execution Coverage:	18.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	15
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000002717DFF2264 Relevance: 6.2, APIs: 4, Instructions: 230
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 000002717DFF23BE
VirtualProtect.KERNELBASE ref: 000002717DFF2478
RtlAvlRemoveNode.NTDLL ref: 000002717DFF25BE
VirtualProtect.KERNELBASE ref: 000002717DFF2684

Memory Dump Source

Source File: 00000003.00000002.357671453.000002717DFF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002717DFF0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2717dff0000_rundll32.jbxd

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction ID: e3052225f0278073abe6a9957b917f36723059585bdf700b733946bc692c57a3
Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction Fuzzy Hash: E5B153B6618BC586D770CB1AE44079EB7A0F7C9B84F108126EECD97B58DB79C8528F40

Uniqueness

Uniqueness Score: -1.00%

Function 000002717DFF2060 Relevance: 1.3, APIs: 1, Instructions: 67
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000002717DFF29A2), ref: 000002717DFF20B0

Memory Dump Source

Source File: 00000003.00000002.357671453.000002717DFF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002717DFF0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2717dff0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction ID: ac1dd054dc080b90f147f3499722d689d8738f63c15788ead3b32648277a95da
Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction Fuzzy Hash: BA317F72619B8486D790CF1AE45479A7BB0F789BC4F204026EF8D87B58DF3AC452CB00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 4356, Parent PID: 4532COMMON

Execution Graph

Execution Coverage:	18.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	15
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000002AC821F2264 Relevance: 6.2, APIs: 4, Instructions: 230
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 000002AC821F23BE
VirtualProtect.KERNELBASE ref: 000002AC821F2478
RtlAvlRemoveNode.NTDLL ref: 000002AC821F25BE
VirtualProtect.KERNELBASE ref: 000002AC821F2684

Memory Dump Source

Source File: 00000004.00000002.278432359.000002AC821F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002AC821F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ac821f0000_rundll32.jbxd

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction ID: 81381394bd03947390c8d42aba0d2c30343a6e570534b0219a7e190f9dc36cc0
Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction Fuzzy Hash: 64B142B6618AC58AD770CB1AF44079AB7A0F7C9B80F208126EE9D53B58DB7DC8518F40

Uniqueness

Uniqueness Score: -1.00%

Function 000002AC821F2060 Relevance: 1.3, APIs: 1, Instructions: 67
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000002AC821F29A2), ref: 000002AC821F20B0

Memory Dump Source

Source File: 00000004.00000002.278432359.000002AC821F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002AC821F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ac821f0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction ID: d88c9cb1e6b15a62ac2e510abbef6714ff57ce9adbecaf480d26f28ef7712170
Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction Fuzzy Hash: 93315C72615B8086D790CF1AE45479ABBB0F389BD4F204026EF8D87B18DF3AC8428B00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 5880, Parent PID: 4592COMMON

Execution Graph

Execution Coverage:	18.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	15
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00000258372F2264 Relevance: 6.2, APIs: 4, Instructions: 230
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00000258372F23BE
VirtualProtect.KERNELBASE ref: 00000258372F2478
RtlAvlRemoveNode.NTDLL ref: 00000258372F25BE
VirtualProtect.KERNELBASE ref: 00000258372F2684

Memory Dump Source

Source File: 00000009.00000002.284894658.00000258372F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000258372F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_258372f0000_rundll32.jbxd

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction ID: 4a014388ea619e492e8777bec06d57f8bb1ce26be70a10d61d3ef5b754e961c5
Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction Fuzzy Hash: D3B15576618BC586D770CB1AE44079EB7A0F7C9B80F108026EE8D93B58DF79C9518F44

Uniqueness

Uniqueness Score: -1.00%

Function 00000258372F2060 Relevance: 1.3, APIs: 1, Instructions: 67
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000258372F29A2), ref: 00000258372F20B0

Memory Dump Source

Source File: 00000009.00000002.284894658.00000258372F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000258372F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_258372f0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction ID: 62e0620c2fbb13f673f86e62b9a967b04eb41252ddd763a61d69c2b6e3b2a985
Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction Fuzzy Hash: A9315AB2615B8086D790CF1AE45479A7BB0F389FC4F204026EF8E97B18DF7AC4428B04

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 7008, Parent PID: 4592COMMON

Execution Graph

Execution Coverage:	18.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	15
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000020953582264 Relevance: 6.2, APIs: 4, Instructions: 230
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00000209535823BE
VirtualProtect.KERNELBASE ref: 0000020953582478
RtlAvlRemoveNode.NTDLL ref: 00000209535825BE
VirtualProtect.KERNELBASE ref: 0000020953582684

Memory Dump Source

Source File: 0000000E.00000002.293287425.0000020953580000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020953580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_20953580000_rundll32.jbxd

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction ID: e3623857dfd2e5971de96b7613b6663d368bdcf02dfa635f7a78e8c90e922df3
Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction Fuzzy Hash: 23B16776618BC486D730CB1AE44079EBBA0F7C9B80F508126EE8D57B59DB3DC8828F40

Uniqueness

Uniqueness Score: -1.00%

Function 0000020953582060 Relevance: 1.3, APIs: 1, Instructions: 67
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000209535829A2), ref: 00000209535820B0

Memory Dump Source

Source File: 0000000E.00000002.293287425.0000020953580000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020953580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_20953580000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction ID: ec2c996029a32db265c95461b5620b533cf58b8cdb1252f52bb1736f10cb31ae
Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction Fuzzy Hash: 56315E72615B9086D790CF1AE49579A7BB0F389BC4F205126EF8D87B19DF39C4828B00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: DisplaySwitch.exePID: 1740, Parent PID: 3352COMMON

Execution Graph

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	15
Total number of Limit Nodes:	1

Executed Functions

Function 000001B6DB1C2264 Relevance: 6.2, APIs: 4, Instructions: 230
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 000001B6DB1C23BE
VirtualProtect.KERNELBASE ref: 000001B6DB1C2478
RtlAvlRemoveNode.NTDLL ref: 000001B6DB1C25BE
VirtualProtect.KERNELBASE ref: 000001B6DB1C2684

Memory Dump Source

Source File: 00000014.00000002.390873491.000001B6DB1C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B6DB1C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b6db1c0000_DisplaySwitch.jbxd

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction ID: 7afbb0c95793967120ca1c285993a848fd82bc1b04083c1d4e64f3e5a0b1f1f1
Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction Fuzzy Hash: ECB15176618BC486D7708B5AE440BDAB7A0F7D9B80F148126EEC993B58DB7DC8528F40

Uniqueness

Uniqueness Score: -1.00%

Function 000001B6DB1C2060 Relevance: 1.3, APIs: 1, Instructions: 67
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001B6DB1C29A2), ref: 000001B6DB1C20B0

Memory Dump Source

Source File: 00000014.00000002.390873491.000001B6DB1C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B6DB1C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b6db1c0000_DisplaySwitch.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction ID: ad1a065f43f3fd3e31679e774f89fb117585f2bfd54988bdaf52cb16b392bd8f
Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction Fuzzy Hash: 70315AB2615B9086D790DF1AE45579A7BB0F389BC4F204026EF8D87B18DF3AC4928B00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF701BC1250 Relevance: 726.3, APIs: 399, Strings: 10, Instructions: 10503memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32 ref: 00007FF701BC1298

Part of subcall function 00007FF701BD72A0: LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,00007FF701BC12B6), ref: 00007FF701BD732E

CompareStringOrdinal.KERNEL32 ref: 00007FF701BC12F9
CompareStringOrdinal.KERNEL32 ref: 00007FF701BC131D
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC13BB
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC13C9
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC177F
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC178D
memset.MSVCRT ref: 00007FF701BC17C1
GetModuleHandleExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BC17F5
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BC1892
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC18F7
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC1909
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BC192C
memset.MSVCRT ref: 00007FF701BC1946
memcpy.MSVCRT ref: 00007FF701BC195F
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC19CB
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC1A20
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC1A3A
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC1A48

Part of subcall function 00007FF701BCC808: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCC81D
Part of subcall function 00007FF701BCC808: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCC82B

GetCurrentThreadId.KERNEL32 ref: 00007FF701BC1AC6
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC1B1F
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC1B39
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC1B47
wcscmp.MSVCRT ref: 00007FF701BC1BD4
wcscmp.MSVCRT ref: 00007FF701BC1BF0
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF701BC1C01
GetProcessMitigationPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1 ref: 00007FF701BC1C1B
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF701BC1C72
~SyncLockT.VCCORLIB ref: 00007FF701BC1C86
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BC1CE6
memset.MSVCRT ref: 00007FF701BC1CFE
memcpy.MSVCRT ref: 00007FF701BC1D17
~SyncLockT.VCCORLIB ref: 00007FF701BC1D2C
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC1DA2
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC1DB5
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC1E13
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC1E21
memcpy.MSVCRT ref: 00007FF701BC1E51
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC2033
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC2044
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC207C
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC208A
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC20A8
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC20B6
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC20C8
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC20D6
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC20E1
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC20EF
GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BC212B
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC213D
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC2170
memcpy.MSVCRT ref: 00007FF701BC2312
memcpy.MSVCRT ref: 00007FF701BC247C
memcpy.MSVCRT ref: 00007FF701BC2747
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC29F7
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC2A08
memcpy.MSVCRT ref: 00007FF701BC2A7C
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC2A97
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC2AA5
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC2B18
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC2B26
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC300C
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC301E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC303D
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC304E
memcpy.MSVCRT ref: 00007FF701BC3070
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC307D
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3090
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3100
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC310E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3144
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3152
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3165
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3173
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3186
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3194
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC319E
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC31AC
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC31D6
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC31E4
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC31FF
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC320D
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3220
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC322E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3241
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC324F
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3259
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3267
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC331B
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC332C
memcpy.MSVCRT ref: 00007FF701BC33D6
memcpy.MSVCRT ref: 00007FF701BC342A
memcpy.MSVCRT ref: 00007FF701BC3477
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC34B4
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC34C2
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC368A
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC369B
GetModuleHandleExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BC3707
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC3711
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BC3745
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC383A
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3848
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3863
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3871
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3884
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3892
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC38A5
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC38B3
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC38BD
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC38CB
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC38DD
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC38EB
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC38FA
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3908
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3921
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC392F
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3942
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3950
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3963
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3971
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC397B
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3989
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3998
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC39A6
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3B3B
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3B4D
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3B73
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3B84
memcpy.MSVCRT ref: 00007FF701BC3BA9
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3BC3
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3BD4
memcpy.MSVCRT ref: 00007FF701BC3BEC
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3C0C
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3C1D
memcpy.MSVCRT ref: 00007FF701BC3C39
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3C63
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3C71
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3C84
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3C92
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3CA5
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3CB3
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3CBD
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3CCB
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3D00
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3D0E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3D21
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3D2F
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3D42
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3D50
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3D5A
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3D68
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3DAE
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC3DBC
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC4275
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC4283
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC42D7
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC42E5
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC4459
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC446A
memcpy.MSVCRT ref: 00007FF701BC4498
memcpy.MSVCRT ref: 00007FF701BC497F
memset.MSVCRT ref: 00007FF701BC49EE
memset.MSVCRT ref: 00007FF701BC4A23
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC4A65
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC4A76
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC4E35
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC4E43
memset.MSVCRT ref: 00007FF701BC4E74
GetModuleHandleExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BC4EB0
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BC4F54
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC4FB6
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC4FC8
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BC4FE8
memset.MSVCRT ref: 00007FF701BC5004
memcpy.MSVCRT ref: 00007FF701BC501D
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC50B5
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC50C6
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC5467
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC5475
memset.MSVCRT ref: 00007FF701BC54A9
GetModuleHandleExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BC54D8
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BC557C
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC55E2
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC55F4
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BC561A
memset.MSVCRT ref: 00007FF701BC5637
memcpy.MSVCRT ref: 00007FF701BC5650
memset.MSVCRT ref: 00007FF701BC5682
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC56F0
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC5770
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC579F
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC57AD
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC57EB
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC57F9
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC5A52
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC5A63
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC5E28
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC5E36
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC5E8F
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC5E9E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC5F64
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC5F72
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC6020
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC6049
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC60D1
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC60DF
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC619C
memset.MSVCRT ref: 00007FF701BC6233
memset.MSVCRT ref: 00007FF701BC62A5
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC62CF
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BC6343
memset.MSVCRT ref: 00007FF701BC6364
memcpy.MSVCRT ref: 00007FF701BC637D
memset.MSVCRT ref: 00007FF701BC63C0
memset.MSVCRT ref: 00007FF701BC6516
memset.MSVCRT ref: 00007FF701BC6527
memset.MSVCRT ref: 00007FF701BC6545
memset.MSVCRT ref: 00007FF701BC65EA
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC6669
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC66EE
memset.MSVCRT ref: 00007FF701BC673D
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC6763
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC67D9
memset.MSVCRT ref: 00007FF701BC6A9A
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC6AC2
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC6B3A
memset.MSVCRT ref: 00007FF701BC6D6A
memset.MSVCRT ref: 00007FF701BC6E12
memset.MSVCRT ref: 00007FF701BC729E
memset.MSVCRT ref: 00007FF701BC72AF
memset.MSVCRT ref: 00007FF701BC72CF
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC7307
memset.MSVCRT ref: 00007FF701BC737D
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC73F0
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC77CF
memset.MSVCRT ref: 00007FF701BC790F
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC796F
memset.MSVCRT ref: 00007FF701BC7A10
memset.MSVCRT ref: 00007FF701BC7A22
memset.MSVCRT ref: 00007FF701BC7A41
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC7A7B
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC7B05
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC7B13
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC7B53
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC7B61
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC7B9A
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC7BA8
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BC7C54
memset.MSVCRT ref: 00007FF701BC7C6C
memcpy.MSVCRT ref: 00007FF701BC7C85
memset.MSVCRT ref: 00007FF701BC7CC7
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC7D03
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC7D14
memset.MSVCRT ref: 00007FF701BC8133
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC819D
memset.MSVCRT ref: 00007FF701BC856A
memset.MSVCRT ref: 00007FF701BC857C
memset.MSVCRT ref: 00007FF701BC8595
memset.MSVCRT ref: 00007FF701BC8644
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BC86AE
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC8B05
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC8B13
memset.MSVCRT ref: 00007FF701BC8B45
GetModuleHandleExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BC8B81
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BC8C1B
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC8C76
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC8C88
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BC8CA9
memset.MSVCRT ref: 00007FF701BC8CC1
memcpy.MSVCRT ref: 00007FF701BC8CDA
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BC8D91
memset.MSVCRT ref: 00007FF701BC8DA9
memcpy.MSVCRT ref: 00007FF701BC8DC2
~SyncLockT.VCCORLIB ref: 00007FF701BC8DEA
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC8E38
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC8E4B
memcpy.MSVCRT ref: 00007FF701BC8E6E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC8E97
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC8EA5
memcpy.MSVCRT ref: 00007FF701BC8ECC
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC8F82
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC8F93
memcpy.MSVCRT ref: 00007FF701BC924D
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC942C
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC943D
memcpy.MSVCRT ref: 00007FF701BC94B2
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC94D2
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC94E0
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9546
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9555
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9A4F
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9A5E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9A7F
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9A90
memcpy.MSVCRT ref: 00007FF701BC9AB5
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9AC2
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9AD5
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9B45
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9B53
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9B90
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9B9E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9BB4
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9BC2
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9BD8
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9BE6
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9BF2
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9C00
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9C32
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9C40
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9C66
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9C74
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9C8A
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9C98
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9CAE
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9CBC
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9CC8
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9CD6
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9D96
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9DA6
memcpy.MSVCRT ref: 00007FF701BC9DF8
memcpy.MSVCRT ref: 00007FF701BC9E4C
memcpy.MSVCRT ref: 00007FF701BC9E99
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9ED8
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BC9EE6
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA102
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA113
GetModuleHandleExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BCA181
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BCA18B
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BCA1BB
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA3E9
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA3FB
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA426
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA437
memcpy.MSVCRT ref: 00007FF701BCA45C
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA47A
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA48B
memcpy.MSVCRT ref: 00007FF701BCA4AA
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA4CB
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA4DC
memcpy.MSVCRT ref: 00007FF701BCA4F8
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA522
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA530
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA543
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA551
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA564
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA572
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA57F
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA58D
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA5BE
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA5CC
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA5DF
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA5ED
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA600
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA60E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA61B
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA629
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA669
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCA677
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAB67
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAB75
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCABCE
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCABDC
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAD78
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAD89
memcpy.MSVCRT ref: 00007FF701BCADBA
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCADFC
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAE0A
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAE29
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAE37
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAE4C
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAE5A
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAE6F
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAE7D
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAE8A
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAE98
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAEAA
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAEB8
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAECA
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAED8
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAEED
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAEFB
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAF10
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAF1E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAF33
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAF41
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAF4C
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAF5A
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAF6C
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCAF7A
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCB0E9
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCB0F7
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCB115
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCB123
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCB135
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCB143
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCB14E
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BCB15C
~SyncLockT.VCCORLIB ref: 00007FF701BCB1EC

Strings

h, xrefs: 00007FF701BC64F9
, xrefs: 00007FF701BC8A62
z, xrefs: 00007FF701BC3789
Microsoft-Windows-Core-AllowMultiMon, xrefs: 00007FF701BC1F58, 00007FF701BC25BF, 00007FF701BC273A
Default, xrefs: 00007FF701BC1BE9
WinSta0, xrefs: 00007FF701BC1BCD
NtQuerySystemInformation, xrefs: 00007FF701BC373E, 00007FF701BCA1B4
Segoe UI Light, xrefs: 00007FF701BC59BD
z, xrefs: 00007FF701BC3828
ntdll.dll, xrefs: 00007FF701BC36D9, 00007FF701BCA156

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: Heap$Process$Free$Alloc$memset$memcpy$ErrorLast$Library$Module$AddressHandleProc$LockSync$CompareCurrentLocalOrdinalStringwcscmp$CommandFileLineMitigationNamePolicyThread
String ID: $Default$Microsoft-Windows-Core-AllowMultiMon$NtQuerySystemInformation$Segoe UI Light$WinSta0$h$ntdll.dll$z$z
API String ID: 197246612-3753395123
Opcode ID: 86dceb8d1b2c5de5102eae9393e4218585d124689459783405e9f0b10218c2ea
Instruction ID: ead1126b7e088c5f2020167b3f31d52d907d11437460c81a888a375a26f7f096
Opcode Fuzzy Hash: 86dceb8d1b2c5de5102eae9393e4218585d124689459783405e9f0b10218c2ea
Instruction Fuzzy Hash: B224C372B086918AE728DF35DC542A9B7E2FF48788F90A139DA0E47B94DF78E544C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BCFCD8 Relevance: 37.9, APIs: 25, Instructions: 396
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF701BCFCFE
TlsSetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF701BCFD52
CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF701BCFD64
SHSetThreadRef.SHLWAPI ref: 00007FF701BCFDC8
SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF701BCFDF9
TranslateMessage.USER32 ref: 00007FF701BCFE49
DispatchMessageW.USER32 ref: 00007FF701BCFE53
PeekMessageW.USER32 ref: 00007FF701BCFE6D
SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF701BCFEB4
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF701BCFECC
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF701BCFEF1
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF701BCFF5D
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF701BCFF8F
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF701BCFFF9

Part of subcall function 00007FF701BD0448: GetCurrentThreadId.KERNEL32 ref: 00007FF701BD04D5
Part of subcall function 00007FF701BD0448: SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF701BD0AEC), ref: 00007FF701BD04ED

ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF701BD0045
GetTickCount64.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF701BD00A9
GetTickCount64.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF701BD00D8

Part of subcall function 00007FF701BCF868: GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF701BCF893
Part of subcall function 00007FF701BCF868: OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF701BCF8DB
Part of subcall function 00007FF701BCF868: ReleaseSemaphore.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF701BCF8FB
Part of subcall function 00007FF701BCF868: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BCF905
Part of subcall function 00007FF701BCF868: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF701BCF92C

GetTickCount64.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF701BD00F1
GetTickCount64.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF701BD011C
GetTickCount64.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF701BD0148
GetTickCount64.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF701BD0168
SHSetThreadRef.SHLWAPI ref: 00007FF701BD01B8
CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF701BD01D5
SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF701BD021B
TlsSetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF701BD0299

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: Tick$Count64$EventExclusiveLockThread$CurrentMessageRelease$AcquireCountSemaphoreValue$CloseDispatchErrorHandleInitializeLastOpenPeekProcessTranslateUninitialize
String ID:
API String ID: 909974647-0
Opcode ID: dcf8d808901e6dc9c9139d8875dcbebaaf71311092c698a7de56fe113e8b8830
Instruction ID: c138b343b53b281b0630ab15048edda1db49805fd4a88bf971203be3505676b1
Opcode Fuzzy Hash: dcf8d808901e6dc9c9139d8875dcbebaaf71311092c698a7de56fe113e8b8830
Instruction Fuzzy Hash: F1025C36A09A0286EB24AF26EC4027DB3E5FF44B48F846535DA4E43A95DFBCE545C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BCD4F8 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF701BCD6C4: CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF701BCD708

TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF701BCD537
?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z.DUI70 ref: 00007FF701BCD56A
StrToID.DUI70 ref: 00007FF701BCD586
?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70 ref: 00007FF701BCD592
new.LIBCMT ref: 00007FF701BCD5D9
?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z.DUI70 ref: 00007FF701BCD628
?EndDefer@Element@DirectUI@@QEAAXK@Z.DUI70 ref: 00007FF701BCD652
?Destroy@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF701BCD69F

Strings

ErrorText, xrefs: 00007FF701BCD57F
ErrorMain, xrefs: 00007FF701BCD556

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: DirectElement@$Create$Defer@Descendent@Destroy@ElementElement@2@1FindInstanceListener@Listener@2@@Parser@V12@V32@@Value
String ID: ErrorMain$ErrorText
API String ID: 2284811954-3654061084
Opcode ID: 65c2cbe7a3777ad7cdfc99a68c914de29ab49f7a647c8dd7c4afdfa13cf7734f
Instruction ID: e6f0d166a3caf39184df8ee86ab306bdd55844cf0b270ca9cff6a059dff9480a
Opcode Fuzzy Hash: 65c2cbe7a3777ad7cdfc99a68c914de29ab49f7a647c8dd7c4afdfa13cf7734f
Instruction Fuzzy Hash: C2518729B08B4381FB50AB56EC40139E7A0EF88BC8F846135EA4E47764DFBCE455C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BD4EC8 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoW.USER32 ref: 00007FF701BD4F1C
?GetValue@Element@DirectUI@@QEAAPEAVValue@2@P6APEBUPropertyInfo@2@XZHPEAUUpdateCache@2@@Z.DUI70 ref: 00007FF701BD4F46
ARGBColorFromEnumI.DUI70 ref: 00007FF701BD4F6B
#120.UXTHEME ref: 00007FF701BD4F8A
#121.UXTHEME ref: 00007FF701BD4FA2
?Release@Value@DirectUI@@QEAAXXZ.DUI70 ref: 00007FF701BD506E
StrToID.DUI70 ref: 00007FF701BD5086
?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70 ref: 00007FF701BD5092
?SetValue@Element@DirectUI@@QEAAJP6APEBUPropertyInfo@2@XZHPEAVValue@2@@Z.DUI70 ref: 00007FF701BD50AB

Strings

Icon, xrefs: 00007FF701BD5077

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: Direct$Element@Value@$Info@2@Property$#120#121Cache@2@@ColorDescendent@EnumFindFromInfoParametersRelease@SystemUpdateV12@Value@2@Value@2@@
String ID: Icon
API String ID: 1974209762-3316025061
Opcode ID: b51a53d5fd1ab61deda7b444282f5feb30e422af8a09e9b03c93abf8fc6a3917
Instruction ID: 22313e75689423a39eacf6e787bfe6cc52ed20c662b4710f0f0da8432a163c95
Opcode Fuzzy Hash: b51a53d5fd1ab61deda7b444282f5feb30e422af8a09e9b03c93abf8fc6a3917
Instruction Fuzzy Hash: F251E532D18F4186E356AB359814175E3E4FF59B88F849332E94E63760EFBCE4928760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BE1670 Relevance: 12.2, APIs: 8, Instructions: 153COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF701BE16FE
RtlQueryWnfStateData.NTDLL ref: 00007FF701BE171F
LocalFree.KERNEL32 ref: 00007FF701BE17B6
LocalFree.KERNEL32 ref: 00007FF701BE17C9
LocalFree.KERNEL32 ref: 00007FF701BE1804
LocalFree.KERNEL32 ref: 00007FF701BE181E
LocalFree.KERNEL32 ref: 00007FF701BE184D
LocalFree.KERNEL32 ref: 00007FF701BE185B

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: FreeLocal$DataQueryStatememset
String ID:
API String ID: 146083357-0
Opcode ID: 7226858e0fe6559325a601bd4cde9789fa55a69d2fd2200c0bd5bbae810a1dac
Instruction ID: 0ddeeaa124a0e5fb173d5a0fc999fce185653bb3c84d8896ee26171b4a68ef23
Opcode Fuzzy Hash: 7226858e0fe6559325a601bd4cde9789fa55a69d2fd2200c0bd5bbae810a1dac
Instruction Fuzzy Hash: 8C51B372B08A8282E715DB2AAC4056AE7E1FF88BD8F94D131DE5D47B58DF7CD0458720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BD6EBC Relevance: 12.1, APIs: 8, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,?,00007FF701BD6CCC,?,?,?,?,?,00007FF701BCC9C9), ref: 00007FF701BD6EEB
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,00007FF701BD6CCC,?,?,?,?,?,00007FF701BCC9C9), ref: 00007FF701BD6EFE
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,00007FF701BD6CCC,?,?,?,?,?,00007FF701BCC9C9), ref: 00007FF701BD6F10
TlsSetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,?,00007FF701BD6CCC,?,?,?,?,?,00007FF701BCC9C9), ref: 00007FF701BD6F70
?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ.DUI70(?,?,?,?,?,00007FF701BD6CCC,?,?,?,?,?,00007FF701BCC9C9), ref: 00007FF701BD6F89
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,00007FF701BD6CCC,?,?,?,?,?,00007FF701BCC9C9), ref: 00007FF701BD6F93
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,00007FF701BD6CCC,?,?,?,?,?,00007FF701BCC9C9), ref: 00007FF701BD6FA1
TlsSetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,?,00007FF701BD6CCC,?,?,?,?,?,00007FF701BCC9C9), ref: 00007FF701BD6FAF

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: Heap$Value$Process$AllocDestroy@DirectFreeParser@
String ID:
API String ID: 3318439361-0
Opcode ID: c9be4a4f4667149e593d7ee37d4fa6044913236d4de35381b173ad1052fd43f5
Instruction ID: d359e773fd5f9063460a4ab8b82f32e0dc5f216da0ab89bab863499c402c25b2
Opcode Fuzzy Hash: c9be4a4f4667149e593d7ee37d4fa6044913236d4de35381b173ad1052fd43f5
Instruction Fuzzy Hash: 77215039B18B4282E714BF65EC84179F3A1BF94B48FD4A538DA1D47764DFACE8448720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BE2670 Relevance: 9.0, APIs: 6, Instructions: 50timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF701BE26A1
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF701BE26AF
GetCurrentThreadId.KERNEL32 ref: 00007FF701BE26BB
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF701BE26C7
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF701BE26D7
QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0 ref: 00007FF701BE26F2

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: 072c9b548032650f1a14b84e31538f112425de265649adb8b3cce5dfefab901d
Instruction ID: 60b5ed9a77a930dc8dc068cf5e1eed580ef09a795ddda0d9e8a7179d65fb5201
Opcode Fuzzy Hash: 072c9b548032650f1a14b84e31538f112425de265649adb8b3cce5dfefab901d
Instruction Fuzzy Hash: 25112926A04F418AEB10EF60EC541A873E4FF0875CB802A35EA6D83754EFBCD5A48350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BD5E1C Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f017351312c739ff35a25d48345cd7d34d82a073ed3e297bf249bf9f922325
Instruction ID: 45747a6d8fedcbd7c7f6ccc1bbdeaea4ebdfaf799d3770b8ae71093c6b97dd88
Opcode Fuzzy Hash: d3f017351312c739ff35a25d48345cd7d34d82a073ed3e297bf249bf9f922325
Instruction Fuzzy Hash: E231E62790C68386F7387B25DC043B89AB0EF45B0AF98A174D69D0B2D0EFACD8418331

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BCD6C4 Relevance: 4.7, APIs: 3, Instructions: 162comCOMMON

Download Yara Rule

APIs

CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF701BCD708

Part of subcall function 00007FF701BCC8A4: GetCurrentThreadId.KERNEL32 ref: 00007FF701BCC8BF
Part of subcall function 00007FF701BCC8A4: GetThreadDesktop.USER32 ref: 00007FF701BCC8C7
Part of subcall function 00007FF701BCC8A4: GetUserObjectInformationW.USER32 ref: 00007FF701BCC8FE
Part of subcall function 00007FF701BCC8A4: CompareStringOrdinal.KERNEL32 ref: 00007FF701BCC924

LocalFree.KERNEL32 ref: 00007FF701BCD8B2
LocalFree.KERNEL32 ref: 00007FF701BCD8C0

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: FreeLocalThread$CompareCreateCurrentDesktopInformationInstanceObjectOrdinalStringUser
String ID:
API String ID: 1760516675-0
Opcode ID: ec768492e916f68b3a1d08d3a1bbf32b19db0b6e4d11a9ad7388654bf4690dc8
Instruction ID: 81b78152b85c4d22089ad0bbe8128329aefb8e47355e45eaf97d5846d2682275
Opcode Fuzzy Hash: ec768492e916f68b3a1d08d3a1bbf32b19db0b6e4d11a9ad7388654bf4690dc8
Instruction Fuzzy Hash: EF614B2AB14A16C6FB10EF6ADC843A9A7A4FF48B88F905132DE0D47B68CF79D445C350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BCE2D8 Relevance: 4.6, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

FindResourceExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000000,00007FF701BCD7BF), ref: 00007FF701BCE31A
LoadResource.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000000,00007FF701BCD7BF), ref: 00007FF701BCE32B
LockResource.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000000,00007FF701BCD7BF), ref: 00007FF701BCE339

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: Resource$FindLoadLock
String ID:
API String ID: 2752051264-0
Opcode ID: 1bfd26673452516af80897550d9f44b142c54a95868243531a7f2233927ebebe
Instruction ID: a6fd97e5db7b0eb4a5e3dcf0d0c662e6c5f58b6d53153713412e6b7da0fbdaf2
Opcode Fuzzy Hash: 1bfd26673452516af80897550d9f44b142c54a95868243531a7f2233927ebebe
Instruction Fuzzy Hash: B1119022B0569282EF65EB46AC80139A7E0BF84BC4F989035EE4D47794DF7CE442C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BD6220 Relevance: 3.1, APIs: 2, Instructions: 72COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF701BD6249
?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z.DUI70 ref: 00007FF701BD62ED

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: DirectElementElement@Listener@Listener@2@@
String ID:
API String ID: 3443632610-0
Opcode ID: 001a1b6c401ed2979238ae72e1ce3b02d9adf70b04341faf7d2c3cef46a62418
Instruction ID: b9c4693f294151f64596bbba7d3a96374e0506bb8280e67e2a04b90a75698d75
Opcode Fuzzy Hash: 001a1b6c401ed2979238ae72e1ce3b02d9adf70b04341faf7d2c3cef46a62418
Instruction Fuzzy Hash: 12314D36A05B4286EB54AF26E840329A3A4EF48F98F99A135CE4D47758EF7CD4558310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BD5620 Relevance: 3.1, APIs: 2, Instructions: 71COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF701BD5649
?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z.DUI70(?,?,?,00007FF701BCD394), ref: 00007FF701BD56E0

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: DirectElementElement@Listener@Listener@2@@
String ID:
API String ID: 3443632610-0
Opcode ID: e0a937adfbac5481d4fe0f1a03b2f7fd5a957c3a685b1d61ec9c9076b561c47d
Instruction ID: 92fc2534b949911900d2e2df261a20174361c2f7081c63ffa89875dc6865c09c
Opcode Fuzzy Hash: e0a937adfbac5481d4fe0f1a03b2f7fd5a957c3a685b1d61ec9c9076b561c47d
Instruction Fuzzy Hash: EA315036605B42C1EB24AF26EC50268A2F4FF48F98F99A131DA5D47768EF7CD4518320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BE24E0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BE24EB

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f8ee7c4c598514478e85258730a7256447fa1f8a213d9236415c02e1d0c27cff
Instruction ID: 680ec4dbaa8337ff33180dea1c366eace5ee7c95b6fc3aa6405ab4baa0d7fb83
Opcode Fuzzy Hash: f8ee7c4c598514478e85258730a7256447fa1f8a213d9236415c02e1d0c27cff
Instruction Fuzzy Hash: 7CB09254E26403C1E704BB22AC8506052F07F5831CFC06470C10E84120EF9C919A8720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BCF868 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 104
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF701BCF893

Part of subcall function 00007FF701BCF7F0: _vsnwprintf.MSVCRT ref: 00007FF701BCF830

OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF701BCF8DB
ReleaseSemaphore.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF701BCF8FB
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BCF905
WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF701BCF919
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF701BCF92C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BCF937
TlsAlloc.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF701BCF942
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BCF94F
CreateSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-2-1 ref: 00007FF701BCF978
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BCF986
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF701BCF99E
TlsFree.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF701BCF9C2

Strings

ComTaskPool:%d, xrefs: 00007FF701BCF899

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: ErrorLast$Semaphore$CloseHandle$AllocCreateCurrentFreeObjectOpenProcessReleaseSingleWait_vsnwprintf
String ID: ComTaskPool:%d
API String ID: 2468636831-4207256202
Opcode ID: e5335e606b3442891abfb80f0a8f1540713e6a0e3ec7ad84c4a87f599a27c65f
Instruction ID: fa081c18ca5b9fa6228f6997324b01927752b4fd64f7f4768fd4e0f542a7c0c1
Opcode Fuzzy Hash: e5335e606b3442891abfb80f0a8f1540713e6a0e3ec7ad84c4a87f599a27c65f
Instruction Fuzzy Hash: FD41B835A08B4282F720BB25ACC42B9E2E2FF48759FD06139D94E82694DFFCE405C630

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BD6884 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 51
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThemeName.UXTHEME ref: 00007FF701BD68C0
PathRemoveFileSpecW.SHLWAPI ref: 00007FF701BD68CF
PathAppendW.SHLWAPI ref: 00007FF701BD68E1
PathAppendW.SHLWAPI ref: 00007FF701BD68F4
PathAppendW.SHLWAPI ref: 00007FF701BD6906
LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BD6917
ExpandEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF701BD6937
LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BD694C

Strings

ShellStyle.dll, xrefs: 00007FF701BD68FA
Shell, xrefs: 00007FF701BD68D5
%SystemRoot%\System32\ShellStyle.dll, xrefs: 00007FF701BD6930

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: Path$Append$LibraryLoad$CurrentEnvironmentExpandFileNameRemoveSpecStringsTheme
String ID: %SystemRoot%\System32\ShellStyle.dll$Shell$ShellStyle.dll
API String ID: 2893153931-2559496398
Opcode ID: b8c4515e8a48cbd9938dc03a02545a37f1cc50d20ee9ce112717691b84040ff0
Instruction ID: f14c6bf74fa9271b7f53361fb62cdb4107376834c123821abd487f2150d62055
Opcode Fuzzy Hash: b8c4515e8a48cbd9938dc03a02545a37f1cc50d20ee9ce112717691b84040ff0
Instruction Fuzzy Hash: F221773662894792EB61AB11EC406A9F3A0FF84B4DFC47031D14E46564EFBCE649C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BD50D4 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

?Initialize@TouchButton@DirectUI@@QEAAJIPEAVElement@2@PEAK@Z.DUI70 ref: 00007FF701BD5116
TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF701BD5135
?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z.DUI70 ref: 00007FF701BD5169
LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BD51E1
StrToID.DUI70 ref: 00007FF701BD51FE
?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70 ref: 00007FF701BD520A
?SetAccName@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF701BD523F

Strings

TopologyTile, xrefs: 00007FF701BD5159
Title, xrefs: 00007FF701BD51F7

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: Direct$Element@$Button@CreateDescendent@Element@2@Element@2@1FindInitialize@LoadName@Parser@StringTouchV12@V32@@Value
String ID: Title$TopologyTile
API String ID: 4059053364-4166586812
Opcode ID: 822e367c11ce09000f92bc4ac9836cfe21a90bc4220741fd28033eb693a83d72
Instruction ID: dab24055c3b2955a19ff57271df0fdacde64d493e8b92f584a96086f1c497bb7
Opcode Fuzzy Hash: 822e367c11ce09000f92bc4ac9836cfe21a90bc4220741fd28033eb693a83d72
Instruction Fuzzy Hash: B1415335B08A8382F764AB25EC543B9A3A0AF84B48FC46135EA4D47694EFBCE505C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BCD2B0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF701BCD6C4: CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF701BCD708

TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF701BCD2E6
?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z.DUI70 ref: 00007FF701BCD31A
StrToID.DUI70 ref: 00007FF701BCD361
?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70 ref: 00007FF701BCD36F
?SetLayoutPos@Element@DirectUI@@QEAAJH@Z.DUI70 ref: 00007FF701BCD37D
?EndDefer@Element@DirectUI@@QEAAXK@Z.DUI70 ref: 00007FF701BCD39F
?Destroy@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF701BCD3E0

Strings

SelectorMain, xrefs: 00007FF701BCD306
ConnectToDifferentDisplayArea, xrefs: 00007FF701BCD35A

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: DirectElement@$Create$Defer@Descendent@Destroy@Element@2@1FindInstanceLayoutParser@Pos@V12@V32@@Value
String ID: ConnectToDifferentDisplayArea$SelectorMain
API String ID: 2426526486-3734161780
Opcode ID: 74261cc5a96a5f849514e85132099a9848277aa555ccab7c2eebaadd08d9303a
Instruction ID: 015e8d6fbb9db93393053e474bdcc76ee7419545620b3792f8bb93298aee2342
Opcode Fuzzy Hash: 74261cc5a96a5f849514e85132099a9848277aa555ccab7c2eebaadd08d9303a
Instruction Fuzzy Hash: F2413729B0CB4282E750AB95EC9013EA7A1EFC8BD4F846035EA4E47755DFBCE445C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BD381C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 87synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF701BD382E

Strings

wil, xrefs: 00007FF701BD3843

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: ObjectSingleWait
String ID: wil
API String ID: 24740636-1589926490
Opcode ID: cad575bcfc6689c05be775496afca29aaa90e2818bd52064729bb44313a20b5d
Instruction ID: 3787ffbb30b19c02800c96030c52b5256d1bf04feb6b6cc359ae299ebbf66378
Opcode Fuzzy Hash: cad575bcfc6689c05be775496afca29aaa90e2818bd52064729bb44313a20b5d
Instruction Fuzzy Hash: 843173A1A0C54382F7646711DC4177AA2E1FF80794FE0A131D55E82AF6EFADE8458722

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BCDAC8 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 42COMMON

Download Yara Rule

APIs

StrToID.DUI70(?,?,00000000,00007FF701BCDA48,?,?,?,?,?,?,?,?,?,00007FF701BCD696), ref: 00007FF701BCDAEB
StrToID.DUI70(?,?,00000000,00007FF701BCDA48,?,?,?,?,?,?,?,?,?,00007FF701BCD696), ref: 00007FF701BCDB1A
StrToID.DUI70(?,?,00000000,00007FF701BCDA48,?,?,?,?,?,?,?,?,?,00007FF701BCD696), ref: 00007FF701BCDB2C
?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70(?,?,00000000,00007FF701BCDA48,?,?,?,?,?,?,?,?,?,00007FF701BCD696), ref: 00007FF701BCDB38

Part of subcall function 00007FF701BE1C50: GetDisplayConfigBufferSizes.USER32(00000000,?,?,?,?,00007FF701BCDAFB,?,?,00000000,00007FF701BCDA48), ref: 00007FF701BE1C83
Part of subcall function 00007FF701BE1C50: new.LIBCMT ref: 00007FF701BE1CB3
Part of subcall function 00007FF701BE1C50: new.LIBCMT ref: 00007FF701BE1CDB
Part of subcall function 00007FF701BE1C50: QueryDisplayConfig.USER32(?,?,00007FF701BCDAFB,?,?,00000000,00007FF701BCDA48), ref: 00007FF701BE1D04

Part of subcall function 00007FF701BD594C: StrToID.DUI70(?,?,?,00007FF701BCDB11,?,?,00000000,00007FF701BCDA48), ref: 00007FF701BD5972
Part of subcall function 00007FF701BD594C: ?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70(?,?,?,00007FF701BCDB11,?,?,00000000,00007FF701BCDA48), ref: 00007FF701BD597F
Part of subcall function 00007FF701BD594C: ?GetChildren@Element@DirectUI@@QEAAPEAV?$DynamicArray@PEAVElement@DirectUI@@$0A@@2@PEAPEAVValue@2@@Z.DUI70 ref: 00007FF701BD599E
Part of subcall function 00007FF701BD594C: ?GetRoot@Element@DirectUI@@QEAAPEAV12@XZ.DUI70 ref: 00007FF701BD59B9
Part of subcall function 00007FF701BD594C: ?ShowUIState@HWNDElement@DirectUI@@QEAAX_N0@Z.DUI70 ref: 00007FF701BD59D4
Part of subcall function 00007FF701BD594C: ?SetClass@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF701BD5A5A
Part of subcall function 00007FF701BD594C: ?RemoveLocalValue@Element@DirectUI@@QEAAJP6APEBUPropertyInfo@2@XZ@Z.DUI70 ref: 00007FF701BD5A74
Part of subcall function 00007FF701BD594C: ?Release@Value@DirectUI@@QEAAXXZ.DUI70 ref: 00007FF701BD5A91

Strings

NoButton, xrefs: 00007FF701BCDB25
ProjectionUIConfirmation, xrefs: 00007FF701BCDB13
ProjectionUIError, xrefs: 00007FF701BCDB56
ProjectionUISelector, xrefs: 00007FF701BCDAE1

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: Direct$Element@$V12@$ConfigDescendent@DisplayFindValue@$A@@2@Array@BufferChildren@Class@DynamicI@@$0Info@2@LocalPropertyQueryRelease@RemoveRoot@ShowSizesState@Value@2@@
String ID: NoButton$ProjectionUIConfirmation$ProjectionUIError$ProjectionUISelector
API String ID: 3777028525-2164469186
Opcode ID: d3645450060fff02edde16e8acd2c05a522bcbf626434a24392322a16a54d101
Instruction ID: a6de208f543c7be99f8737ffe354ffa6e168808941002c846384a9764f2208b9
Opcode Fuzzy Hash: d3645450060fff02edde16e8acd2c05a522bcbf626434a24392322a16a54d101
Instruction Fuzzy Hash: DB113029A08A4281EB24AF51EC50178B7A1FF88B88FC4A131E90E87755DFBCE955C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BD4668 Relevance: 15.2, APIs: 8, Strings: 2, Instructions: 186memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BD46A7
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BD46B8
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF701BD4869
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF701BD487B
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BD488A
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BD4898

Strings

X, xrefs: 00007FF701BD4800
_p0, xrefs: 00007FF701BD473D

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: Heap$CloseHandleProcess$AllocFree
String ID: X$_p0
API String ID: 826427307-2400676777
Opcode ID: 04e60e47405189eafbd62b6245fa11c8c3b4256092a83f5541ca49850f8b17ea
Instruction ID: a7eeabd21cb341300dab81fae05d51a90ac8538611e56302e923956128d66a2c
Opcode Fuzzy Hash: 04e60e47405189eafbd62b6245fa11c8c3b4256092a83f5541ca49850f8b17ea
Instruction Fuzzy Hash: FB61E736B15A8182EB25EF21EC406BAA3A0FF84B88F959031DE4D47B94EF7DD546C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BD643C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF701BD6480
CoAddRefServerProcess.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF701BD64C5
new.LIBCMT ref: 00007FF701BD6536
DeleteHandle.DUSER ref: 00007FF701BD6586
memset.MSVCRT ref: 00007FF701BD65A6
CreateAction.DUSER ref: 00007FF701BD65DA

Strings

(, xrefs: 00007FF701BD6597

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: ActionCreateDeleteHandleProcessServermemset
String ID: (
API String ID: 375858482-3887548279
Opcode ID: de8287af74efa812d802b1bc2c8181e389cc5b44df0ff2a647d0cbd16ac3fc0b
Instruction ID: 7198a233216b2d722c3613dfdfdc23813e809c8ace0495f66ee1a88d91f2166c
Opcode Fuzzy Hash: de8287af74efa812d802b1bc2c8181e389cc5b44df0ff2a647d0cbd16ac3fc0b
Instruction Fuzzy Hash: 92519C36A05B4685EB15EF25E8802A8B3B4FF48B48F84A235DE0D13764EFBCE456C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BD661C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

?StartDefer@Element@DirectUI@@QEAAXPEAK@Z.DUI70 ref: 00007FF701BD6652
LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BD6679
LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BD66B0
StrToID.DUI70 ref: 00007FF701BD66E8
?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70 ref: 00007FF701BD66F4
?EndDefer@Element@DirectUI@@QEAAXK@Z.DUI70 ref: 00007FF701BD6723

Strings

RevertText, xrefs: 00007FF701BD66E1

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: DirectElement@$Defer@LoadString$Descendent@FindStartV12@
String ID: RevertText
API String ID: 1528607397-191577245
Opcode ID: 4caaae5708e8d98bc1c40111ef437b06a669602c0cbac407e61a1c484192e44b
Instruction ID: 54720a1b0e7c0adad78052979f622f076578ce55194f78fa7f6a75fc7151d30f
Opcode Fuzzy Hash: 4caaae5708e8d98bc1c40111ef437b06a669602c0cbac407e61a1c484192e44b
Instruction Fuzzy Hash: C9317335A0CA4282EB24BB11FC546B9A7A0FF98B48FC56032DA4D47664EFBCE545C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BCC098 Relevance: 12.1, APIs: 8, Instructions: 88COMMON

Download Yara Rule

APIs

AcquireSRWLockShared.KERNEL32 ref: 00007FF701BCC0DA
DecodePointer.KERNEL32 ref: 00007FF701BCC0EC
ReleaseSRWLockShared.KERNEL32 ref: 00007FF701BCC115
ReleaseSRWLockShared.KERNEL32 ref: 00007FF701BCC125
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF701BCC158
EncodePointer.KERNEL32 ref: 00007FF701BCC16F
DecodePointer.KERNEL32 ref: 00007FF701BCC17E
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF701BCC19A

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: Lock$PointerReleaseShared$AcquireDecodeExclusive$Encode
String ID:
API String ID: 3770696666-0
Opcode ID: b1ca60b7cd9cc32699cad503c6eaf77eb4342cc0a80174bd94c64b34ad8ffd6c
Instruction ID: 754223cc6d6e424aba3274f0c4d9aa7b64f7ce902709a7b9fc38f0bb9272d965
Opcode Fuzzy Hash: b1ca60b7cd9cc32699cad503c6eaf77eb4342cc0a80174bd94c64b34ad8ffd6c
Instruction Fuzzy Hash: D141EA6AA08B4686EB14AF56EC50268B7A0FF98F99F949431DE4E43760CFBCD454C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BE1E8C Relevance: 10.6, APIs: 7, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF701BE1EB4
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF701BE1EEB
_amsg_exit.MSVCRT ref: 00007FF701BE1F09
_initterm.MSVCRT ref: 00007FF701BE1F94
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF701BE1FC1
exit.MSVCRT ref: 00007FF701BE2066
_cexit.MSVCRT ref: 00007FF701BE2075

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_cexit_inittermexit
String ID:
API String ID: 642454821-0
Opcode ID: 1d13006ad87b1d6ddf5630a752dcfa55d7316426e689c6127f98677cd1b3ab62
Instruction ID: 9523ecc0f5461b63f60b4d86cf26196272ee4fc7c2e11124733aae2804cfaf6c
Opcode Fuzzy Hash: 1d13006ad87b1d6ddf5630a752dcfa55d7316426e689c6127f98677cd1b3ab62
Instruction Fuzzy Hash: 5C615D25A0960286F720BB14EC40279B6E5FF5874CFD4E139D94E93695DFBCE841C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BD5C5C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

StrToID.DUI70(?,?,?,?,?,?,?,?,?,00007FF701BCCC7E), ref: 00007FF701BD5C72
?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70(?,?,?,?,?,?,?,?,?,00007FF701BCCC7E), ref: 00007FF701BD5C7F
?GetSelection@Selector@DirectUI@@QEAAPEAVElement@2@XZ.DUI70(?,?,?,?,?,?,?,?,?,00007FF701BCCC7E), ref: 00007FF701BD5C90
?KeyboardNavigate@Element@DirectUI@@SA?AVUID@@XZ.DUI70 ref: 00007FF701BD5CB1
?FireEvent@Element@DirectUI@@QEAAXPEAUEvent@2@_N1@Z.DUI70 ref: 00007FF701BD5CDB

Strings

TopologyList, xrefs: 00007FF701BD5C6B

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: Direct$Element@$Descendent@Element@2@Event@Event@2@_FindFireKeyboardNavigate@Selection@Selector@V12@
String ID: TopologyList
API String ID: 4056733895-740340369
Opcode ID: 5b3b673cdc776800ec1612876fbc3a42dc335a3ed67debfb1f68eb51bbdb0dac
Instruction ID: e3e8f1afec58bbc674b1caf2b40310654fc42c8282998e8c3465484e66162d83
Opcode Fuzzy Hash: 5b3b673cdc776800ec1612876fbc3a42dc335a3ed67debfb1f68eb51bbdb0dac
Instruction Fuzzy Hash: 8B012936A08B4182DB24AB11F814279A3E0FF88B88F885135EA8D47755DFBCD5548760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BD1290 Relevance: 10.3, APIs: 8, Instructions: 276memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BD1490
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BD14A2
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BD14D3
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BD14E5
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BD14FB
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BD150A
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BD1533
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BD1545

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: Heap$Process$Free$Alloc
String ID:
API String ID: 3689955550-0
Opcode ID: 3c7b6cf9da34330ac8c7a140189bd8a06c9d131e6c9b57d129cbb6a0c7ae35e4
Instruction ID: 28fdfe8698afa7b7a6366da6e1f7cb330a64135bf2e5a5134084df612fa67b76
Opcode Fuzzy Hash: 3c7b6cf9da34330ac8c7a140189bd8a06c9d131e6c9b57d129cbb6a0c7ae35e4
Instruction Fuzzy Hash: 03C1C762E09B9681EB19DF6998042BCA3A0FF49FA8F855235DE1D07B95EF7CD1818310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BD5270 Relevance: 9.1, APIs: 6, Instructions: 106COMMON

Download Yara Rule

APIs

?PressedProp@TouchButton@DirectUI@@SAPEBUPropertyInfo@2@XZ.DUI70 ref: 00007FF701BD5293
DuiCreateObject.DUI70 ref: 00007FF701BD52DB
?BackgroundProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ.DUI70 ref: 00007FF701BD532F
?SizeInLayoutProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ.DUI70 ref: 00007FF701BD5348
?Release@Value@DirectUI@@QEAAXXZ.DUI70 ref: 00007FF701BD5386
?Release@Value@DirectUI@@QEAAXXZ.DUI70 ref: 00007FF701BD539F

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: Direct$Info@2@Prop@Property$Element@Release@Value@$BackgroundButton@CreateLayoutObjectPressedSizeTouch
String ID:
API String ID: 2552318849-0
Opcode ID: 45e215214f07957e2103373fa95c4bd09e2912721be96a79e754306355aa0c5c
Instruction ID: fd670b77a1172a387283d04b66ffa073d25f415434842462df91c11a23442152
Opcode Fuzzy Hash: 45e215214f07957e2103373fa95c4bd09e2912721be96a79e754306355aa0c5c
Instruction Fuzzy Hash: 8B41AF26A18A4682E728EB15EC84779F7B0FF44B98F905131DE1E43A54EFBCE456C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BCFADC Relevance: 7.5, APIs: 5, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjectsEx.USER32 ref: 00007FF701BCFB03
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF701BCFB12
PeekMessageW.USER32 ref: 00007FF701BCFB65

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: ErrorLastMessageMultipleObjectsPeekWait
String ID:
API String ID: 435350009-0
Opcode ID: 104a865945fa34dfe0f945eeef0a19a6985c0998ae2851d8f515d210f9b49f61
Instruction ID: ca6484dae37712ca16b6c5b93775407b8085068a0f24aa298da381b67697d031
Opcode Fuzzy Hash: 104a865945fa34dfe0f945eeef0a19a6985c0998ae2851d8f515d210f9b49f61
Instruction Fuzzy Hash: 0101A135B1864287F360AB39E99477AA2D1FF5474CFC09238EA4E83594DFACD449C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BD54C0 Relevance: 7.5, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BD54E1
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF701BD54F5
??0ItemList@DirectUI@@QEAA@XZ.DUI70 ref: 00007FF701BD5506
?Initialize@Selector@DirectUI@@QEAAJPEAVElement@2@PEAK@Z.DUI70 ref: 00007FF701BD551F
?Destroy@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF701BD5535

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: Direct$Heap$AllocDestroy@Element@Element@2@Initialize@ItemList@ProcessSelector@
String ID:
API String ID: 977426433-0
Opcode ID: 0fd74ad37e5398cb7df5d8d9bdf757f9b2816f8939c5a511bf3f18aab3dc69b7
Instruction ID: 8bc7496ac88640d8cf519cf955b192ad22367289f3b0ab7123dbc2c7be2324b0
Opcode Fuzzy Hash: 0fd74ad37e5398cb7df5d8d9bdf757f9b2816f8939c5a511bf3f18aab3dc69b7
Instruction Fuzzy Hash: B7018035B19B4382EB24AB12BC54329A2A1AF89FD8FD89034DA4E47718EF7CE4418350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BD5AB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

StrToID.DUI70(?,?,?,00007FF701BCDEE7), ref: 00007FF701BD5AC0
?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70(?,?,?,00007FF701BCDEE7), ref: 00007FF701BD5ACD
?GetSelection@Selector@DirectUI@@QEAAPEAVElement@2@XZ.DUI70(?,?,?,00007FF701BCDEE7), ref: 00007FF701BD5ADE

Strings

TopologyList, xrefs: 00007FF701BD5AB9

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: Direct$Descendent@Element@Element@2@FindSelection@Selector@V12@
String ID: TopologyList
API String ID: 3863736683-740340369
Opcode ID: a2356af6499d7292855cbe10450e031e23c1e488df73b84d211ead6b3330a67d
Instruction ID: f09e3ef18741f4a1ba73cc41c4cac934b4a9af43550b47766ffe44c5d0a070a8
Opcode Fuzzy Hash: a2356af6499d7292855cbe10450e031e23c1e488df73b84d211ead6b3330a67d
Instruction Fuzzy Hash: 71F03024E0970281EF28FB62AC6407863F0EF88B49F846130DD0E47381EF7CE0558260

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BD1CB0 Relevance: 6.3, APIs: 4, Instructions: 258threadCOMMON

Download Yara Rule

APIs

ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF701BD1D24
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF701BD1F85
GetCurrentThreadId.KERNEL32 ref: 00007FF701BD1FD2
GetCurrentThreadId.KERNEL32 ref: 00007FF701BD2020

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: CurrentExclusiveLockReleaseThread
String ID:
API String ID: 2448954584-0
Opcode ID: 6396858b8378360af0ad52c25bb26fffc6a10425116f8d06febd3eef653ef26e
Instruction ID: 9a4c2ad909c7eaf86b0b5dfe3922bae86a176e76ec73fb9600e1a1d28f206240
Opcode Fuzzy Hash: 6396858b8378360af0ad52c25bb26fffc6a10425116f8d06febd3eef653ef26e
Instruction Fuzzy Hash: 6FC1AB72A05B418AEB58DF29E8803A8B7B4FF48B88F505131EE4E57B68EF78D451C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BCE6C8 Relevance: 6.1, APIs: 4, Instructions: 110threadCOMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF701BCE6EF
CoAddRefServerProcess.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF701BCE73E
GetCurrentThreadId.KERNEL32 ref: 00007FF701BCE780
CoGetApartmentType.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF701BCE7B2

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: ApartmentCurrentProcessServerThreadType
String ID:
API String ID: 961092307-0
Opcode ID: 7085e4b63204e6ddbfc990b2978572a147d652d1b6310142599bd61a65bd94ce
Instruction ID: c53a812c929a486b67989e776b222e407581474008dc71851518bd9a87d6d9a7
Opcode Fuzzy Hash: 7085e4b63204e6ddbfc990b2978572a147d652d1b6310142599bd61a65bd94ce
Instruction Fuzzy Hash: B9417136A09B06C1EB21AF15ED80279E7E4EF44B98F88A132DA4D477A5DFBCD445C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BCEAAC Relevance: 6.1, APIs: 4, Instructions: 100threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF701BD28E0: AcquireSRWLockExclusive.KERNEL32 ref: 00007FF701BD290D
Part of subcall function 00007FF701BD28E0: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF701BD294F
Part of subcall function 00007FF701BD28E0: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF701BD2964

Part of subcall function 00007FF701BD3114: InitOnceBeginInitialize.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF701BD3149
Part of subcall function 00007FF701BD3114: EventRegister.ADVAPI32 ref: 00007FF701BD31D6
Part of subcall function 00007FF701BD3114: EventSetInformation.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FF701BD31EF
Part of subcall function 00007FF701BD3114: InitOnceComplete.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF701BD3223

EventActivityIdControl.API-MS-WIN-EVENTING-PROVIDER-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF701BCE6B4), ref: 00007FF701BCEB0E
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF701BCE6B4), ref: 00007FF701BCEB2C
GetCurrentThreadId.KERNEL32 ref: 00007FF701BCEB5A
GetCurrentThreadId.KERNEL32 ref: 00007FF701BCEC0E

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: ExclusiveLock$EventRelease$CurrentInitOnceThread$AcquireActivityBeginCompleteControlInformationInitializeRegister
String ID:
API String ID: 1276531537-0
Opcode ID: a055d4707cf4248bd2525226a92b9d769802b5ce97a72a95fad344d33f969d2b
Instruction ID: 77a5741a6ff97a4ad5eb38424acaf8ac3040d68f91f5c7428d8f8c81ac943e9e
Opcode Fuzzy Hash: a055d4707cf4248bd2525226a92b9d769802b5ce97a72a95fad344d33f969d2b
Instruction Fuzzy Hash: DF416D36A09B46C6EB54AF10E850379BBE0FF54B48F906136EA4E43695CFBCE494C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BE1890 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF701BCE4CC: LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,00007FF701BCE42E,00000001,00000000,80004005,00007FF701BCE37C,?,00000000,00000000,00007FF701BCD7BF), ref: 00007FF701BCE567

_set_errno.MSVCRT ref: 00007FF701BE18E0
_vsnwprintf.MSVCRT ref: 00007FF701BE1916
_get_errno.MSVCRT ref: 00007FF701BE1953
LocalFree.KERNEL32(00000000,?,00000000,80004005,?,?,00007FF701BE14AC), ref: 00007FF701BE19A0

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: Local$AllocFree_get_errno_set_errno_vsnwprintf
String ID:
API String ID: 3694981354-0
Opcode ID: 79cf92ffae43a037d092948d01b1e232c9cb77953e7ca69fe7f54120bcb85a21
Instruction ID: 9aa12cee2f647161caf3bc978f9ce2689f549bd28c49a7dedd65dcf3deeb0681
Opcode Fuzzy Hash: 79cf92ffae43a037d092948d01b1e232c9cb77953e7ca69fe7f54120bcb85a21
Instruction Fuzzy Hash: 2431D82A70471292EB20AB15EC8013DA2D4BF44BACFA09230DE9D47790DFBDE4668364

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BCC438 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(00000001,00000000,00000000,00007FF701BCC3DC,?,?,?,00000000,?,00007FF701BCB699), ref: 00007FF701BCC4A8
ReleaseSRWLockExclusive.KERNEL32(?,?,?,00000000,?,00007FF701BCB699), ref: 00007FF701BCC4C4
ReleaseSRWLockExclusive.KERNEL32(?,?,?,00000000,?,00007FF701BCB699), ref: 00007FF701BCC4D7
DecodePointer.KERNEL32(?,?,?,00000000,?,00007FF701BCB699), ref: 00007FF701BCC4E0

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: ExclusiveLock$Release$AcquireDecodePointer
String ID:
API String ID: 1509096917-0
Opcode ID: c613941b09d5f1f7910bc3f9049fa3fa0d3124b037bc0f5b595a7f707050723b
Instruction ID: f6929b52736f0d7848051eaff44d321bb0bc0c94aaef270336b1d9e623b472da
Opcode Fuzzy Hash: c613941b09d5f1f7910bc3f9049fa3fa0d3124b037bc0f5b595a7f707050723b
Instruction Fuzzy Hash: 01312D35A08A0691EB10EB15EC50379B7A0EF64F98F94A035DA4E87764CFBCE585C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BD3114 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

InitOnceBeginInitialize.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF701BD3149
EventRegister.ADVAPI32 ref: 00007FF701BD31D6
EventSetInformation.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FF701BD31EF
InitOnceComplete.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF701BD3223

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: EventInitOnce$BeginCompleteInformationInitializeRegister
String ID:
API String ID: 3136474517-0
Opcode ID: f7c8114b5292b20443c7cbb9dad20e0b9f57fd03638cc3e3a270afb3ee4c6b36
Instruction ID: 40abb5faff67184f3088ff5043cb98eafb9aca6cc9294b972c16791d10685e22
Opcode Fuzzy Hash: f7c8114b5292b20443c7cbb9dad20e0b9f57fd03638cc3e3a270afb3ee4c6b36
Instruction Fuzzy Hash: 8C31FC35A08A4685EB10AF25EC542A9B3F4FF88B8CF85A136DA4C47225DFBCE544C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BD6A64 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF701BD6884: GetCurrentThemeName.UXTHEME ref: 00007FF701BD68C0
Part of subcall function 00007FF701BD6884: PathRemoveFileSpecW.SHLWAPI ref: 00007FF701BD68CF
Part of subcall function 00007FF701BD6884: PathAppendW.SHLWAPI ref: 00007FF701BD68E1
Part of subcall function 00007FF701BD6884: PathAppendW.SHLWAPI ref: 00007FF701BD68F4
Part of subcall function 00007FF701BD6884: PathAppendW.SHLWAPI ref: 00007FF701BD6906
Part of subcall function 00007FF701BD6884: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BD6917
Part of subcall function 00007FF701BD6884: ExpandEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF701BD6937
Part of subcall function 00007FF701BD6884: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BD694C

?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z.DUI70 ref: 00007FF701BD6ABC
?SetXMLFromResourceWithTheme@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@00@Z.DUI70 ref: 00007FF701BD6AE0
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF701BD6AEF
?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ.DUI70 ref: 00007FF701BD6B01

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: Path$AppendDirectLibraryParser@$Load$Create@CurrentDestroy@E__@@00@EnvironmentExpandFileFreeFromNameRemoveResourceSpecStringsThemeTheme@V12@Value@2@With
String ID:
API String ID: 2638139545-0
Opcode ID: d3aab1e07b11f37be8879924d47bfc412579f8b6bdea26e16fe56ba0cb97594e
Instruction ID: 7c90be96f89174c89ae7a281e320a7ac1c4cc31eb639766b5f4d16985339d244
Opcode Fuzzy Hash: d3aab1e07b11f37be8879924d47bfc412579f8b6bdea26e16fe56ba0cb97594e
Instruction Fuzzy Hash: 6F11BE26A08B4682E714AF12EC5032AE3A0BF88B94F889031DE4D47754EFBCE401C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BCDE70 Relevance: 6.1, APIs: 4, Instructions: 54timeCOMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF701BCDE98
DefWindowProcW.USER32 ref: 00007FF701BCDEB6
KillTimer.USER32 ref: 00007FF701BCDED3

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: Window$KillLongProcTimer
String ID:
API String ID: 2068465966-0
Opcode ID: 4bfeee91237d4d957543b9a5eae8b0279c3dfdea2579d5935946afb90ad4c0b7
Instruction ID: bab42af1e9b7a2ab28d248628184fafc40ca9682e384bcaabd86d442a0d7e948
Opcode Fuzzy Hash: 4bfeee91237d4d957543b9a5eae8b0279c3dfdea2579d5935946afb90ad4c0b7
Instruction Fuzzy Hash: A9119439A0964686EB64BF53AC1007AE3A1BF84FC4F989430DE8A07B54CFBDE4418360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF701BCC8A4 Relevance: 6.0, APIs: 4, Instructions: 43threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF701BCC8BF
GetThreadDesktop.USER32 ref: 00007FF701BCC8C7
GetUserObjectInformationW.USER32 ref: 00007FF701BCC8FE
CompareStringOrdinal.KERNEL32 ref: 00007FF701BCC924

Memory Dump Source

Source File: 00000014.00000002.391494651.00007FF701BC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF701BC0000, based on PE: true

Associated: 00000014.00000002.391480687.00007FF701BC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391535119.00007FF701BEF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391542384.00007FF701BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391551039.00007FF701BFD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391559245.00007FF701C06000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391565517.00007FF701C0E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391571547.00007FF701C14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391586033.00007FF701C1E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391593817.00007FF701C22000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391601246.00007FF701C27000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391607714.00007FF701C38000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391614767.00007FF701C42000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391621361.00007FF701C48000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391630705.00007FF701C4E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391644039.00007FF701C53000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391650247.00007FF701C5B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391662335.00007FF701C6C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391668624.00007FF701C76000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391688390.00007FF701C87000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391712389.00007FF701C8F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391719685.00007FF701C96000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391727757.00007FF701C9C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391737693.00007FF701CAA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391745884.00007FF701CAF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391752714.00007FF701CB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391760826.00007FF701CBB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391771803.00007FF701CBD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391787487.00007FF701CC3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391794587.00007FF701CCA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391804910.00007FF701CD6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391812436.00007FF701CDE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391830434.00007FF701CE3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391842206.00007FF701CEF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391853757.00007FF701CF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391867587.00007FF701CF7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391873841.00007FF701CFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391892095.00007FF701D13000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391898408.00007FF701D17000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391917781.00007FF701D23000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391924204.00007FF701D25000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391934099.00007FF701D2B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391943432.00007FF701D32000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391966639.00007FF701D3F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391982566.00007FF701D47000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.391990906.00007FF701D4B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392022018.00007FF701D57000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392038271.00007FF701D59000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392057349.00007FF701D5F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392072658.00007FF701D6A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392096020.00007FF701D73000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392105334.00007FF701D7B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392125400.00007FF701D81000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392137528.00007FF701D8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392164557.00007FF701D8E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000014.00000002.392187209.00007FF701D93000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff701bc0000_DisplaySwitch.jbxd

Similarity

API ID: Thread$CompareCurrentDesktopInformationObjectOrdinalStringUser
String ID:
API String ID: 167886884-0
Opcode ID: f0449517354d219b36cd709d74a409a8c594c393390d3614ef662fb17a291cc1
Instruction ID: df679c05d65cf237cdee15f363aae8d50cda45039496b158c19028d81435bdc6
Opcode Fuzzy Hash: f0449517354d219b36cd709d74a409a8c594c393390d3614ef662fb17a291cc1
Instruction Fuzzy Hash: DA11423690878582E7219F25EC500AAB7A0FF84748FD5A236EA8D07664DFBCE545CB50

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dpnhupnp.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\1XXGC21\DUI70.dll

C:\Users\user\AppData\Local\1XXGC21\msdt.exe

C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe

C:\Users\user\AppData\Local\4xeLXaDKW\WINSTA.dll

C:\Users\user\AppData\Local\96P3D\VERSION.dll

C:\Users\user\AppData\Local\96P3D\cmstp.exe

C:\Users\user\AppData\Local\M4eXJF\VERSION.dll

C:\Users\user\AppData\Local\M4eXJF\cmstp.exe

C:\Users\user\AppData\Local\RiK2PNsRy\HID.DLL

C:\Users\user\AppData\Local\RiK2PNsRy\tabcal.exe

C:\Users\user\AppData\Local\WPx7QKO3\CloudNotifications.exe

C:\Users\user\AppData\Local\WPx7QKO3\UxTheme.dll

C:\Users\user\AppData\Local\a6o\PresentationHost.exe

C:\Users\user\AppData\Local\a6o\VERSION.dll

C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe

C:\Users\user\AppData\Local\uRSIQRt4\dxgi.dll

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Windows Analysis Report
dpnhupnp.dll

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre