
Windows Analysis Report
wlbsctrl.dll

Overview

General Information

Sample Name:wlbsctrl.dll
Analysis ID:651262
MD5:8b2356cc4b0a382e79dcd4a844839e91
SHA1:ffb6a64c9996aa9e14ab69791f610babf98784c5
SHA256:1e57baa7d7c987aebd09b43788e9388c89a1cb9e89b4cbad24a8662e606d62f2

Detection

Score:26
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Contains functionality to detect sleep reduction / modifications
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to detect sandboxes (mouse cursor move detection)
May check if the current machine is a sandbox (GetTickCount - Sleep)
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)

Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample may be VM or Sandbox-aware, try analysis on a native machine
  • System is w10x64
  • loaddll64.exe (PID: 6288 cmdline: loaddll64.exe "C:\Users\user\Desktop\wlbsctrl.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 6296 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 6316 cmdline: rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: wlbsctrl.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\lemmy\Desktop\shellcodeless\syscall-xll-SecMods\x64\DLL\WhackAMole.pdb | source: loaddll64.exe, 00000000.00000002.260656685.00007FFFE272A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000002.264137592.00007FFFE272A000.00000002.00000001.01000000.00000003.sdmp, wlbsctrl.dll
Source: C:\Windows\System32\loaddll64.exe | Code function: 4x nop then dec eax | 0_2_000001F279C9B7BA
Source: C:\Windows\System32\rundll32.exe | Code function: 4x nop then dec eax | 2_2_000001D07AA0B7BA
Source: wlbsctrl.dll | Binary or memory string: OriginalFilenameOfficev1 vs wlbsctrl.dll
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFFE2721140
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFFE272102D
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000001F279CA398A
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000001F279C9C0CA
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000001F279CAB46A
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000001F279CA93DA
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_000001D07AA1B46A
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_000001D07AA0C0CA
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_000001D07AA193DA
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_000001D07AA1398A
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFFE2721140 GetModuleHandleA,memset,GetCurrentProcess,NtAddBootEntry,NtAddBootEntry,NtAddBootEntry,NtAddBootEntry,CloseHandle
Source: wlbsctrl.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\wlbsctrl.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1
Source: classification engine | Classification label: sus26.evad.winDLL@5/0@0/0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFFE2722B00 GetTickCount,Sleep,GetCursorPos,Sleep,GetCursorPos,GetDiskFreeSpaceExA,GetModuleHandleA,GetProcAddress,GlobalMemoryStatusEx,K32EnumProcesses,EnumProcesses,Sleep
Source: wlbsctrl.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: wlbsctrl.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: wlbsctrl.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: wlbsctrl.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: wlbsctrl.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: wlbsctrl.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: wlbsctrl.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000001F279CB2850 push ecx; retf 003Fh | 0_2_000001F279CB28B0
Source: C:\Windows\System32\rundll32.exe | Code function: 2_2_000001D07AA22850 push ecx; retf 003Fh | 2_2_000001D07AA228B0
Source: wlbsctrl.dll | Static PE information: section name: .00cfg
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFFE27211F9
Source: C:\Windows\System32\loaddll64.exe TID: 6292 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\loaddll64.exe | Code function: GetTickCount,Sleep,GetCursorPos,Sleep,GetCursorPos,GetDiskFreeSpaceExA,GetModuleHandleA,GetProcAddress,GlobalMemoryStatusEx,K32EnumProcesses,EnumProcesses,Sleep | 0_2_00007FFFE2722B00
Source: C:\Windows\System32\loaddll64.exe | Code function: GetCursorPos,Sleep,GetCursorPos,IsProcessorFeaturePresent,capture_current_context | 0_2_00007FFFE2721219
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll64.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe | Thread delayed: delay time: 120000
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFFE27211EA IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFFE2721186 __security_init_cookie,GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
MITRE ATT&CK Matrix (count badges as shown in the report precede the technique names)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | 11 Process Injection | 1 Rundll32 | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 12 Virtualization/Sandbox Evasion | LSASS Memory | 13 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 2 Obfuscated Files or Information | NTDS | 12 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 3 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Behavior Graph ID: 651262 | Sample: wlbsctrl.dll | Startdate: 23/06/2022 | Architecture: WINDOWS | Score: 26
Process chain: loaddll64.exe (started) -> cmd.exe (started) -> rundll32.exe (started)
Signature on loaddll64.exe: Contains functionality to detect sleep reduction / modifications

No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version:35.0.0 Citrine
Analysis ID:651262
Start date and time: 2022-06-23 18:13:12 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 7m 20s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:wlbsctrl.dll
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:Run with higher sleep bypass
Number of new started processes analysed:30
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:SUS
Classification:sus26.evad.winDLL@5/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 19.6% (good quality ratio 3.5%)
  • Quality average: 13.8%
  • Quality standard deviation: 31.9%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 9
  • Number of non-executed functions: 15
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Adjust boot time
  • Enable AMSI
  • Sleeps bigger than 300000ms are automatically reduced to 1000ms
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
  • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtWriteVirtualMemory calls found.
No simulations
No context
No created / dropped files found
File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):2.301165268606333
TrID:
  • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
  • Win64 Executable (generic) (12005/4) 10.17%
  • Generic Win/DOS Executable (2004/3) 1.70%
  • DOS Executable Generic (2002/1) 1.70%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:wlbsctrl.dll
File size:775168
MD5:8b2356cc4b0a382e79dcd4a844839e91
SHA1:ffb6a64c9996aa9e14ab69791f610babf98784c5
SHA256:1e57baa7d7c987aebd09b43788e9388c89a1cb9e89b4cbad24a8662e606d62f2
SHA512:273c11f50ce23d01108c7edf484f10fc7d318cd89fcc51baf7f2721f1655340b0167214498f5e08a9e7fdae9e656f6f516a7eff7a25e7151e1f0ea5fc5d71ba0
SSDEEP:12288:FjwnXutNmopfRYxaKHFiPTLJsaVHct37frld/ibWcccccccccI6gRThD:
TLSH:59F4B75A0823D211D8244C3196377AC66F1672E9776C27D3F6A92FA2C1390C1AD77F3A
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........{Fv.(Fv.(Fv.(O.k(Bv.(...)Dv.(R..)Cv.(Fv.(pv.(...)Jv.(...)Nv.(...)Bv.(...)Gv.(...(Gv.(Fvo(Gv.(...)Gv.(RichFv.(...............
Icon Hash:74f0e4ecccdce0e4
Entrypoint:0x18000100a
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x180000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x62ACC1D8 [Fri Jun 17 18:03:04 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:05dcd6eab6e64f86dc1e816425be7b14
Instruction
jmp 00007F7144AA6612h
jmp 00007F7144AA6AF9h
jmp 00007F7144AA568Ch
jmp 00007F7144AA6B67h
jmp 00007F7144AA5852h
jmp 00007F7144AA7385h
jmp 00007F7144AA75A4h
jmp 00007F7144AA44F3h
jmp 00007F7144AA6DA2h
jmp 00007F7144AA6B4Dh
jmp 00007F7144AAA9C4h
jmp 00007F7144AA7583h
jmp 00007F7144AA7592h
jmp 00007F7144AA5595h
jmp 00007F7144AAA990h
jmp 00007F7144AA87CBh
jmp 00007F7144AA5B82h
jmp 00007F7144AAAA01h
jmp 00007F7144AA60FCh
jmp 00007F7144AA731Bh
jmp 00007F7144AA7562h
jmp 00007F7144AA6C6Dh
jmp 00007F7144AA8788h
jmp 00007F7144AA6053h
jmp 00007F7144AA7546h
jmp 00007F7144AAAA39h
jmp 00007F7144AA597Ch
jmp 00007F7144AA5F37h
jmp 00007F7144AAA8EAh
jmp 00007F7144AA6E59h
jmp 00007F7144AA7534h
jmp 00007F7144AA6A67h
jmp 00007F7144AAA886h
jmp 00007F7144AA6A59h
jmp 00007F7144AA6CBCh
jmp 00007F7144AA4EC7h
jmp 00007F7144AAAA22h
jmp 00007F7144AA6AC9h
jmp 00007F7144AA56CCh
jmp 00007F7144AA4203h
Programming Language:
  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbe3b0 | 0x78 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc1000 | 0x890 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xbd000 | 0x420 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc2000 | 0x40 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xab64 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb0a0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xaba0 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xbe000 | 0x3b0 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x89b5 | 0x8a00 | False | 0.24363111413043478 | data | 3.5100227973693183 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xa000 | 0x1f62 | 0x2000 | False | 0.1304931640625 | data | 1.5044615193257005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc000 | 0xb0539 | 0xafe00 | False | 0.1482459355010661 | data | 2.016608344146886 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0xbd000 | 0x5ac | 0x600 | False | 0.3919270833333333 | data | 3.213440260810703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata | 0xbe000 | 0xe3d | 0x1000 | False | 0.23828125 | data | 3.0459227597586005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xbf000 | 0x309 | 0x400 | False | 0.021484375 | data | 0.011173818721219527 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.00cfg | 0xc0000 | 0x151 | 0x200 | False | 0.0546875 | data | 0.330964730370671 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xc1000 | 0x890 | 0xa00 | False | 0.2640625 | data | 2.6030848233720585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc2000 | 0x1f1 | 0x200 | False | 0.14453125 | data | 0.7368777605793444 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xc11c0 | 0x354 | data | English | United States
RT_MANIFEST | 0xc1518 | 0x17d | XML 1.0 document text | English | United States
DLL | Import
KERNEL32.dll | CreateFileA, GetDiskFreeSpaceExA, CloseHandle, Sleep, GetCurrentProcess, GetTickCount, GetModuleHandleA, GetProcAddress, CreateFileMappingA, K32EnumProcesses, K32GetModuleInformation, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, GetModuleHandleW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead
USER32.dll | GetCursorPos
VCRUNTIME140.dll | memset, __C_specific_handler, __current_exception, __current_exception_context, __std_type_info_destroy_list
api-ms-win-crt-stdio-l1-1-0.dll | __acrt_iob_func, __stdio_common_vfprintf
api-ms-win-crt-runtime-l1-1-0.dll | terminate, _initterm_e, _seh_filter_dll, _configure_narrow_argv, _initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _execute_onexit_table, _crt_atexit, _crt_at_quick_exit, _cexit, _initterm
Language of compilation system: English
Country where language is spoken: United States
No network behavior found

Target ID:0
Start time:18:14:12
Start date:23/06/2022
Path:C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):false
Commandline:loaddll64.exe "C:\Users\user\Desktop\wlbsctrl.dll"
Imagebase:0x7ff6d4fc0000
File size:140288 bytes
MD5 hash:4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:1
Start time:18:14:13
Start date:23/06/2022
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1
Imagebase:0x7ff7bb450000
File size:273920 bytes
MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:2
Start time:18:14:13
Start date:23/06/2022
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1
Imagebase:0x7ff675c30000
File size:69632 bytes
MD5 hash:73C519F050C20580F8A62C849D49215A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high


    Execution Graph

    Execution Coverage:4.2%
    Dynamic/Decrypted Code Coverage:23.1%
    Signature Coverage:17.7%
    Total number of Nodes:186
    Total number of Limit Nodes:2
    execution_graph 7615 7fffe2723da4 EnterCriticalSection 7616 7fffe2723dba 7615->7616 7617 7fffe2723df8 LeaveCriticalSection 7616->7617 7511 1f279c9b17e 7512 1f279c9b186 7511->7512 7517 1f279c9bc3a 7512->7517 7514 1f279c9b1cb 7515 1f279c9b1a6 7515->7514 7521 1f279c9b1d6 7515->7521 7518 1f279c9bc58 7517->7518 7520 1f279c9bfd9 7517->7520 7519 1f279c9bf7e LoadLibraryA 7518->7519 7518->7520 7519->7520 7520->7515 7524 1f279c9b232 7521->7524 7530 1f279c9b3bf 7521->7530 7522 1f279c9b441 7522->7514 7523 1f279c9b445 TerminateProcess 7523->7522 7525 1f279c9b28c LoadLibraryA 7524->7525 7526 1f279c9b2ef 7525->7526 7527 1f279c9b318 GetComputerNameExW 7526->7527 7529 1f279c9b33a 7526->7529 7527->7529 7528 1f279c9b3ab NetWkstaGetInfo 7528->7530 7529->7528 7529->7530 7530->7522 7530->7523 7635 7fffe2721127 7636 7fffe2722e90 7635->7636 7637 7fffe2722f01 GetModuleHandleA 7636->7637 7639 7fffe2722f17 7637->7639 7638 7fffe2722f51 GetProcAddress 7640 7fffe2722f6b 7638->7640 7639->7638 7639->7639 7641 7fffe2723d2c EnterCriticalSection 7642 7fffe2723d82 _Init_thread_abort 7641->7642 7564 7fffe27210eb 7565 7fffe2723f1c 7564->7565 7568 7fffe272107d __GSHandlerCheckCommon 7565->7568 7567 7fffe2723f2f 7568->7567 7569 7fffe2723f40 7568->7569 7531 1f279ca0776 7532 1f279ca0798 __CxxFrameHandler3 7531->7532 7535 1f279ca1c3a 7532->7535 7534 1f279ca07e3 7537 1f279ca1c67 __FrameHandler3::FrameUnwindToState FindHandler __CxxFrameHandler3 __except_validate_context_record 7535->7537 7538 1f279ca1cca __GetCurrentState std::bad_alloc::bad_alloc __FrameHandler3::FrameUnwindToState __FrameHandler3::FrameUnwindToEmptyState 7537->7538 7539 1f279ca1462 7537->7539 7538->7534 7542 1f279ca14b0 FindHandler IsInExceptionSpec __CxxFrameHandler3 __FrameHandler3::GetHandlerSearchState 7539->7542 7540 1f279ca183b 7543 1f279ca157e 10 library calls 7540->7543 7550 1f279ca18c6 7540->7550 7542->7540 7542->7543 7544 1f279ca15c6 pair TypeMatchHelper FindHandler 7542->7544 7543->7538 7544->7543 7546 1f279ca1392 7544->7546 
7547 1f279ca13cf _GetEstablisherFrame 7546->7547 7549 1f279ca13f5 __FrameHandler3::UnwindNestedFrames __FrameHandler3::FrameUnwindToState 7547->7549 7554 1f279ca12d2 7547->7554 7549->7544 7551 1f279ca1ad3 7550->7551 7552 1f279ca18ff pair __FrameHandler3::FrameUnwindToState __CxxFrameHandler3 _CallSETranslator 7550->7552 7551->7543 7552->7551 7553 1f279ca1392 FindHandler BuildCatchObjectHelperInternal 7552->7553 7553->7552 7555 1f279ca12f9 BuildCatchObjectHelperInternal 7554->7555 7581 7fffe2724c2f 7582 7fffe2724c44 IsProcessorFeaturePresent 7581->7582 7583 7fffe2724c5c 7582->7583 7586 7fffe2725004 RtlCaptureContext 7583->7586 7585 7fffe2724c6f 7587 7fffe272501e RtlLookupFunctionEntry 7586->7587 7588 7fffe2725034 RtlVirtualUnwind 7587->7588 7589 7fffe272506d 7587->7589 7588->7587 7588->7589 7589->7585 7570 1f279cac14a 7571 1f279cac161 __CxxFrameHandler3 7570->7571 7572 1f279ca1c3a __InternalCxxFrameHandler BuildCatchObjectHelperInternal 7571->7572 7573 1f279cac1bd __CxxFrameHandler3 7572->7573 7574 7fffe27252f2 CloseHandle 7590 7fffe2721032 7591 7fffe2724c44 IsProcessorFeaturePresent 7590->7591 7592 7fffe2724c5c 7591->7592 7593 7fffe2725004 capture_previous_context 3 API calls 7592->7593 7594 7fffe2724c6f 7593->7594 7618 7fffe27253b2 GetCursorPos 7643 7fffe2725333 LeaveCriticalSection 7598 7fffe2723878 7599 7fffe27238bb 7598->7599 7600 7fffe2723889 7598->7600 7601 7fffe27238f8 7600->7601 7603 7fffe272388e 7600->7603 7602 7fffe27211ea 9 API calls 7601->7602 7605 7fffe2723902 7602->7605 7603->7599 7604 7fffe27238ab _initialize_onexit_table 7603->7604 7604->7599 7556 7fffe27210b9 7557 7fffe2722df0 GetDiskFreeSpaceExA 7556->7557 7558 7fffe2722e0f 7557->7558 7621 7fffe27211f9 7622 7fffe2722e50 GetTickCount Sleep GetTickCount 7621->7622 7655 7fffe272117c __scrt_is_managed_app 7656 7fffe27248fc GetModuleHandleW 7655->7656 7657 7fffe272490d 7656->7657 7575 7fffe2723efe 7576 7fffe2723f1c 7575->7576 7577 7fffe272107d __GSHandlerCheckCommon __GSHandlerCheckCommon 7576->7577 
7578 7fffe2723f2f 7577->7578 7452 7fffe2722b00 7453 7fffe2721064 7452->7453 7454 7fffe2722b15 GetTickCount Sleep 7453->7454 7468 7fffe27de028 7454->7468 7456 7fffe2722b43 GetCursorPos Sleep GetCursorPos 7457 7fffe2722b8a GetDiskFreeSpaceExA 7456->7457 7459 7fffe2722bb1 7457->7459 7460 7fffe2722c21 GetModuleHandleA 7459->7460 7462 7fffe2722c37 7460->7462 7461 7fffe2722c71 GetProcAddress GlobalMemoryStatusEx K32EnumProcesses 7463 7fffe2722cbd 7461->7463 7462->7461 7462->7462 7464 7fffe2722cdf 7463->7464 7465 7fffe2722cd2 Sleep 7463->7465 7467 7fffe2721140 16 API calls 7464->7467 7466 7fffe2722ce4 7465->7466 7467->7466 7469 7fffe27de02e 7468->7469 7470 7fffe2722140 7472 7fffe272215f 7470->7472 7471 7fffe27221a2 GetModuleHandleA GetCurrentProcess K32GetModuleInformation 7473 7fffe27221d4 7471->7473 7472->7471 7472->7472 7474 7fffe2722212 GetProcAddress 7473->7474 7477 7fffe272222f 7474->7477 7475 7fffe2722272 GetProcAddress VirtualAlloc 7479 7fffe2721109 printf 7475->7479 7477->7475 7477->7477 7478 7fffe27222bc VirtualProtect 7479->7478 7480 7fffe2723520 __acrt_iob_func 7479->7480 7483 7fffe2721014 7480->7483 7482 7fffe2723556 __stdio_common_vfprintf 7482->7478 7483->7482 7484 7fffe2723510 7483->7484 7484->7482 7619 7fffe27211c2 7620 7fffe2723e8c LeaveCriticalSection 7619->7620 7595 7fffe2721244 __scrt_get_show_window_mode 7596 7fffe27248a8 memset GetStartupInfoW 7595->7596 7579 7fffe2725303 GetCurrentProcess 7580 7fffe27de020 7579->7580 7597 1f279cac112 __scrt_dllmain_exception_filter 7606 7fffe272448c 7607 7fffe27244a8 7606->7607 7608 7fffe27244ad 7606->7608 7610 7fffe2721186 __security_init_cookie 7607->7610 7610->7608 7611 7fffe272511c 7610->7611 7612 7fffe272513f GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 7611->7612 7613 7fffe27251b3 7611->7613 7612->7613 7613->7608 7644 7fffe2724d4c 7647 7fffe272109b 7644->7647 7646 7fffe2724d5a 7647->7646 7648 7fffe2724d64 IsProcessorFeaturePresent 7647->7648 7649 7fffe2724d7b 
7648->7649 7650 7fffe2724f7c capture_current_context 3 API calls 7649->7650 7651 7fffe2724d8f 7650->7651 7651->7646 7652 7fffe272114f _Init_thread_abort 7653 7fffe2723cf0 EnterCriticalSection 7652->7653 7654 7fffe2723d16 _Init_thread_abort 7653->7654 7485 7fffe2723ad4 InitializeCriticalSectionAndSpinCount GetModuleHandleW 7486 7fffe2723b05 GetModuleHandleW 7485->7486 7487 7fffe2723b1a GetProcAddress GetProcAddress 7485->7487 7486->7487 7491 7fffe2723b47 7486->7491 7488 7fffe2723b42 7487->7488 7489 7fffe2723b57 CreateEventW 7487->7489 7488->7489 7488->7491 7489->7491 7498 7fffe2723b80 7491->7498 7504 7fffe27211ea 7491->7504 7492 7fffe2723ba3 InitializeCriticalSectionAndSpinCount GetModuleHandleW 7493 7fffe2723c09 GetModuleHandleW 7492->7493 7494 7fffe2723c1e GetProcAddress GetProcAddress 7492->7494 7493->7494 7495 7fffe2723c82 7493->7495 7496 7fffe2723c64 CreateEventW 7494->7496 7497 7fffe2723c46 7494->7497 7500 7fffe27211ea 9 API calls 7495->7500 7496->7495 7499 7fffe2723c4b 7496->7499 7497->7496 7497->7499 7501 7fffe2723c8c DeleteCriticalSection 7500->7501 7502 7fffe2723cdf 7501->7502 7503 7fffe2723cd9 CloseHandle 7501->7503 7503->7502 7504->7492 7505 7fffe2724708 IsProcessorFeaturePresent 7504->7505 7506 7fffe272472e 7505->7506 7507 7fffe272473c memset RtlCaptureContext RtlLookupFunctionEntry 7506->7507 7508 7fffe27247b2 memset IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 7507->7508 7509 7fffe2724776 RtlVirtualUnwind 7507->7509 7510 7fffe2724836 7508->7510 7509->7508 7510->7492 7614 7fffe2725094 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 7559 7fffe27276d8 7562 7fffe27211db __scrt_release_startup_lock 7559->7562 7561 7fffe27276e9 7562->7561 7563 7fffe27239e8 7562->7563 7563->7561 7623 7fffe2721219 7624 7fffe272121f GetCursorPos Sleep GetCursorPos 7623->7624 7625 7fffe272124b IsProcessorFeaturePresent 7623->7625 7628 7fffe2722dbf 7624->7628 7629 7fffe2724e48 7625->7629 7632 7fffe2724f7c 
RtlCaptureContext RtlLookupFunctionEntry 7629->7632 7631 7fffe2724e5c 7633 7fffe2724fac RtlVirtualUnwind 7632->7633 7634 7fffe2724fde 7632->7634 7633->7634 7634->7631

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.260342931.00007FFFE2721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE2720000, based on PE: true
    • Associated: 00000000.00000002.260329012.00007FFFE2720000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.260649306.00007FFFE2727000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.260656685.00007FFFE272A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.262944547.00007FFFE272C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263030356.00007FFFE27AC000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263219917.00007FFFE27DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263224431.00007FFFE27DD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263232941.00007FFFE27E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7fffe2720000_loaddll64.jbxd
    Similarity
    • API ID: Sleep$Cursor$AddressCountDiskEnumFreeGlobalHandleMemoryModuleProcProcessesSpaceStatusTick
    • String ID: @$C:\
    • API String ID: 1094001007-2217305858
    • Opcode ID: bf23feac25fa6789cfb7cb4e4c0ad847f7ba566056215651666ce38ee523ffbb
    • Instruction ID: e1be3351b58a84520b900a60e914725d9f4bf6d3e812bc8962bcb9ca4fcb5deb
    • Opcode Fuzzy Hash: bf23feac25fa6789cfb7cb4e4c0ad847f7ba566056215651666ce38ee523ffbb
    • Instruction Fuzzy Hash: F151E373E0968287FB109B21E8543A967E0FB86790F541231DA8EC3796EFBCD558C712
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 158 7fffe272102d-7fffe27223ce call 7fffe2722030 162 7fffe27223d0-7fffe27223e8 158->162 163 7fffe272242d-7fffe272248a CreateFileA CreateFileMappingA call 7fffe2721890 158->163 164 7fffe27223f0-7fffe2722426 162->164 168 7fffe27224c1-7fffe27224dd GetModuleHandleA call 7fffe2721a70 163->168 169 7fffe272248c-7fffe2722499 163->169 164->164 166 7fffe2722428 164->166 166->163 174 7fffe27224df-7fffe27224ec 168->174 175 7fffe2722511-7fffe272254b GetProcAddress MapViewOfFile call 7fffe27214c0 168->175 171 7fffe27224a0-7fffe27224bb 169->171 171->171 173 7fffe27224bd 171->173 173->168 176 7fffe27224f0-7fffe272250b 174->176 180 7fffe2722581-7fffe27225bb call 7fffe2721136 175->180 181 7fffe272254d-7fffe272255a 175->181 176->176 178 7fffe272250d 176->178 178->175 186 7fffe2722842-7fffe2722855 call 7fffe27211fe 180->186 187 7fffe27225c1-7fffe27225ce 180->187 182 7fffe2722560-7fffe272257b 181->182 182->182 184 7fffe272257d 182->184 184->180 186->187 195 7fffe272285b-7fffe2722883 call 7fffe27210e6 call 7fffe2721208 186->195 188 7fffe27225d0-7fffe27225dd 187->188 189 7fffe2722603-7fffe272261e call 7fffe2721136 call 7fffe2721b70 187->189 191 7fffe27225e0-7fffe27225fb 188->191 202 7fffe2722620-7fffe272262d 189->202 203 7fffe2722651-7fffe272266f call 7fffe2721136 call 7fffe2721d50 189->203 191->191 194 7fffe27225fd 191->194 194->189 195->187 205 7fffe2722630-7fffe272264b 202->205 211 7fffe27226a1-7fffe27226b8 call 7fffe2721136 203->211 212 7fffe2722671-7fffe272267e 203->212 205->205 207 7fffe272264d 205->207 207->203 217 7fffe27227e8-7fffe27227fb call 7fffe27211fe 211->217 218 7fffe27226be-7fffe27226c4 211->218 213 7fffe2722680-7fffe272269b 212->213 213->213 215 7fffe272269d 213->215 215->211 217->218 225 7fffe2722801-7fffe272283d call 7fffe27210e6 call 7fffe2721208 217->225 219 7fffe2722712-7fffe2722732 GetModuleHandleA call 7fffe27215a0 218->219 220 7fffe27226c6-7fffe272270c 218->220 226 7fffe2722761-7fffe27227e1 call 7fffe2721136 call 7fffe27210cd * 4 
CloseHandle * 2 219->226 227 7fffe2722734-7fffe272273e 219->227 220->219 225->218 226->217 229 7fffe2722740-7fffe272275a 227->229 229->229 233 7fffe272275c 229->233 233->226
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.260342931.00007FFFE2721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE2720000, based on PE: true
    • Associated: 00000000.00000002.260329012.00007FFFE2720000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.260649306.00007FFFE2727000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.260656685.00007FFFE272A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.262944547.00007FFFE272C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263030356.00007FFFE27AC000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263219917.00007FFFE27DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263224431.00007FFFE27DD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263232941.00007FFFE27E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7fffe2720000_loaddll64.jbxd
    Similarity
    • API ID: FileHandle$CreateModule$AddressCloseMappingProcView
    • String ID: NtCreateThreadEx$ntdll.dll
    • API String ID: 2780192746-690569937
    • Opcode ID: a228660ac9baeddd43029b1d25431e5856f3e5db83f11851b2192878d5f6c5a7
    • Instruction ID: 501b05953db982e057585390e02facd319065101d2e6244b793862723d6fe4be
    • Opcode Fuzzy Hash: a228660ac9baeddd43029b1d25431e5856f3e5db83f11851b2192878d5f6c5a7
    • Instruction Fuzzy Hash: 60D1E763E0D68686F7008726E8647BA2BD0BB837D4F444235D94E87796EFBCE124C742
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.260342931.00007FFFE2721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE2720000, based on PE: true
    • Associated: 00000000.00000002.260329012.00007FFFE2720000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.260649306.00007FFFE2727000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.260656685.00007FFFE272A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.262944547.00007FFFE272C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263030356.00007FFFE27AC000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263219917.00007FFFE27DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263224431.00007FFFE27DD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263232941.00007FFFE27E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7fffe2720000_loaddll64.jbxd
    Similarity
    • API ID: BootEntry$Handle$CloseCurrentModuleProcessmemset
    • String ID: ntdll.dll
    • API String ID: 3873965561-2227199552
    • Opcode ID: 8ec1fb59fc83e3fbd599cd93e82e9b1dc2d926dcafa1658c45c0997bf7e50469
    • Instruction ID: fc2f03cdd8b01a51d94fbcf37e8380564867c572b67635490939024cc061dd85
    • Opcode Fuzzy Hash: 8ec1fb59fc83e3fbd599cd93e82e9b1dc2d926dcafa1658c45c0997bf7e50469
    • Instruction Fuzzy Hash: 57A17572E08B9185F7208B65E8403A97BE0FB86794F041235DE8D97B59EFBCD155C702
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.260342931.00007FFFE2721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE2720000, based on PE: true
    • Associated: 00000000.00000002.260329012.00007FFFE2720000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.260649306.00007FFFE2727000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.260656685.00007FFFE272A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.262944547.00007FFFE272C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263030356.00007FFFE27AC000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263219917.00007FFFE27DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263224431.00007FFFE27DD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263232941.00007FFFE27E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7fffe2720000_loaddll64.jbxd
    Similarity
    • API ID: Handle$AddressModuleProc$CriticalSection$CountCreateEventInitializeSpin$CloseDelete
    • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
    • API String ID: 251140187-3242537097
    • Opcode ID: 9849fdbbacffd081f93dd195d024c6097c9f37e40ccc457ff2f290fb4760c6ba
    • Instruction ID: 3fc1117f8159beea5ee04305139fcdb4e211bf23977b0f467aecc9fa01d51d2f
    • Opcode Fuzzy Hash: 9849fdbbacffd081f93dd195d024c6097c9f37e40ccc457ff2f290fb4760c6ba
    • Instruction Fuzzy Hash: E6415062E09A4382FA159F61F95477463E1AF8B780F985135CD4E827A5FFBCA468C302
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.259724908.000001F279C9B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001F279C9B000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1f279c9b000_loaddll64.jbxd
    Similarity
    • API ID: ComputerInfoLibraryLoadNameWksta
    • String ID: .$2$3$a$d$e$i$l$l$n$p$t
    • API String ID: 3393981993-1206877643
    • Opcode ID: 9f1df4b9c6e76e77351a2f1aa7da60c0e0fb4b368d1276d023936cfa14d4e98f
    • Instruction ID: 6cd0511b5fa5afbcb9c495ef798a47a6fd7e2fed647cc3f7d610d07e6b83cbc2
    • Opcode Fuzzy Hash: 9f1df4b9c6e76e77351a2f1aa7da60c0e0fb4b368d1276d023936cfa14d4e98f
    • Instruction Fuzzy Hash: 41812F3020D784DFE764EB18C0487AAB7F1FBA9318F544A6DE08AC7291CB75D945CB02
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.259724908.000001F279C9B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001F279C9B000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1f279c9b000_loaddll64.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: 2$3$a$a$d$i$p$v
    • API String ID: 1029625771-1673513319
    • Opcode ID: 886938e3ccb0d6dbac8807b67c971d65b303b8bc3fbc6529e8d30fe2f3ad3af2
    • Instruction ID: a9e0986d264dd9139b1084636693806413191eaaaf1174586685ac4ebe02f53a
    • Opcode Fuzzy Hash: 886938e3ccb0d6dbac8807b67c971d65b303b8bc3fbc6529e8d30fe2f3ad3af2
    • Instruction Fuzzy Hash: C4E19834618E889FD794EB2CC085B6AB7E1FBA8705F50096DF19AC72A1C775D842CF42
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 17%
    			E00007FFF7FFFE2722140(void* __ecx, void* __edx, void* __eflags, void* __rax, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rsi, void* __r8, char _a8, intOrPtr _a16, long long _a24, long long _a32) {
    				char _v40;
    				void* __rdi;
    				signed char _t35;
    				signed char _t38;
    				signed char _t40;
    				void* _t42;
    				int _t45;
    				void* _t71;
    				unsigned long long _t73;
    				unsigned long long _t75;
    				unsigned long long _t77;
    				unsigned long long _t97;
    				unsigned long long _t98;
    				unsigned long long _t100;
    				char* _t109;
    				void* _t110;
    				void* _t112;
    				unsigned long long _t113;
    				unsigned long long _t114;
    
    				_t71 = __rax;
    				_a24 = __rbx;
    				_a32 = __rsi;
    				_t35 = E00007FFF7FFFE27217A0( &_a8, __rdx);
    				_t112 = _t71;
    				if ( *((char*)(_t71 + 0xd)) == 0) goto 0xe27221a2;
    				r8d = 0;
    				asm("o16 nop [eax+eax]");
    				_t73 = 0x1b4949a3 >> (r8b & 7) << 3;
    				 *(__r8 + _t112) =  *(__r8 + _t112) ^ _t35;
    				if (__r8 + 1 - 0xd < 0) goto 0xe2722180;
    				 *((char*)(_t112 + 0xd)) = 0;
    				GetModuleHandleA(??);
    				GetCurrentProcess();
    				r9d = 0x18;
    				_t109 =  &_v40;
    				0xe272532c(); // executed
    				_t38 = E00007FFF7FFFE2721E50( &_a8, _t73);
    				_t113 = _t73;
    				if ( *((char*)(_t73 + 0xf)) == 0) goto 0xe2722212;
    				r8d = 0;
    				asm("o16 nop [eax+eax]");
    				_t75 = 0x9f9f81c5 >> (r8b & 7) << 3;
    				 *(_t109 + _t113) =  *(_t109 + _t113) ^ _t38;
    				_t110 = _t109 + 1;
    				if (_t110 - 0xf < 0) goto 0xe27221f0;
    				 *((char*)(_t113 + 0xf)) = 0;
    				GetProcAddress(??, ??);
    				 *0xe27dbd10 = _t75;
    				_t40 = E00007FFF7FFFE2721C60( &_a8, _t113);
    				_t114 = _t75;
    				if ( *((char*)(_t75 + 0xd)) == 0) goto 0xe2722272;
    				r8d = 0;
    				asm("o16 nop [eax+eax]");
    				_t77 = 0x6f49fdeb >> (r8b & 7) << 3;
    				 *(_t110 + _t114) =  *(_t110 + _t114) ^ _t40;
    				if (_t110 + 1 - 0xd < 0) goto 0xe2722250;
    				 *((char*)(_t114 + 0xd)) = 0;
    				_t97 = _t114;
    				GetProcAddress(??, ??);
    				 *0xe27dbd18 = _t77;
    				r8d = 0x3000;
    				_a8 = 0xc3e3ff41;
    				_t20 = _t97 - 0x60; // 0x4, executed
    				r9d = _t20;
    				_t42 = VirtualAlloc(??, ??, ??, ??); // executed
    				_t98 = _t77;
    				_t100 = _t77;
    				E00007FFF7FFFE2721109(_t42, 0, _t77, 0xe272a9a4, _t98, _t100);
    				 *_t100 =  *__rcx;
    				 *((short*)(_t100 + 4)) =  *(__rcx + 4) & 0x0000ffff;
    				 *((char*)(_t100 + 6)) =  *(__rcx + 6) & 0x000000ff;
    				_t26 = _t98 - 0x44; // 0x20
    				r8d = _t26;
    				 *((short*)(_t100 + 7)) = 0x4900;
    				 *((char*)(_t100 + 9)) = 0xbb;
    				 *((intOrPtr*)(_t100 + 0x12)) = _a8;
    				 *((long long*)(_t100 + 0xa)) =  *0xe27dbd00 + __rdx;
    				_a16 = 0;
    				_t45 = VirtualProtect(??, ??, ??, ??); // executed
    				return _t45;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.260342931.00007FFFE2721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE2720000, based on PE: true
    • Associated: 00000000.00000002.260329012.00007FFFE2720000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.260649306.00007FFFE2727000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.260656685.00007FFFE272A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.262944547.00007FFFE272C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263030356.00007FFFE27AC000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263219917.00007FFFE27DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263224431.00007FFFE27DD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263232941.00007FFFE27E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7fffe2720000_loaddll64.jbxd
    Similarity
    • API ID: AddressModuleProcVirtual$AllocCurrentHandleInformationProcessProtect
    • String ID: %p
    • API String ID: 3934800070-3072491283
    • Opcode ID: e6e2722ae6fc6a8f1b979f5f3329be49983f528aa590691acc1b6b3cb0427b5b
    • Instruction ID: 8eebeb6f3913b7aeb17972cf8c5679c8b1e3827dd4bd99afafd50d4bee284ec4
    • Opcode Fuzzy Hash: e6e2722ae6fc6a8f1b979f5f3329be49983f528aa590691acc1b6b3cb0427b5b
    • Instruction Fuzzy Hash: 2841D462E0879587E7049B16E4147AA7BD0FB86BC0F488135DA4D83B96EFBCD124C741
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.259724908.000001F279C9B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001F279C9B000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1f279c9b000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$onTa$p$rote$temI$tion$truc$ualA$ualP
    • API String ID: 0-924545899
    • Opcode ID: ba67eb782131c3f065ce6fb0f8a316021b757953efe746a7c66d5e51c776329b
    • Instruction ID: b1c40a84c478cc9fb5cee444fbf1b5d0febb0851d05433da84bdbb08f5094c80
    • Opcode Fuzzy Hash: ba67eb782131c3f065ce6fb0f8a316021b757953efe746a7c66d5e51c776329b
    • Instruction Fuzzy Hash: FF72B230655B0A8FEB18EF18C8857B9B7F1FB68315F14462DD88BC7251DB34E9428B85
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.260342931.00007FFFE2721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE2720000, based on PE: true
    • Associated: 00000000.00000002.260329012.00007FFFE2720000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.260649306.00007FFFE2727000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.260656685.00007FFFE272A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.262944547.00007FFFE272C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263030356.00007FFFE27AC000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263219917.00007FFFE27DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263224431.00007FFFE27DD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263232941.00007FFFE27E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7fffe2720000_loaddll64.jbxd
    Similarity
    • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
    • String ID:
    • API String ID: 313767242-0
    • Opcode ID: 2c738ed967bc5df8c1013ba23ad59abb648def6edd02a07e1447defbd1282bbc
    • Instruction ID: add3505066dd0074c827a373315a80aec2306e7d05cea7b79b0f46b1d7c41497
    • Opcode Fuzzy Hash: 2c738ed967bc5df8c1013ba23ad59abb648def6edd02a07e1447defbd1282bbc
    • Instruction Fuzzy Hash: 0B317072A19B818AEB608F60E8503ED33A0FB86748F444439DB8E87B95EF7CD558C711
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.260342931.00007FFFE2721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE2720000, based on PE: true
    • Associated: 00000000.00000002.260329012.00007FFFE2720000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.260649306.00007FFFE2727000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.260656685.00007FFFE272A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.262944547.00007FFFE272C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263030356.00007FFFE27AC000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263219917.00007FFFE27DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263224431.00007FFFE27DD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263232941.00007FFFE27E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7fffe2720000_loaddll64.jbxd
    Similarity
    • API ID: Cursor$FeaturePresentProcessorSleepcapture_current_context
    • String ID:
    • API String ID: 1686489235-0
    • Opcode ID: 615716072627917ba3ce45cd08dde62bfdf5f9842916c67441e716f792528eab
    • Instruction ID: bb28b7e5fb36c5c4dc0d9333900c925237e57cd2521ca0a7e3ec6d6c14f4242f
    • Opcode Fuzzy Hash: 615716072627917ba3ce45cd08dde62bfdf5f9842916c67441e716f792528eab
    • Instruction Fuzzy Hash: 0341E9B6E1C641CBE750CB14E49036A77E0FB86744F500136E68EC26A5EFBDE9A5CB01
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.260342931.00007FFFE2721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE2720000, based on PE: true
    • Associated: 00000000.00000002.260329012.00007FFFE2720000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.260649306.00007FFFE2727000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.260656685.00007FFFE272A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.262944547.00007FFFE272C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263030356.00007FFFE27AC000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263219917.00007FFFE27DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263224431.00007FFFE27DD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263232941.00007FFFE27E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7fffe2720000_loaddll64.jbxd
    Similarity
    • API ID: CountTick$Sleep
    • String ID:
    • API String ID: 4250438611-0
    • Opcode ID: ffafef7f60f6108d52e334d56fbdad7ae5ddcc298aed7986da1fda1fb18b02a0
    • Instruction ID: 99905778075cad50ec37c2b1dcd725405174bc5a0b114fe47c4c96541be8123a
    • Opcode Fuzzy Hash: ffafef7f60f6108d52e334d56fbdad7ae5ddcc298aed7986da1fda1fb18b02a0
    • Instruction Fuzzy Hash: DED05E65F1410243FB191BB0A88927C02D19F0E721F600134C90BC5291ED6CA5E9D622
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.259724908.000001F279C9B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001F279C9B000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1f279c9b000_loaddll64.jbxd
    Similarity
    • API ID: _clrfp
    • String ID:
    • API String ID: 3618594692-0
    • Opcode ID: 4f3d86407dd9789fcda393b78ce5ac7fd63888f80a1eb3623365494ce4a13953
    • Instruction ID: 924a1787494b7218af18a61af183fad3dce52c2ee49d1eb5a58533bd54cca456
    • Opcode Fuzzy Hash: 4f3d86407dd9789fcda393b78ce5ac7fd63888f80a1eb3623365494ce4a13953
    • Instruction Fuzzy Hash: FAC14C30610B4E8FEB99DF1CC88ABA577F0FB59314F1485A9E85ACB2A1C335D852CB15
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.259724908.000001F279C9B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001F279C9B000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1f279c9b000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ed34afde64f4defd51681823c72b705d98dd479eeb089942ec1be46fd4c04c2d
    • Instruction ID: d68b1b366a6c8a1355ad85578a674a3fd6d438c82414e17227597704335eeabe
    • Opcode Fuzzy Hash: ed34afde64f4defd51681823c72b705d98dd479eeb089942ec1be46fd4c04c2d
    • Instruction Fuzzy Hash: F0F1E330A19B4D4FDB19EF58C8856F9B7F1EBA9310F14427ED48BC7292DA309906CB85
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.259724908.000001F279C9B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001F279C9B000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1f279c9b000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 541710f845fd4202dd23b37e000bb6fe77ecd75944506428e97748b45ea3ae15
    • Instruction ID: 36c9370225d2c376f89a5b5cda71e629e0747c29e467108839c3c7f91b1996ba
    • Opcode Fuzzy Hash: 541710f845fd4202dd23b37e000bb6fe77ecd75944506428e97748b45ea3ae15
    • Instruction Fuzzy Hash: D4511332318E0D4FDB5CEEACD4996B573D2E7AC310B05832EE40AD72A5DA74D8468785
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.259724908.000001F279C9B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001F279C9B000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1f279c9b000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a045b2f751b5460fa633a29ece8ebdd46b3de0df5ba9f12dd207b5748212fe94
    • Instruction ID: 562fb5639ba43d89ff7d3ab074ce0299d2ea3433e306fd90393a11e5b6d6317e
    • Opcode Fuzzy Hash: a045b2f751b5460fa633a29ece8ebdd46b3de0df5ba9f12dd207b5748212fe94
    • Instruction Fuzzy Hash: 79314430619B499FDA94EF18C088B6AB7F0FBAD355F441A6DF489D72A0D774D880CB06
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.259724908.000001F279C9B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001F279C9B000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1f279c9b000_loaddll64.jbxd
    Similarity
    • API ID: Initialize__scrt_acquire_startup_lock__scrt_fastfail__scrt_release_startup_lock$__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_default_local_stdio_options__scrt_is_nonwritable_in_current_image__scrt_uninitialize_crt
    • String ID:
    • API String ID: 1988982384-0
    • Opcode ID: 59a5b4de44f6355801b1f155b58871900563701d3536bb07b74828003180b5cb
    • Instruction ID: d9b00279b2282e209e35d3b0d5dda4e474413f958ac4fa73189379165dbb2085
    • Opcode Fuzzy Hash: 59a5b4de44f6355801b1f155b58871900563701d3536bb07b74828003180b5cb
    • Instruction Fuzzy Hash: CB91833071AB464FFF94BB6898463F932E9E76C360F54467EE446C3296DA74CC418782
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.259724908.000001F279C9B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001F279C9B000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1f279c9b000_loaddll64.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID:
    • API String ID: 3668304517-0
    • Opcode ID: 7fbaef9c46b0c8ee2a82887f37f94b9b3dc8bc5b9c15c2ff3529230b087d5f66
    • Instruction ID: dc98d0dd5d888e0a22525d56ca5a7f925f36e7e5d5e0aabc2a735f45788ecafd
    • Opcode Fuzzy Hash: 7fbaef9c46b0c8ee2a82887f37f94b9b3dc8bc5b9c15c2ff3529230b087d5f66
    • Instruction Fuzzy Hash: EF61A430665E8E4AFF09F738984DBF873A1F3BC305F908629E446C22A6E93D55C48748
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.259724908.000001F279C9B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001F279C9B000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1f279c9b000_loaddll64.jbxd
    Similarity
    • API ID: DestructExceptionObject$__vcrt_getptd_noexit
    • String ID: csm
    • API String ID: 3780691363-1018135373
    • Opcode ID: 7c86f85e02e1cf17e2d905d46dea6ba077f0d3649df00ce6c101bcd2a45804e8
    • Instruction ID: 3a243331d2685bc37a472e469edb4255f8ac215f7a652cfbca45a6e7d92deb94
    • Opcode Fuzzy Hash: 7c86f85e02e1cf17e2d905d46dea6ba077f0d3649df00ce6c101bcd2a45804e8
    • Instruction Fuzzy Hash: 39314431219B058FEB64EF58C441BAA73F1FBAD350F51066DD48B93292D731E941CB8A
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.260342931.00007FFFE2721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE2720000, based on PE: true
    • Associated: 00000000.00000002.260329012.00007FFFE2720000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.260649306.00007FFFE2727000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.260656685.00007FFFE272A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.262944547.00007FFFE272C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263030356.00007FFFE27AC000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263219917.00007FFFE27DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263224431.00007FFFE27DD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.263232941.00007FFFE27E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7fffe2720000_loaddll64.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: @
    • API String ID: 1646373207-2766056989
    • Opcode ID: e0ca159923323c96d1c3349e815427a49f6cb7f5a8f3cd0aee64a08b7ea1ebf8
    • Instruction ID: d975a1463bae3fe2e0320c20488dea0be7252134faa9fdb011d84c1e31e79a96
    • Opcode Fuzzy Hash: e0ca159923323c96d1c3349e815427a49f6cb7f5a8f3cd0aee64a08b7ea1ebf8
    • Instruction Fuzzy Hash: B921C453E196C587FB408B66E0643BA67D0BB82BD0F844235DA9E87786EF6CD118C741
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage: 1.5%
    Dynamic/Decrypted Code Coverage: 100%
    Signature Coverage: 0%
    Total number of Nodes: 43
    Total number of Limit Nodes: 0

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.264034630.000001D07AA0B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D07AA0B000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1d07aa0b000_rundll32.jbxd
    Similarity
    • API ID: ComputerInfoLibraryLoadNameWksta
    • String ID: .$2$3$a$d$e$i$l$l$n$p$t
    • API String ID: 3393981993-1206877643
    • Opcode ID: 9f1df4b9c6e76e77351a2f1aa7da60c0e0fb4b368d1276d023936cfa14d4e98f
    • Instruction ID: 3c3f922093211bcc724ff4eada0293ba6571882157bc3b1b67326c3120b012a4
    • Opcode Fuzzy Hash: 9f1df4b9c6e76e77351a2f1aa7da60c0e0fb4b368d1276d023936cfa14d4e98f
    • Instruction Fuzzy Hash: AE81283051C7849FE3A5DB18C08879BBBE1FB99308F50495EE0C9CB2A1DB75D985CB02
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.264034630.000001D07AA0B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D07AA0B000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1d07aa0b000_rundll32.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: 2$3$a$a$d$i$p$v
    • API String ID: 1029625771-1673513319
    • Opcode ID: 886938e3ccb0d6dbac8807b67c971d65b303b8bc3fbc6529e8d30fe2f3ad3af2
    • Instruction ID: 1660e30a1ecbcd9dfbaf1ddeca26ea70ff393de5acf6ae155f3c0eb9c47ae00b
    • Opcode Fuzzy Hash: 886938e3ccb0d6dbac8807b67c971d65b303b8bc3fbc6529e8d30fe2f3ad3af2
    • Instruction Fuzzy Hash: BDE1D934918B889FD795EF68C085B9BB7E1FB98304F50085DA199CB2A1D775E882CF06
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.264034630.000001D07AA0B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D07AA0B000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1d07aa0b000_rundll32.jbxd
    Similarity
    • API ID: Initialize__scrt_acquire_startup_lock__scrt_fastfail__scrt_release_startup_lock$__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_default_local_stdio_options__scrt_is_nonwritable_in_current_image__scrt_uninitialize_crt
    • String ID:
    • API String ID: 1988982384-0
    • Opcode ID: 59a5b4de44f6355801b1f155b58871900563701d3536bb07b74828003180b5cb
    • Instruction ID: 96b71aeccc1d6c7c0920ccef35c5886dda4f609b16516c7d3276f2645071efb5
    • Opcode Fuzzy Hash: 59a5b4de44f6355801b1f155b58871900563701d3536bb07b74828003180b5cb
    • Instruction Fuzzy Hash: 6591A731E14706AFF7A6ABA898853DF32D1E75C310F54451BA48DDB296FB34EC818782
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.264034630.000001D07AA0B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D07AA0B000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1d07aa0b000_rundll32.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID:
    • API String ID: 3668304517-0
    • Opcode ID: 7fbaef9c46b0c8ee2a82887f37f94b9b3dc8bc5b9c15c2ff3529230b087d5f66
    • Instruction ID: 32216edc2e8c71dea8140ca410d8a2186129b52ca64b99eb4f44b0c17ac7feb1
    • Opcode Fuzzy Hash: 7fbaef9c46b0c8ee2a82887f37f94b9b3dc8bc5b9c15c2ff3529230b087d5f66
    • Instruction Fuzzy Hash: 9861D830924D4DAAFB0ABB7CD84DBEE73A1F39C315F908516D089C61E6EA3D65C48704
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.264034630.000001D07AA0B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D07AA0B000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1d07aa0b000_rundll32.jbxd
    Similarity
    • API ID: DestructExceptionObject$__vcrt_getptd_noexit
    • String ID: csm
    • API String ID: 3780691363-1018135373
    • Opcode ID: 7c86f85e02e1cf17e2d905d46dea6ba077f0d3649df00ce6c101bcd2a45804e8
    • Instruction ID: 39f6bbc85cf76d59aa9b0970f3b1b277479b38eb3ed7d655667ba5611d81a4b7
    • Opcode Fuzzy Hash: 7c86f85e02e1cf17e2d905d46dea6ba077f0d3649df00ce6c101bcd2a45804e8
    • Instruction Fuzzy Hash: 92310D31518A08AFD665EB58D441BDA73E1FB9C314F110569D4CE87292D721FD85CB82
    Uniqueness

    Uniqueness Score: -1.00%