Edit tour

Windows Analysis Report
dup2patcher.dll

Overview

General Information

Sample name:	dup2patcher.dll
Analysis ID:	1411078
MD5:	1e4c47cb43d537d50a60592b42345da9
SHA1:	0433554c251dc75b8ba4251663aa1a3bce641306
SHA256:	6f8650fa49a74fbbabb51f1cced99d11732c177ecb1049ec59ebc79b16daf1ed
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Generic Patcher

Found stalling execution ending in API Sleep call

Machine Learning detection for sample

PE file has a writeable .text section

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

One or more processes crash

PE file contains an invalid checksum

Sample execution stops while process was sleeping (likely an evasion)

Sleep loop found (likely to delay execution)

Tries to load missing DLLs

Uses 32bit PE files

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7460 cmdline: loaddll32.exe "C:\Users\user\Desktop\dup2patcher.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7512 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7536 cmdline: rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7644 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7536 -s 628 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7520 cmdline: rundll32.exe C:\Users\user\Desktop\dup2patcher.dll,AddMsg MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7652 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 616 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7816 cmdline: rundll32.exe C:\Users\user\Desktop\dup2patcher.dll,CloseFileMapping MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7908 cmdline: rundll32.exe C:\Users\user\Desktop\dup2patcher.dll,CloseFileMapping_readonly MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7936 cmdline: rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",AddMsg MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7244 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7936 -s 624 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7944 cmdline: rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",CloseFileMapping MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7952 cmdline: rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",CloseFileMapping_readonly MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7960 cmdline: rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",write_disk_file MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7256 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7960 -s 624 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7968 cmdline: rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",load_patcher MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7980 cmdline: rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",SetRegString MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7992 cmdline: rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",SetRegDword MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 8000 cmdline: rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",SearchAndReplace MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 8072 cmdline: rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",Reg_Delete_Value MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 8108 cmdline: rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",LoadFileMapping MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 8116 cmdline: rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",GetRegString MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 8124 cmdline: rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",GetRegDword MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 8140 cmdline: rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",GetPluginDataMemory MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 8156 cmdline: rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",GetPatcherWindowHandle MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
dup2patcher.dll	JoeSecurity_GenericPatcher	Yara detected Generic Patcher	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: rundll32.exe PID: 7520	JoeSecurity_GenericPatcher	Yara detected Generic Patcher	Joe Security
Process Memory Space: rundll32.exe PID: 7536	JoeSecurity_GenericPatcher	Yara detected Generic Patcher	Joe Security
Process Memory Space: rundll32.exe PID: 7936	JoeSecurity_GenericPatcher	Yara detected Generic Patcher	Joe Security
Process Memory Space: rundll32.exe PID: 7960	JoeSecurity_GenericPatcher	Yara detected Generic Patcher	Joe Security
Process Memory Space: rundll32.exe PID: 7968	JoeSecurity_GenericPatcher	Yara detected Generic Patcher	Joe Security
Process Memory Space: rundll32.exe PID: 8108	JoeSecurity_GenericPatcher	Yara detected Generic Patcher	Joe Security
Process Memory Space: rundll32.exe PID: 8140	JoeSecurity_GenericPatcher	Yara detected Generic Patcher	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
23.2.rundll32.exe.6cd70000.0.unpack	JoeSecurity_GenericPatcher	Yara detected Generic Patcher	Joe Security
16.2.rundll32.exe.6cd70000.1.unpack	JoeSecurity_GenericPatcher	Yara detected Generic Patcher	Joe Security
15.2.rundll32.exe.6cd70000.0.unpack	JoeSecurity_GenericPatcher	Yara detected Generic Patcher	Joe Security
12.2.rundll32.exe.6cd70000.0.unpack	JoeSecurity_GenericPatcher	Yara detected Generic Patcher	Joe Security
4.2.rundll32.exe.6cd70000.0.unpack	JoeSecurity_GenericPatcher	Yara detected Generic Patcher	Joe Security
26.2.rundll32.exe.6cd70000.0.unpack	JoeSecurity_GenericPatcher	Yara detected Generic Patcher	Joe Security
3.2.rundll32.exe.6cd70000.0.unpack	JoeSecurity_GenericPatcher	Yara detected Generic Patcher	Joe Security
Click to see the 2 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: dup2patcher.dll

ReversingLabs: Detection: 65%

Machine Learning detection for sample

Source: dup2patcher.dll

Joe Sandbox ML: detected

Source: dup2patcher.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: dup2patcher.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CD76CE0 FindFirstFileA,FindClose,

3_2_6CD76CE0

Source: rundll32.exe, 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2061818750.000000006CDC9000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2084019877.000000006CDC9000.00000080.00000001.01000000.00000003.sdmp	String found in binary or memory: "Arte"Adobe Acrobat Pro DC 2022.002.20191 Patch - MrSzzS https://www.youtube.com/channel/UCcf3dtQFVb5zfy0jGYNpA0w equals www.youtube.com (Youtube)
Source: rundll32.exe, 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2061818750.000000006CDC9000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2084019877.000000006CDC9000.00000080.00000001.01000000.00000003.sdmp	String found in binary or memory: Adobe Acrobat Pro DC 2022.002.20191 Patch - MrSzzS https://www.youtube.com/channel/UCcf3dtQFVb5zfy0jGYNpA0w equals www.youtube.com (Youtube)
Source: rundll32.exe, 00000010.00000002.3502791204.000000000604F000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: vXKL\|Adobe Acrobat Pro DC 2022.002.20191 Patch - MrSzzS https://www.youtube.com/channe equals www.youtube.com (Youtube)

Source: rundll32.exe, 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2061818750.000000006CDC9000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2084019877.000000006CDC9000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.2081833980.000000006CDC9000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.3502957078.000000006CDC9000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.1763564981.000000006CDC9000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.1763068898.000000006CDC9000.00000080.00000001.01000000.00000003.sdmp, dup2patcher.dll	String found in binary or memory: http://diablo2oo2.cjb.netPe
Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000010.00000002.3502791204.000000000604F000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/channe
Source: dup2patcher.dll	String found in binary or memory: https://www.youtube.com/channel/UCcf3dtQFVb5zfy0jGYNpA0w

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CD771E0 lstrlenA,OpenClipboard,GlobalAlloc,GlobalLock,lstrcpyA,EmptyClipboard,GlobalUnlock,SetClipboardData,CloseClipboard,

3_2_6CD771E0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CD771E0 lstrlenA,OpenClipboard,GlobalAlloc,GlobalLock,lstrcpyA,EmptyClipboard,GlobalUnlock,SetClipboardData,CloseClipboard,

3_2_6CD771E0

System Summary

PE file has a writeable .text section

Source: dup2patcher.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CD79FA0	3_2_6CD79FA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CD777A9	3_2_6CD777A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CD79762	3_2_6CD79762
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CD7805E	3_2_6CD7805E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_10001B17	16_2_10001B17
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_10001AE4	16_2_10001AE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_100015E5	16_2_100015E5

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7536 -s 628

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: dup2patcher.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: bassmod.dll.16.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal68.evad.winDLL@44/19@0/0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CD7149B FindResourceA,SizeofResource,LoadResource,

3_2_6CD7149B

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7520
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7960
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7936
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7536

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b10a86f5-b518-41d3-adee-bdbc9e27f919

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dup2patcher.dll,AddMsg

Source: dup2patcher.dll

ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\dup2patcher.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dup2patcher.dll,AddMsg
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7536 -s 628
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 616
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dup2patcher.dll,CloseFileMapping
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dup2patcher.dll,CloseFileMapping_readonly
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",AddMsg
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",CloseFileMapping
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",CloseFileMapping_readonly
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",write_disk_file
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",load_patcher
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",SetRegString
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",SetRegDword
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",SearchAndReplace
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",Reg_Delete_Value
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",LoadFileMapping
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",GetRegString
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",GetRegDword
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",GetPluginDataMemory
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",GetPatcherWindowHandle
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7936 -s 624
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7960 -s 624
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dup2patcher.dll,AddMsg	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dup2patcher.dll,CloseFileMapping	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dup2patcher.dll,CloseFileMapping_readonly	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",AddMsg	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",CloseFileMapping	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",CloseFileMapping_readonly	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",write_disk_file	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",load_patcher	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",SetRegString	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",SetRegDword	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",SearchAndReplace	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",Reg_Delete_Value	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",LoadFileMapping	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",GetRegString	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",GetRegDword	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",GetPluginDataMemory	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",GetPatcherWindowHandle	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: dup2patcher.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CD75AFE GetTempPathA,lstrcatA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_6CD75AFE

Source: dup2patcher.dll	Static PE information: real checksum: 0x19917 should be: 0xdb0e1
Source: bassmod.dll.16.dr	Static PE information: real checksum: 0x0 should be: 0xd5d3

Source: bassmod.dll.16.dr

Static PE information: section name: .text entropy: 6.891621988635923

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\Temp\bassmod.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Windows\SysWOW64\rundll32.exe

Stalling execution: Execution stalls by calling Sleep

graph_16-808

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CD768D3 rdtsc

3_2_6CD768D3

Source: C:\Windows\SysWOW64\rundll32.exe

Window / User API: threadDelayed 2533

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bassmod.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 0.5 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Thread sleep count: Count: 2533 delay: -5

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CD76CE0 FindFirstFileA,FindClose,

3_2_6CD76CE0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CD74616 GetSystemInfo,CreateFileA,GetFileSize,CreateFileMappingA,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,

3_2_6CD74616

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CD768D3 rdtsc

3_2_6CD768D3

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CD75AFE GetTempPathA,lstrcatA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_6CD75AFE

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CD767DE push dword ptr fs:[00000030h]		3_2_6CD767DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CD767F8 push dword ptr fs:[00000030h]		3_2_6CD767F8

HIPS / PFW / Operating System Protection Evasion

Yara detected Generic Patcher

Source: Yara match	File source: dup2patcher.dll, type: SAMPLE
Source: Yara match	File source: 23.2.rundll32.exe.6cd70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.6cd70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.6cd70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.6cd70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6cd70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.6cd70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6cd70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 8108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 8140, type: MEMORYSTR

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CD76FA0 GetVersionExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,

3_2_6CD76FA0

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	OS Credential Dumping	31 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	3 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
dup2patcher.dll	65%	ReversingLabs	Win32.Trojan.Generic
dup2patcher.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\bassmod.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://diablo2oo2.cjb.netPe	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.8.dr	false		high
https://www.youtube.com/channe	rundll32.exe, 00000010.00000002.3502791204.000000000604F000.00000004.00000010.00020000.00000000.sdmp	false		high
http://diablo2oo2.cjb.netPe	rundll32.exe, 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2061818750.000000006CDC9000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2084019877.000000006CDC9000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.2081833980.000000006CDC9000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.3502957078.000000006CDC9000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.1763564981.000000006CDC9000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.1763068898.000000006CDC9000.00000080.00000001.01000000.00000003.sdmp, dup2patcher.dll	false	Avira URL Cloud: safe	unknown
https://www.youtube.com/channel/UCcf3dtQFVb5zfy0jGYNpA0w	dup2patcher.dll	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1411078
Start date and time:	2024-03-18 15:39:26 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	dup2patcher.dll
Detection:	MAL
Classification:	mal68.evad.winDLL@44/19@0/0
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 6 Number of non-executed functions: 66
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rundll32.exe, PID 7960 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
VT rate limit hit for: dup2patcher.dll

Simulations

Behavior and APIs

Time	Type	Description
15:41:13	API Interceptor	307645x Sleep call for process: rundll32.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\bassmod.dll	(x64bit.)_patch.exe	Get hash	malicious	Unknown	Browse
	(x64bit.)_patch.exe	Get hash	malicious	Unknown	Browse
	wb31oyhUxK.exe	Get hash	malicious	Unknown	Browse
	wb31oyhUxK.exe	Get hash	malicious	Unknown	Browse
	ABLETON PATCHER.exe	Get hash	malicious	Unknown	Browse
	Patch.exe	Get hash	malicious	Unknown	Browse
	y3EXL3p857.exe	Get hash	malicious	Unknown	Browse
	adobe.cs6.all.products.activator.exe	Get hash	malicious	Unknown	Browse
	(x64bit.)_patch.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_5aa1c5c01549fa45ad9a16e66b3c3c2aa3426eb_7522e4b5_23c4799e-a01f-4f8f-8700-ed783e5e0556\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8634090815005683
Encrypted:	false
SSDEEP:	192:4vPiieO6KK0BU/wjeTzDzuiFJZ24IO8dci2:QPiifvRBU/wjejzuiFJY4IO8dci
MD5:	4805E6C7F695BD02215C85857080E26F
SHA1:	5E324E3C7212287BE07E666959F85BBF654AFB7C
SHA-256:	3B37C27439867E4DB9B5DCC95F4CDB603A77FDC589C1F35F7DAA19A4ECA82715
SHA-512:	08B3223218CD93A3CF60E4443C73341D253D716C6880438FF1B92A5F04473928E2995FCACF403380F4698FB5A24702F4574E001BCAD670C7C9BCD0DB617CD841
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.5.2.4.6.4.2.6.1.9.9.9.0.5.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.5.2.4.6.4.2.7.0.9.2.8.1.3.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.3.c.4.7.9.9.e.-.a.0.1.f.-.4.f.8.f.-.8.7.0.0.-.e.d.7.8.3.e.5.e.0.5.5.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.e.7.6.2.6.b.5.-.3.2.0.c.-.4.b.c.9.-.b.3.a.c.-.0.2.1.4.c.c.0.5.e.e.b.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.1.8.-.0.0.0.1.-.0.0.1.4.-.e.f.3.4.-.6.0.3.6.4.2.7.9.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_717b893d71ade4662cb34ff8156d52b401b83c9_7522e4b5_43c3c8b8-f495-436e-b067-5961b7a877fa\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8633748343734353
Encrypted:	false
SSDEEP:	192:M9/2i5ObN0BU/wjeTzDzuiFJZ24IO8dci:S2iQbOBU/wjejzuiFJY4IO8dci
MD5:	C5BC27AF25418B43C10A04523AD371CC
SHA1:	F603098DEEE7DC48C78AAC501B913671139DA477
SHA-256:	350575B82AB66A6DEEA1BBC336B4F0B364474F2631869C17CF84B0226F5F42EB
SHA-512:	A5E911A8271C776C0A88DB77640BD9A02AEA06BD54F8A09FEB4971D704EEA485C348AE8CE0F27468EC61A7CF57B9504D45A214DE33C36B59445CE7B11342F529
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.5.2.4.6.4.1.6.4.0.5.8.9.8.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.5.2.4.6.4.1.7.4.6.8.4.2.7.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.3.c.3.c.8.b.8.-.f.4.9.5.-.4.3.6.e.-.b.0.6.7.-.5.9.6.1.b.7.a.8.7.7.f.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.3.0.7.c.4.5.b.-.f.8.d.e.-.4.0.1.f.-.a.2.4.6.-.f.4.0.3.1.f.3.8.c.5.6.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.6.0.-.0.0.0.1.-.0.0.1.4.-.7.a.9.c.-.e.7.3.0.4.2.7.9.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_717b893d71ade4662cb34ff8156d52b401b83c9_7522e4b5_4911ab3a-36da-4fff-bddc-3152bc9cdcd8\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8627133963712349
Encrypted:	false
SSDEEP:	96:EeFD6iEhVyCLsj94sh7efoQXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyNl4E5:DYiEOAN0BU/wjeTzDzuiFJZ24IO8dci
MD5:	D6708028BCD34EBA70FA25ECDB43F536
SHA1:	F3ED8BB7CCF88847CBAA3414E9B9EDA9189F04E9
SHA-256:	89D8836FE3C7F4F8B65F535D0B20073A7707BD65C60C4442E15383E27918FF7A
SHA-512:	F178E5CA3A1C2B9594A404C7069F7C3DCC9256124E7DF179510AC725773F8B0BC641A6CA9BE3F94F3D82261476B89B33F003CC21C373ED0062B9E82E5382F270
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.5.2.4.6.4.1.6.3.9.1.5.1.3.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.5.2.4.6.4.1.7.4.6.9.6.6.3.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.9.1.1.a.b.3.a.-.3.6.d.a.-.4.f.f.f.-.b.d.d.c.-.3.1.5.2.b.c.9.c.d.c.d.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.3.3.7.d.a.3.-.4.3.9.6.-.4.f.c.9.-.b.1.0.7.-.a.a.2.c.9.d.c.4.e.4.0.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.7.0.-.0.0.0.1.-.0.0.1.4.-.9.2.3.f.-.e.a.3.0.4.2.7.9.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_717b893d71ade4662cb34ff8156d52b401b83c9_7522e4b5_a92e9e53-3091-45c3-a6b1-e201de41f298\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8628110966767798
Encrypted:	false
SSDEEP:	192:pYitOAN0BU/wjeTzDzuiFJZ24IO8dciY:iikAOBU/wjejzuiFJY4IO8dciY
MD5:	23E8D0F7A8C2DEB922DAC2CB693F7138
SHA1:	FE739D1FB52133CA566E51AFDC1B8B3548FC31A7
SHA-256:	7BDC781AEF31D1304CB898A0C061418A5AC52A3BD1263CF893012088C7E24243
SHA-512:	F59B047A09981122BCF12A796027AD064C898332BB42421BF3BC3374A75E6EF0B8F8F14F1FA58751D2B43F669881A61258CCC3B0D65BF352C8494DBC6F4F5340
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.5.2.4.6.4.2.6.2.0.8.0.7.7.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.5.2.4.6.4.2.7.2.3.6.1.3.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.9.2.e.9.e.5.3.-.3.0.9.1.-.4.5.c.3.-.a.6.b.1.-.e.2.0.1.d.e.4.1.f.2.9.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.7.b.a.4.d.a.-.f.7.2.e.-.4.6.b.1.-.8.d.0.8.-.6.0.5.e.e.0.4.e.0.6.5.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.0.0.-.0.0.0.1.-.0.0.1.4.-.9.1.3.a.-.5.7.3.6.4.2.7.9.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B1E.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Mar 18 14:40:16 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44482
Entropy (8bit):	1.9136058928091428
Encrypted:	false
SSDEEP:	192:fkpI0QBUYA6eO5H46HTJSh2gegTGK03AeI2x+Qn5:M7QBUwZ5HNHcegKTAeWQn
MD5:	F4FAAB0C7E77F91FE1F390FE90B6D76F
SHA1:	6B1B032010A7B80E4E80C042EA6B04E6712A06AE
SHA-256:	44EA82163F45229BE3B6C9845EF18681536687BD09D2374513D45DE34114200E
SHA-512:	73F13DF4BDE786DF24E4EF1828986C9EB66FA9F646AB3C2FCEFA64CA7094CA624FF37510369D6D651922122C5709A3E7E6165D366CF1BCDBCAADAAE38F3A4F9E
Malicious:	false
Preview:	MDMP..a..... .......PR.e........................4...............\|(..........T.......8...........T......................................................................................................................eJ......T.......GenuineIntel............T.......p...OR.e.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B2E.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Mar 18 14:40:16 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	41606
Entropy (8bit):	2.003216266983777
Encrypted:	false
SSDEEP:	192:fkF2QBUPA6OO5H4+m3aVmycg57fXUPhL5zEZI:MF2QBUbJ5Hrmycq78PhkI
MD5:	79B6839E11D07F254C8A2487D7491FD3
SHA1:	E97255B78C6B7FD2E43D034FFE4C2A455187DC6E
SHA-256:	EA98C5FEFF74D49760E3100FB624488E63A1BE2A5A0DF4D4493101825574BB3F
SHA-512:	3413FC0281E6012A1889701EA1C8BB7209391797E1198ACAAAD1CA06C5C15551C31FEF76889B9B3693BF375B26853E2C3FEDFF65599A1BB6B9F0E3AC8536C285
Malicious:	false
Preview:	MDMP..a..... .......PR.e........................4...............\|(..........T.......8...........T......................................................................................................................eJ......T.......GenuineIntel............T.......`...OR.e.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C29.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8270
Entropy (8bit):	3.691434301913823
Encrypted:	false
SSDEEP:	192:R6l7wVeJljh6IQl6YHr6igmfT73Dprt89bq9sfSHOm:R6lXJZh6IQl6YL6igmfT73kq2fq
MD5:	63626F3A7E52DC6C511CF7CF5A4D7426
SHA1:	D9F3C0D4B61CCCE3180EED58CD0A6A1F6A21FCC6
SHA-256:	A8222E7D07F6F429EA135CE28D4885AB171FF2434AF0C00025D599D874EE6F5A
SHA-512:	D31D1372CCADCFC49F2FA361BB71714C0CD02DC32A9E3371FF0EF74D5603BE36503A5770F542AF6033DE9CF4B98E16DEECCC461D227894DC10127F5D474F135A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C2A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8262
Entropy (8bit):	3.6916520780216944
Encrypted:	false
SSDEEP:	192:R6l7wVeJCjk6IQo6YKQ6CgmfT73DprY89bqjsfxOm:R6lXJ0k6IQo6YN6CgmfT737qIfB
MD5:	EF1E3EFFCBC4F3638F60363363CBB5B8
SHA1:	312944955CDEE480ECB70D15CFED27DC3A0FB8B1
SHA-256:	E30A46FD02B0AB8E5B21E9278477D70D702F9C30B209793F03C0AFED9AB8C10A
SHA-512:	D4E3E8BE3D3D7648F9FDD876D2ABA91C6AFAD4AD13F4BF59B4884F912BB912A4CFEDBEEF88E5AF65F3D9A2D9EC11656E1CE2658FE5BD075E4396FAA45BC5CB7F
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C69.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4652
Entropy (8bit):	4.45524215086991
Encrypted:	false
SSDEEP:	48:cvIwWl8zsFiJg77aI9Z+WpW8VYVYm8M4JCdPsFl+q8/CSGScSrd:uIjfyI7j/7VhJRGJ3rd
MD5:	8D65CCE7A076BB1DAA1ADEB1AE64ADCB
SHA1:	99D7613860590CE04E4DD01E450FAC6C1D8291F7
SHA-256:	F834CC990339053F718773C4970E57F551ABCB2A589A072A4CC9E8CB74964502
SHA-512:	C429A1E1041C20CD83BCBDBA9CED3BE03BB9A19A75636AAEB7D5F27BEBBABBC912C89CA3244EACB1625C2833FA6B9DFFFC8071E7D68E78B287758893D3643BEE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="240822" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C78.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4652
Entropy (8bit):	4.4571387114883905
Encrypted:	false
SSDEEP:	48:cvIwWl8zsFiJg77aI9Z+WpW8VYFYm8M4JCdPsFi+q8/CzGScSgd:uIjfyI7j/7VZJWPJ3gd
MD5:	906BA3F1352C02A744D631B2A924B0F4
SHA1:	E9ACDEA73E91948ED6BB96B65B7DA9F52381AD44
SHA-256:	DBE916F396941DF344ABDD9576FA5900F46A939CDDA4CCDC197F18752353A278
SHA-512:	6A5612945C39BB117ED0A3493E740DE06844453801FE5B6BA8A12C1064D887273DEDD77343BE6A363600C515D3B4CD3C27418DCEE2A2E391B62BBE1C89E87E03
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="240822" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6183.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Mar 18 14:40:26 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	41446
Entropy (8bit):	2.0152169867690217
Encrypted:	false
SSDEEP:	192:VkJwQBU+A6lXO5H4WHDHt+3ZHSIQwrS9CMIeAAS9R:eJwQBUSg5HPBIHRQkS9+dAS
MD5:	EA563DF2337F511E12182C45ED58E2B8
SHA1:	2CA83AA6742ABDB879ECC48523318E21AEC621A2
SHA-256:	9EF59072F0048F84D37DBD907B5F7C868C743B36113408FEC18378A45D63CFF1
SHA-512:	96A41EB0E285421D1E40340BA7BE8E062E5459090981A9CF1675DC1715D57263489A58AD5D755067E2979BA4511A2EE935692AB153A72D9BAC27E8FBC6D03FE4
Malicious:	false
Preview:	MDMP..a..... .......ZR.e........................4...............\|(..........T.......8...........T...............N.......................................................................................................eJ......T.......GenuineIntel............T...........XR.e.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6201.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Mar 18 14:40:26 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44070
Entropy (8bit):	1.9084622428371156
Encrypted:	false
SSDEEP:	192:VkfdQBUeA6XEXO5H4LFsIyUKg0g+Vvxw/:efdQBUy55H4GUKp5w/
MD5:	C67885E656764EBDC4FE68F8E1CC7CE7
SHA1:	4D74C5193F81EE8304A5B0305DE65938E31627FF
SHA-256:	10C898E3F1D312E4956CFFBD66D4C3070471A69782BCAB39F105C1E84C259103
SHA-512:	D93027BBE31076D0300D196E9D71FB72C6AD1385CF8DAA902FF4DB2E16E4E898FD1A11F5F243DE29A8992907AB215EA760193596826CD2B38D47503F0739E4BE
Malicious:	false
Preview:	MDMP..a..... .......ZR.e........................4...............\|(..........T.......8...........T.......................................................................................................................eJ......T.......GenuineIntel............T...........XR.e.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER62DB.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8288
Entropy (8bit):	3.6915361991192523
Encrypted:	false
SSDEEP:	192:R6l7wVeJd06IQrS7t6YHa6f8gmfTRJTG3Dpra89bZFsf81Tm:R6lXJe6IQe7t6Y66EgmfTRJi3NZef8s
MD5:	33DEB296812A89AD79C72ECE1DAEF644
SHA1:	A47E029E3FD7DF7EC76D0896DD4F0A18F45DE973
SHA-256:	3003954DB92E9858B7A702BC7E14A2BE98A527AB9B3155D1E316772E58473ABB
SHA-512:	CA645FF6584559DDD73729D2B7695148E069D26562305F0755302A7CDA1CA6A307D1D61B1056D774B3ECC72A3D16048C9AE135B4B70F158E166F1FF9DA7746F2
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER631B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4656
Entropy (8bit):	4.459350849309811
Encrypted:	false
SSDEEP:	48:cvIwWl8zsjJg77aI9Z+WpW8VYdYm8M4JCdPPFo+q8/ahJGScSwd:uIjf9I7j/7VpJzJJJ3wd
MD5:	5C3B958AFFA2FDE0DF4A6F53A86520BD
SHA1:	C8B79791A09324F90DA502D2986D2358EEB8E3A2
SHA-256:	410A18C1D00122862B553A6D57241B498F173CFE1FEB1443CADFC307F84570C2
SHA-512:	1C713DAFB875CFDFF62884A9BE642E915D80327673C714BBD43A56033E34221FF3C391F5F1D0AE725423634A580407169243CFDAACB6E2B1ACFBAA4864E4E254
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="240823" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6369.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8284
Entropy (8bit):	3.689632985672657
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+V6IQw6YHj6f8gmfT73Dpr189bZcsf06Tm:R6lXJc6IQw6YD6EgmfT73MZvfK
MD5:	D0B4C5E0819F651EC1723EDD484E48AE
SHA1:	82A15AB0E5A736130C9D49E287B41C422E62E1ED
SHA-256:	4D1CDC06F57B6306B003390765E73AE3C9979FB6FED6FF35378C2221751B00A8
SHA-512:	372133F4979E8316D4E0329767A2A8AA7444AB38A639C31F682397BB12BE5CF291361A03F16358ED8E0617A17D04BE4241D54934377819F450CC17D944562ECF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER63A8.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4652
Entropy (8bit):	4.455520517610147
Encrypted:	false
SSDEEP:	48:cvIwWl8zsjJg77aI9Z+WpW8VY9Ym8M4JCdPsFL+q8/CPGScS4d:uIjf9I7j/7VBJPDJ34d
MD5:	CEFD9F87E167400C8E55339EF205030B
SHA1:	4F21027128201F904DC96C5BD7C203C6800478FB
SHA-256:	E376499F8046B9DE87D7998E471F69C87C29BE7528DFF527E66540B94DB3356A
SHA-512:	5E1F5D3C86C7E116E77A3A3EA01CE45635EF839F95268D081066650F433B50445EB13C4D4A6AE0BB49DC3AF50179D0E205083391A4606802F8F6197CBC9FD2EF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="240823" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\bassmod.dll

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	9728
Entropy (8bit):	6.1880911690664036
Encrypted:	false
SSDEEP:	192:Yjtr1Et860Vu6tAo2j+feMnkqtDXuulsa7k0yRlm7/Pdl:AtU8Zu6K+feJCuwsL00la/Pd
MD5:	780D14604D49E3C634200C523DEF8351
SHA1:	E208EF6F421D2260070A9222F1F918F1DE0A8EEB
SHA-256:	844EB66A10B848D3A71A8C63C35F0A01550A46D2FF8503E2CA8947978B03B4D2
SHA-512:	A49C030F11DA8F0CDC4205C86BEC00653EC2F8899983CAD9D7195FD23255439291AAEC5A7E128E1A103EFD93B8566E86F15AF89EBA4EFEBF9DEBCE14A7A5564B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: (x64bit.)_patch.exe, Detection: malicious, Browse Filename: (x64bit.)_patch.exe, Detection: malicious, Browse Filename: wb31oyhUxK.exe, Detection: malicious, Browse Filename: wb31oyhUxK.exe, Detection: malicious, Browse Filename: ABLETON PATCHER.exe, Detection: malicious, Browse Filename: Patch.exe, Detection: malicious, Browse Filename: y3EXL3p857.exe, Detection: malicious, Browse Filename: adobe.cs6.all.products.activator.exe, Detection: malicious, Browse Filename: (x64bit.)_patch.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Qn....t...t...t...t...t../f...t...g...t.Rich..t.........................PE..L...<..G...........!.........,...............0......................................................................p2......`0..<............................p.......................................................0..\............................text...\|........................... ..`.rdata..+....0......................@..@.data...n"...@......................@....reloc.......p......."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466236487843889
Encrypted:	false
SSDEEP:	6144:yIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSbG:3XD94+WlLZMM6YFHT+G
MD5:	8B0263C086B522580FE9611E6E6DB8E2
SHA1:	608A72174F3FDF77E6522C20304523194273DD75
SHA-256:	EE43FAE69F704EC8FDD1EE50A35DFA818577BC7872D57E13257D858977BB82E3
SHA-512:	C45F6ACA51C49574CB7ADBA842D88ADB999E71F5609E1833C95C80842688317715922BB8B365644B0FA4EB11A0C88C1FC9AD935CAF3DB76CAD52D3AC4688F75D
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..Q1By..............................................................................................................................................................................................................................................................................................................................................b.G.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	43
Entropy (8bit):	2.873975431849053
Encrypted:	false
SSDEEP:	3:NNAb/Xs6Iu9v:fj6Iu9v
MD5:	0DFC49F33913C29D911693F804AA4B7B
SHA1:	4231F9731BA16E024959470640151B69AA58DF6E
SHA-256:	187FEF245C6F38EF8899AF96C28C1F6227AC0F86288B651B0CF938CB09A15A77
SHA-512:	82A090D26D81F44A5B2356BA1EFCA91A9623772F2CB8688A59AF4C4221C3D626B5E63B952377F9ECA49A04E81AB754BF369C42F23CA587DEF0646BAE5C967852
Malicious:	false
Preview:	.. /help : show help menu..

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.978636454243838
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	dup2patcher.dll
File size:	845'312 bytes
MD5:	1e4c47cb43d537d50a60592b42345da9
SHA1:	0433554c251dc75b8ba4251663aa1a3bce641306
SHA256:	6f8650fa49a74fbbabb51f1cced99d11732c177ecb1049ec59ebc79b16daf1ed
SHA512:	d6e316cf0a45f479d84ba74917407220ba9421f9edd656835487fb6ccb79f7bbf78a44e885d1f9c440cb5ac4387f3f9b943b505148efc34fd73db22f83b03288
SSDEEP:	12288:dc2ldltF9jWPSOF94sd0WLOpK2AAYuoUwwZS9ss:oXF94sdzLOA2quFZSe
TLSH:	F6050A1A2E45795FE25840310EFC8A385164BEA54E7A27B33408BD7DE7F3DE22E95B04
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........bd..............! .....n#.......u.......................u.......u.......u.......u......Rich............................PE..L..

File Icon


Icon Hash:	3a4d4e4b4d4dc524

Static PE Info

General

Entrypoint:	0x100020e0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x50D4CDC6 [Fri Dec 21 20:59:50 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	83020f15ee2bf91778ac579a3da17a47

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFC00h
cmp dword ptr [ebp+0Ch], 01h
jne 00007FB49C889D7Dh
push dword ptr [ebp+08h]
pop dword ptr [1000D8A2h]
jmp 00007FB49C889D78h
cmp dword ptr [ebp+0Ch], 00000000h
jne 00007FB49C889D72h
mov eax, 00000001h
leave
retn 000Ch
call 00007FB49C88BD8Dh
ret
mov eax, dword ptr [1000D8A6h]
ret
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00h]
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push esi
push edi
push ebx
lea edi, dword ptr [ebp-10h]
push edi
push dword ptr [ebp+08h]
call 00007FB49C889DC0h
xor ebx, ebx
jmp 00007FB49C889D95h
jmp 00007FB49C889DA2h
cmp byte ptr [esi], 00000018h
jne 00007FB49C889D8Eh
push 00000010h
lea eax, dword ptr [esi+01h]
push eax
push edi
call 00007FB49C889DF9h
or eax, eax
je 00007FB49C889D7Eh
mov eax, esi
add eax, 11h
pop ebx
pop edi
pop esi
leave
retn 0004h
inc ebx
push ebx
push dword ptr [1000D8A2h]
call 00007FB49C8890A7h
mov esi, eax
or esi, esi
jne 00007FB49C889D3Eh
xor eax, eax
pop ebx
pop edi
pop esi
leave
retn 0004h
lea esp, dword ptr [esp+00000000h]
nop
push ebp
mov ebp, esp
push esi
push edi
push ebx
push dword ptr [ebp+08h]
call 00007FB49C88E877h
mov ebx, eax
cmp ebx, 00000000h
jbe 00007FB49C889D9Eh
call 00007FB49C892153h
push ebx
push dword ptr [ebp+08h]
call 00007FB49C89218Ah
call 00007FB49C8921E5h

Rich Headers

Programming Language:

[IMP] VS2010 build 30319
[ASM] VS2010 build 30319
[EXP] VS2010 build 30319
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xbe70	0x1a2	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb250	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0xc2008	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe6000	0x848	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x244	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x984a	0x9a00	630036cb54e7f57d038ff4e758d19300	False	0.4360541801948052	data	6.469679413749833	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb000	0x1012	0x1200	9d9e0caf081d12bd2054b1f9f8747760	False	0.4123263888888889	data	4.894290260501196	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xd000	0x157b8	0xa00	80e4d51bc569aa91cd637e3c92bafcc8	False	0.37890625	data	4.928521806064837	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x23000	0xc2008	0xc2200	e4d2f23758b25ecefe459da9623fc9f1	False	0.26892883733097234	data	5.88629001180517	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xe6000	0x95a	0xa00	229327a048e1470575c5f96c41498a2a	False	0.731640625	data	6.124819387518312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_CURSOR	0x23ac0	0x134	data	0.37012987012987014
RT_BITMAP	0x23bf4	0x3aa	Device independent bitmap graphic, 18 x 16 x 24, image size 898, resolution 11808 x 11808 px/m	0.6151385927505331
RT_BITMAP	0x23fa0	0x3aa	Device independent bitmap graphic, 18 x 16 x 24, image size 898, resolution 11808 x 11808 px/m	0.6876332622601279
RT_BITMAP	0x2434c	0x3aa	Device independent bitmap graphic, 18 x 16 x 24, image size 898, resolution 11808 x 11808 px/m	0.6780383795309168
RT_BITMAP	0x246f8	0x3aa	Device independent bitmap graphic, 18 x 16 x 24, image size 898, resolution 11808 x 11808 px/m	0.6631130063965884
RT_BITMAP	0x24aa4	0x3aa	Device independent bitmap graphic, 18 x 16 x 24, image size 898, resolution 11808 x 11808 px/m	0.6257995735607675
RT_BITMAP	0x24e50	0x3aa	Device independent bitmap graphic, 18 x 16 x 24, image size 898, resolution 11808 x 11808 px/m	0.5895522388059702
RT_BITMAP	0x251fc	0x2226	Device independent bitmap graphic, 99 x 29 x 24, image size 8702, resolution 11808 x 11808 px/m	0.44623655913978494
RT_BITMAP	0x27424	0x2226	Device independent bitmap graphic, 99 x 29 x 24, image size 8702, resolution 11808 x 11808 px/m	0.5518188057652711
RT_BITMAP	0x2964c	0x2226	Device independent bitmap graphic, 99 x 29 x 24, image size 8702, resolution 11808 x 11808 px/m	0.2981011210249371
RT_BITMAP	0x2b874	0x2576	Device independent bitmap graphic, 102 x 31 x 24, image size 9550, resolution 11808 x 11808 px/m	0.49290928050052135
RT_BITMAP	0x2ddec	0x2576	Device independent bitmap graphic, 102 x 31 x 24, image size 9550, resolution 11808 x 11808 px/m	0.4760166840458811
RT_BITMAP	0x30364	0x2576	Device independent bitmap graphic, 102 x 31 x 24, image size 9550, resolution 11808 x 11808 px/m	0.5982273201251304
RT_BITMAP	0x328dc	0x2576	Device independent bitmap graphic, 102 x 31 x 24, image size 9550, resolution 11808 x 11808 px/m	0.34254431699687177
RT_BITMAP	0x34e54	0x10aa	Device independent bitmap graphic, 64 x 22 x 24, image size 4226, resolution 3779 x 3779 px/m	0.28504453820909514
RT_BITMAP	0x35f00	0x10aa	Device independent bitmap graphic, 64 x 22 x 24, image size 4226, resolution 3779 x 3779 px/m	0.3295827473042663
RT_BITMAP	0x36fac	0x10aa	Device independent bitmap graphic, 64 x 22 x 24, image size 4226, resolution 3779 x 3779 px/m	0.2222222222222222
RT_BITMAP	0x38058	0x1fed6	Device independent bitmap graphic, 270 x 161 x 24, image size 130734, resolution 2834 x 2834 px/m	0.0772018902840014
RT_BITMAP	0x57f30	0x7ec1c	Device independent bitmap graphic, 395 x 437 x 24, image size 0, resolution 2835 x 2835 px/m	0.27483647793896715
RT_ICON	0xd6b4c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.21265560165975103
RT_DIALOG	0xd90f4	0x2ac	data	0.5014619883040936
RT_DIALOG	0xd93a0	0xd8	dBase III DBT, next free block index 4294901761	0.5879629629629629
RT_DIALOG	0xd9478	0xbc	data	0.7606382978723404
RT_STRING	0xd9534	0x204	data	0.4903100775193798
RT_STRING	0xd9738	0x290	data	0.44359756097560976
RT_STRING	0xd99c8	0x2fc	data	0.38089005235602097
RT_STRING	0xd9cc4	0xc4	data	0.4387755102040816
RT_RCDATA	0xd9d88	0x1d0	data	0.6745689655172413
RT_RCDATA	0xd9f58	0x490	data	0.10702054794520548
RT_RCDATA	0xda3e8	0x100	data	0.46484375
RT_RCDATA	0xda4e8	0x220	data	0.34191176470588236
RT_RCDATA	0xda708	0xa0	data	0.575
RT_RCDATA	0xda7a8	0xc0	data	0.84375
RT_RCDATA	0xda868	0x750	data	0.18856837606837606
RT_RCDATA	0xdafb8	0x7927	data	0.4366274383362889
RT_RCDATA	0xe28e0	0x2605	data	0.657864995376554
RT_RCDATA	0xe4ee8	0x30	data	0.3333333333333333
RT_RCDATA	0xe4f18	0x8	ISO-8859 text, with no line terminators	1.5
RT_RCDATA	0xe4f20	0x20	data	0.65625
RT_RCDATA	0xe4f40	0xa0	data	0.10625
RT_GROUP_CURSOR	0xe4fe0	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_ICON	0xe4ff4	0x14	data	1.15

Imports

DLL	Import
user32.dll	ShowWindow, SetWindowTextA, SetWindowRgn, SetWindowPos, TrackPopupMenu, SetTimer, SetFocus, SetDlgItemTextA, SetClassLongA, UpdateWindow, SetWindowLongA, SetCapture, SendMessageA, ReleaseCapture, RegisterClassExA, RedrawWindow, PtInRect, OffsetRect, MessageBoxA, LoadStringA, LoadIconA, LoadCursorA, LoadBitmapA, IsDlgButtonChecked, InvalidateRect, IntersectRect, GetWindowRect, GetWindowLongA, GetSystemMetrics, CloseClipboard, EmptyClipboard, OpenClipboard, SetClipboardData, GetClientRect, MoveWindow, GetSysColor, GetParent, GetKeyState, GetDlgItemTextA, GetDlgItem, GetDlgCtrlID, GetDC, GetCursorPos, GetCapture, GetActiveWindow, EndDialog, EnableWindow, DrawTextA, DialogBoxParamA, DefWindowProcA, CreateWindowExA, CreatePopupMenu, CheckDlgButton, CallWindowProcA, AppendMenuA
kernel32.dll	FindFirstFileA, GetStdHandle, WriteFile, FlushFileBuffers, CompareStringA, CreateDirectoryA, GlobalAlloc, GlobalLock, GlobalUnlock, FindClose, lstrlenW, lstrlenA, lstrcpyA, lstrcmpiA, lstrcmpA, lstrcatA, WideCharToMultiByte, WaitForSingleObject, VirtualFree, VirtualAlloc, UnmapViewOfFile, CloseHandle, CopyFileA, CreateFileA, CreateFileMappingA, CreateProcessA, CreateThread, DeleteFileA, ExpandEnvironmentStringsA, FindResourceA, FreeLibrary, GetCommandLineA, GetCurrentDirectoryA, GetFileAttributesA, GetFileSize, GetFileTime, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, GetSystemInfo, GetTempPathA, GetVersionExA, LoadLibraryA, LoadResource, MapViewOfFile, MoveFileA, MultiByteToWideChar, RtlMoveMemory, RtlZeroMemory, SetCurrentDirectoryA, SetEndOfFile, SetEnvironmentVariableA, SetFileAttributesA, SetFilePointer, SetFileTime, SizeofResource, Sleep
shell32.dll	ShellExecuteA, ShellExecuteExA
gdi32.dll	BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, CreateDIBSection, CreateFontIndirectA, CreateSolidBrush, ExtCreateRegion, GetStockObject, GetTextExtentPointA, AddFontResourceA, TextOutA, SetTextColor, SetBkMode, SetBkColor, SelectObject, RoundRect, RemoveFontResourceA
advapi32.dll	RegSetValueExA, RegDeleteValueA, RegCreateKeyExA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
comdlg32.dll	GetOpenFileNameA, GetSaveFileNameA

Exports

Name	Ordinal	Address
AddMsg	1	0x100022c0
CloseFileMapping	2	0x100028d8
CloseFileMapping_readonly	3	0x100029c2
GetPatcherWindowHandle	4	0x1000210f
GetPluginDataMemory	5	0x10002120
GetRegDword	6	0x10006fa0
GetRegString	7	0x10006f00
LoadFileMapping	8	0x10002463
Reg_Delete_Value	9	0x1000a6f0
SearchAndReplace	10	0x10006740
SetRegDword	11	0x1000a740
SetRegString	12	0x1000a7a0
load_patcher	13	0x10002109
write_disk_file	14	0x10006d4c

Target ID:	0
Start time:	15:40:15
Start date:	18/03/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\dup2patcher.dll"
Imagebase:	0xae0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:40:15
Start date:	18/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	15:40:15
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:40:15
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\dup2patcher.dll,AddMsg
Imagebase:	0x150000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:40:15
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",#1
Imagebase:	0x150000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:40:16
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7536 -s 628
Imagebase:	0xf70000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:40:16
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 616
Imagebase:	0xf70000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:40:18
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\dup2patcher.dll,CloseFileMapping
Imagebase:	0x150000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:40:21
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\dup2patcher.dll,CloseFileMapping_readonly
Imagebase:	0x150000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:40:24
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",AddMsg
Imagebase:	0x150000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:40:24
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",CloseFileMapping
Imagebase:	0x150000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:40:24
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",CloseFileMapping_readonly
Imagebase:	0x150000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:40:24
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",write_disk_file
Imagebase:	0x150000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:40:24
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",load_patcher
Imagebase:	0x150000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	15:40:24
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",SetRegString
Imagebase:	0x150000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	15:40:24
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",SetRegDword
Imagebase:	0x150000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	15:40:24
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",SearchAndReplace
Imagebase:	0x150000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	15:40:25
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",Reg_Delete_Value
Imagebase:	0x150000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	15:40:25
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",LoadFileMapping
Imagebase:	0x150000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	15:40:25
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",GetRegString
Imagebase:	0x150000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	15:40:25
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",GetRegDword
Imagebase:	0x150000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	15:40:25
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",GetPluginDataMemory
Imagebase:	0x150000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	15:40:25
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\dup2patcher.dll",GetPatcherWindowHandle
Imagebase:	0x150000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	15:40:25
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7936 -s 624
Imagebase:	0xf70000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	15:40:25
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7960 -s 624
Imagebase:	0xf70000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.1%
Total number of Nodes:	1274
Total number of Limit Nodes:	1

Executed Functions

Function 6CD722C0 Relevance: 4.5, APIs: 3, Instructions: 29
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32(00000000,00000180,00000000,?), ref: 6CD722D9
SendMessageA.USER32(00000000,0000018B,00000000,00000000), ref: 6CD722E8
SendMessageA.USER32(00000000,00000186,-00000001,00000000), ref: 6CD722F7

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 34e47b354545ae9a3fdeeae0527d3bf82e8d68242a8fd1481cc1b122840a3c29
Instruction ID: db469720e09ed688d6dc72ff879014ed0e5b5a37601849d4b3ab6700d5835c74
Opcode Fuzzy Hash: 34e47b354545ae9a3fdeeae0527d3bf82e8d68242a8fd1481cc1b122840a3c29
Instruction Fuzzy Hash: E4E04F3128162575F93367508C43FDE65995B02B48F208120FA01B9AF0EBF0660B96FD

Uniqueness

Uniqueness Score: -1.00%

Function 6CD76D14 Relevance: 3.0, APIs: 2, Instructions: 19
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F5), ref: 6CD76D1C
WriteFile.KERNEL32(?,?,?,?,00000000,?,000000F5), ref: 6CD76D3E

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: FileHandleWrite
String ID:
API String ID: 3320372497-0
Opcode ID: d844ca47285880180042dfa4e4d52d8a159a6f81d82256ef4095a53a5612f731
Instruction ID: b85f6b300411115457988cd7cab79f02376f76562ebcc90eee0fd9811a0fbe7a
Opcode Fuzzy Hash: d844ca47285880180042dfa4e4d52d8a159a6f81d82256ef4095a53a5612f731
Instruction Fuzzy Hash: A9E0B67181010DBBDF119FA4CC41DDDBBB9EB00228F108265AA24A66B0EB319B559BA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6CD75AFE Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 36libraryloaderstringCOMMON

Download Yara Rule

APIs

Part of subcall function 6CD7149B: FindResourceA.KERNEL32(?,6CD71479,0000000A), ref: 6CD714B1

GetTempPathA.KERNEL32(00000400,6CD8223D,PCRE_DLL,6CD72FD7,0000000B,6CD8463D,00000400,0000006F,?), ref: 6CD75B23
lstrcatA.KERNEL32(6CD8223D,\pcre.dll,00000400,6CD8223D,PCRE_DLL,6CD72FD7,0000000B,6CD8463D,00000400,0000006F,?), ref: 6CD75B32

Part of subcall function 6CD76D4C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 6CD76D67

LoadLibraryA.KERNEL32(6CD8223D,6CD8223D,00000000,6CD8223D,\pcre.dll,00000400,6CD8223D,PCRE_DLL,6CD72FD7,0000000B,6CD8463D,00000400,0000006F,?), ref: 6CD75B4D
GetProcAddress.KERNEL32(pcre_compile,6CD8223D), ref: 6CD75B66
GetProcAddress.KERNEL32(pcre_exec,pcre_compile), ref: 6CD75B7B
GetProcAddress.KERNEL32(pcre_copy_substring,pcre_exec), ref: 6CD75B90

Strings

pcre_compile, xrefs: 6CD75B5B
PCRE_DLL, xrefs: 6CD75AFF
pcre_copy_substring, xrefs: 6CD75B85
\pcre.dll, xrefs: 6CD75B28
pcre_exec, xrefs: 6CD75B70

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: AddressProc$CreateFileFindLibraryLoadPathResourceTemplstrcat
String ID: PCRE_DLL$\pcre.dll$pcre_compile$pcre_copy_substring$pcre_exec
API String ID: 4288541509-2867501554
Opcode ID: 455b9bf8748a29fcfd723ce58b357d0dc9b1eccb16a59e5e41bb5e917fde6ab7
Instruction ID: b02cd93f414d4caa3d203198e38ac6c3936634094426a2cc10f493da1ae4aa85
Opcode Fuzzy Hash: 455b9bf8748a29fcfd723ce58b357d0dc9b1eccb16a59e5e41bb5e917fde6ab7
Instruction Fuzzy Hash: 1CF0BD70712150A9FE316B618C5CF7E3E7AEB03B1C3500A25A601A9E70FB714A1EDA31

Uniqueness

Uniqueness Score: -1.00%

Function 6CD74616 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 124fileCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,00000001,?,?), ref: 6CD7462A
CreateFileA.KERNEL32(6CD7D911,C0000000,00000002,00000000,00000003,00000082,00000000,?,00000001,?,?), ref: 6CD7465A
GetFileSize.KERNEL32(?,?,6CD7D911,C0000000,00000002,00000000,00000003,00000082,00000000,?,00000001,?,?), ref: 6CD74672
CreateFileMappingA.KERNEL32(?,00000000,00000004,00000000,00000000,00000000), ref: 6CD74687
CloseHandle.KERNEL32(?,?,00000000,00000004,00000000,00000000,00000000,?,?,6CD7D911,C0000000,00000002,00000000,00000003,00000082,00000000), ref: 6CD74780

Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000180,00000000,?), ref: 6CD722D9
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,0000018B,00000000,00000000), ref: 6CD722E8
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000186,-00000001,00000000), ref: 6CD722F7

MapViewOfFile.KERNEL32(?,00000002,?,?,?,?,?,00000000,00000004,00000000,00000000,00000000,?,?,6CD7D911,C0000000), ref: 6CD746D0
UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000002,?,?,?,?,?), ref: 6CD74728
CloseHandle.KERNEL32(?,?,00000002,?,?,?,?,?,00000000,00000004,00000000,00000000,00000000,?,?,6CD7D911), ref: 6CD74778

Strings

trying large file patchmode, xrefs: 6CD74697

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: File$MessageSend$CloseCreateHandleView$InfoMappingSizeSystemUnmap
String ID: trying large file patchmode
API String ID: 3390188210-199533899
Opcode ID: 4ca2900b68604bcc9cd2eff4a05b567fb5a9f58ae55ece0a18f2e9382f4e3b7a
Instruction ID: 3cf48be314391ba75a3bbe730e357d52e78b65230f81b5ca673bffaf56c8e683
Opcode Fuzzy Hash: 4ca2900b68604bcc9cd2eff4a05b567fb5a9f58ae55ece0a18f2e9382f4e3b7a
Instruction Fuzzy Hash: F941F575D00208EFDF22DF94DC81BDEBBB5EF45318F20812AE111A6AA4E7746956CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6CD771E0 Relevance: 13.5, APIs: 9, Instructions: 45clipboardstringmemoryCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 6CD771F3
OpenClipboard.USER32(00000000), ref: 6CD77200
GlobalAlloc.KERNEL32(00002042,00000000,?), ref: 6CD77213
GlobalLock.KERNEL32(00000000,00002042,00000000,?), ref: 6CD7721F
lstrcpyA.KERNEL32(00000000,?,00000000,00002042,00000000,?), ref: 6CD7722C
EmptyClipboard.USER32 ref: 6CD77231
GlobalUnlock.KERNEL32(00000000,00000000,?,00000000,00002042,00000000,?), ref: 6CD7723C
SetClipboardData.USER32(00000001,00000000), ref: 6CD77244
CloseClipboard.USER32 ref: 6CD77249

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenUnlocklstrcpylstrlen
String ID:
API String ID: 3593921032-0
Opcode ID: f65672604a2f745d15c385fb6336e8c6269afb21dd57a671da69c886c963b2d9
Instruction ID: a4cf7d7743e9f1e590b877d89fa2f383462f7d04a30dc05f0a1870a15c707018
Opcode Fuzzy Hash: f65672604a2f745d15c385fb6336e8c6269afb21dd57a671da69c886c963b2d9
Instruction Fuzzy Hash: 2FF0F030B15625B5E63223B10C81EBF28588B0376CF312911F868EABB1EFB4CD0941B2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD76FA0 Relevance: 6.0, APIs: 4, Instructions: 45registryCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?), ref: 6CD76FC0
RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,?), ref: 6CD76FF7
RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000001,?), ref: 6CD77022
RegCloseKey.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,?,00000000,00000001,?), ref: 6CD7702B

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: CloseOpenQueryValueVersion
String ID:
API String ID: 2996790148-0
Opcode ID: 487ece90361f513cc7b554e11134285546270502a32006d15a53591e74668c87
Instruction ID: 3130e1b64ebccfb29ebe90b134d9b9cdfcbe3e362581b6cb25ea7bc2f26d0791
Opcode Fuzzy Hash: 487ece90361f513cc7b554e11134285546270502a32006d15a53591e74668c87
Instruction Fuzzy Hash: 2801E97191010CEADF208F50CC55BEEBBB9EB05348F1041A9E608A66B0E775DA99DB72

Uniqueness

Uniqueness Score: -1.00%

Function 6CD7149B Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,6CD71479,0000000A), ref: 6CD714B1
SizeofResource.KERNEL32(?,00000000,00000000), ref: 6CD714C1
LoadResource.KERNEL32(?,?,00000000,00000000), ref: 6CD714D0

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: Resource$FindLoadSizeof
String ID:
API String ID: 507330600-0
Opcode ID: d8e4b73a5bfb510792406dba8f2724ca2424b7e3c8f9277ee175758128bdd159
Instruction ID: b91d381acd28c19e95d8410a81d80f9fa3cb5bb0a0a2c6b04b48a61b8bae09ef
Opcode Fuzzy Hash: d8e4b73a5bfb510792406dba8f2724ca2424b7e3c8f9277ee175758128bdd159
Instruction Fuzzy Hash: EEF03070604208FADF219F61CD119AD7EB8EB0235CF208265B959E5970E7B0DA219771

Uniqueness

Uniqueness Score: -1.00%

Function 6CD76CE0 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?), ref: 6CD76CF3
FindClose.KERNEL32(00000000,?,?), ref: 6CD76D05

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 979f0add1b60af9980b8b1f71a2e6074693626d1f880305a576188f58626c3e1
Instruction ID: 94e131d4a43d18af69be7f2e3f24b0f423b99f12af985e5e7152074dea448ab7
Opcode Fuzzy Hash: 979f0add1b60af9980b8b1f71a2e6074693626d1f880305a576188f58626c3e1
Instruction Fuzzy Hash: C0D05E7041050996CA3097789C46CCD72AC5B01338F100351B638D66F0EB34DA958A75

Uniqueness

Uniqueness Score: -1.00%

Function 6CD777A9 Relevance: .7, Instructions: 699COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a388c1f502f5394a2f541948c2e2502fa1042dc7c5ef02c15fa016b34946817
Instruction ID: 8a6dafdffa3c077ff3c0cbde84db1831ee3d711357ca6056b575aaf447a71850
Opcode Fuzzy Hash: 1a388c1f502f5394a2f541948c2e2502fa1042dc7c5ef02c15fa016b34946817
Instruction Fuzzy Hash: C822FD8913BFB918FBC3E4258694E33D1C5AF9D04FA044D394A11EA594AF3FA68F2134

Uniqueness

Uniqueness Score: -1.00%

Function 6CD79762 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7921d1ff2892ff33cd6d0eff7bfd4627521c2d1a2fc7140d5f4624dbbc4ab670
Instruction ID: 1251d6f86ba852e53deb63b98707d606c20b496caad61297459ee3c8e66f7ecc
Opcode Fuzzy Hash: 7921d1ff2892ff33cd6d0eff7bfd4627521c2d1a2fc7140d5f4624dbbc4ab670
Instruction Fuzzy Hash: 1A22E7377A5A1F0AE7689D69CCC63B87297EBC1709F6EC3398404C6EC9E57E824E5110

Uniqueness

Uniqueness Score: -1.00%

Function 6CD79FA0 Relevance: .5, Instructions: 510COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca87fc29cf3c940f8b93fff332ec96a9ab3ca4d3fac94f6b1c79f34f08dc1db
Instruction ID: 7441a51b013e88ad67d1cf10f9ba563122ebb3a0b5cccaf550fddceb4574c2cb
Opcode Fuzzy Hash: eca87fc29cf3c940f8b93fff332ec96a9ab3ca4d3fac94f6b1c79f34f08dc1db
Instruction Fuzzy Hash: 2A02407398560B4BEB1CCD26CCC1AD57393B7D42A871BD27C9829C7644EE7CE64B8640

Uniqueness

Uniqueness Score: -1.00%

Function 6CD768D3 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15a1cd23abbcb8dc1570f1c80baec6ab94aad62574a5b7e492d7337cf3acec0
Instruction ID: 34ac5e3880105066b88f1e16d13756d00954caf3823d96d5fbf8ab9bdbf23c6a
Opcode Fuzzy Hash: f15a1cd23abbcb8dc1570f1c80baec6ab94aad62574a5b7e492d7337cf3acec0
Instruction Fuzzy Hash: 61117936504601CFD731DB25C950AEEB7F8AF41708F698969D4D6E3E20F334AA96C760

Uniqueness

Uniqueness Score: -1.00%

Function 6CD767DE Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761b5e175e292ec1bb657823413b4652a7c9bc98c229b0e9673dc1eddbf72874
Instruction ID: 86c1b4849cf05606dd644e77457a4400b7c02d76e8771ea65641cc22be9b581c
Opcode Fuzzy Hash: 761b5e175e292ec1bb657823413b4652a7c9bc98c229b0e9673dc1eddbf72874
Instruction Fuzzy Hash: BFC00277051440EEEE4F0B00E91A9A0BB26E708635734448EE005444A2ABB76823E900

Uniqueness

Uniqueness Score: -1.00%

Function 6CD767F8 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ad59243ed67fd5ebd3e5a5964d2427436f1d77b68934569e614c548b996b07
Instruction ID: d88deb7aae4bc3267eef166ebb9a50d9359ae9dcda92f38d610eaaa2bea61a9a
Opcode Fuzzy Hash: d5ad59243ed67fd5ebd3e5a5964d2427436f1d77b68934569e614c548b996b07
Instruction Fuzzy Hash: 3FA01273011440DDEA0B0700E915A907725E304531F34044EE0064085097571821E400

Uniqueness

Uniqueness Score: -1.00%

Function 6CD75B9C Relevance: 80.8, APIs: 42, Strings: 4, Instructions: 342
stringprocessfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsA.KERNEL32(?,?,00000400,00000001,?,00000000,?,6CD7636F,00000000,00000001,00000000,6CD90A45,00000400,00000184,00000000,00000000), ref: 6CD75BD3
ExpandEnvironmentStringsA.KERNEL32(?,6CD7D911,00000400,?,?,00000400,00000001,?,00000000,?,6CD7636F,00000000,00000001,00000000,6CD90A45,00000400), ref: 6CD75BE9
lstrcpyA.KERNEL32(6CD7D911,00000000,6CD7D911,?,?,6CD7D911,00000400,?,?,00000400,00000001,?,00000000,?,6CD7636F,00000000), ref: 6CD75C0D
GetModuleFileNameA.KERNEL32(00000000,?,00000400,00000000,6CD7D911,?,?,6CD7D911,00000400,?,?,00000400,00000001,?,00000000), ref: 6CD75C35
lstrcatA.KERNEL32(?,6CD7D7A9,00000000,?,00000400,00000000,6CD7D911,?,?,6CD7D911,00000400,?,?,00000400,00000001), ref: 6CD75C57
lstrcatA.KERNEL32(?,6CD7D911,00000000,?,00000400,00000000,6CD7D911,?,?,6CD7D911,00000400,?,?,00000400,00000001), ref: 6CD75C64
lstrcpyA.KERNEL32(6CD7D911,?,?,6CD7D911,00000000,?,00000400,00000000,6CD7D911,?,?,6CD7D911,00000400,?,?,00000400), ref: 6CD75C71
LoadStringA.USER32(00000005,6CD8E645,00000400,00000000), ref: 6CD75C88
lstrcpyA.KERNEL32(?,6CD7D911,00000005,6CD8E645,00000400,00000000,6CD7D911,?,?,6CD7D911,00000400,?,?,00000400,00000001), ref: 6CD75CBC
GetFileAttributesA.KERNEL32(6CD7D911,00000005,6CD8E645,00000400,00000000,6CD7D911,?,?,6CD7D911,00000400,?,?,00000400,00000001,?,00000000), ref: 6CD75CFD
LoadStringA.USER32(00000029,6CD8EA45,00000400,6CD7D911), ref: 6CD75D31
MessageBoxA.USER32(6CD8EA45,6CD7D911,00000024,00000029), ref: 6CD75D44
SetFileAttributesA.KERNEL32(6CD7D911,00000080,6CD7D911,00000005,6CD8E645,00000400,00000000,6CD7D911,?,?,6CD7D911,00000400,?,?,00000400,00000001), ref: 6CD75D75
LoadStringA.USER32(0000002A,6CD8EE45,00000400,6CD7D911), ref: 6CD75D8C

Part of subcall function 6CD740CF: GetModuleHandleA.KERNEL32(kernel32.dll,6CD74F4B), ref: 6CD740D4
Part of subcall function 6CD740CF: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 6CD740DF

LoadStringA.USER32(0000002B,6CD8F245,00000400,6CD7D911), ref: 6CD75DAF
lstrcpyA.KERNEL32(?,6CD7D911,6CD7D911,00000005,6CD8E645,00000400,00000000,6CD7D911,?,?,6CD7D911,00000400,?,?,00000400,00000001), ref: 6CD75DD7
GetFileAttributesA.KERNEL32(6CD7D911,6CD7D911,00000000,00000000,6CD7D911,00000005,6CD8E645,00000400,00000000,6CD7D911,?,?,6CD7D911,00000400,?,?), ref: 6CD75E09
LoadStringA.USER32(0000002B,6CD8F645,00000400,6CD7D911), ref: 6CD75E29
SetFileAttributesA.KERNEL32(6CD7D911,00000000,6CD7D911,00000000,00000000,6CD7D911,00000005,6CD8E645,00000400,00000000,6CD7D911,?,?,6CD7D911,00000400,?), ref: 6CD75E46
LoadStringA.USER32(0000002C,6CD8FA45,00000400,6CD7D911), ref: 6CD75E62

Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000180,00000000,?), ref: 6CD722D9
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,0000018B,00000000,00000000), ref: 6CD722E8
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000186,-00000001,00000000), ref: 6CD722F7

LoadStringA.USER32(0000002D,6CD8FE45,00000400,6CD7D911), ref: 6CD75E90
lstrcpyA.KERNEL32(?,6CD7D911,0000002D,6CD8FE45,00000400,6CD7D911,00000000,00000000,6CD7D911,00000005,6CD8E645,00000400,00000000,6CD7D911,?,?), ref: 6CD75EAD
SetCurrentDirectoryA.KERNEL32(?,?,6CD7D911,0000002D,6CD8FE45,00000400,6CD7D911,00000000,00000000,6CD7D911,00000005,6CD8E645,00000400,00000000,6CD7D911,?), ref: 6CD75EC5
ExpandEnvironmentStringsA.KERNEL32(6CD7D932,?,00000400,0000002D,6CD8FE45,00000400,6CD7D911,00000000,00000000,6CD7D911,00000005,6CD8E645,00000400,00000000,6CD7D911,?), ref: 6CD75EE3
RtlZeroMemory.KERNEL32(?,00000044,6CD7D932,?,00000400,0000002D,6CD8FE45,00000400,6CD7D911,00000000,00000000,6CD7D911,00000005,6CD8E645,00000400,00000000), ref: 6CD75F04
RtlZeroMemory.KERNEL32(?,00000010,?,00000044,6CD7D932,?,00000400,0000002D,6CD8FE45,00000400,6CD7D911,00000000,00000000,6CD7D911,00000005,6CD8E645), ref: 6CD75F12
lstrcpyA.KERNEL32(?,6CD7D7BC,?,00000010,?,00000044,6CD7D932,?,00000400,0000002D,6CD8FE45,00000400,6CD7D911,00000000,00000000,6CD7D911), ref: 6CD75F23
GetCurrentDirectoryA.KERNEL32(00000400,?,?,6CD7D7BC,?,00000010,?,00000044,6CD7D932,?,00000400,0000002D,6CD8FE45,00000400,6CD7D911,00000000), ref: 6CD75F3A
lstrcatA.KERNEL32(?,?,00000400,?,?,6CD7D7BC,?,00000010,?,00000044,6CD7D932,?,00000400,0000002D,6CD8FE45,00000400), ref: 6CD75F4D
lstrcatA.KERNEL32(?,6CD7D7C0,?,?,00000400,?,?,6CD7D7BC,?,00000010,?,00000044,6CD7D932,?,00000400,0000002D), ref: 6CD75F5E
lstrcatA.KERNEL32(?,6CD7D911,?,6CD7D7BC,?,00000010,?,00000044,6CD7D932,?,00000400,0000002D,6CD8FE45,00000400,6CD7D911,00000000), ref: 6CD75F6B
lstrcatA.KERNEL32(?,6CD7D7C2,?,6CD7D911,?,6CD7D7BC,?,00000010,?,00000044,6CD7D932,?,00000400,0000002D,6CD8FE45,00000400), ref: 6CD75F7C
lstrcatA.KERNEL32(?,?,?,6CD7D7C2,?,6CD7D911,?,6CD7D7BC,?,00000010,?,00000044,6CD7D932,?,00000400,0000002D), ref: 6CD75F89
CreateProcessA.KERNEL32(6CD7D911,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,6CD7D7C2,?,6CD7D911), ref: 6CD75FB0
WaitForSingleObject.KERNEL32(?,000000FF,6CD7D911,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,6CD7D7C2), ref: 6CD75FBD
ShellExecuteA.SHELL32(00000000,open,6CD7D911,?,00000000,0000000A), ref: 6CD75FD1
LoadStringA.USER32(0000002E,6CD90245,00000400,00000000), ref: 6CD75FF1
DeleteFileA.KERNEL32(6CD7D911,0000002E,6CD90245,00000400,00000000,open,6CD7D911,?,00000000,0000000A,6CD7D932,?,00000400,0000002D,6CD8FE45,00000400), ref: 6CD76001
LoadStringA.USER32(0000002F,6CD90645,00000400,6CD7D911), ref: 6CD76018
SetEnvironmentVariableA.KERNEL32(dup2_last_file,6CD7D911,00000005,6CD8E645,00000400,00000000,6CD7D911,?,?,6CD7D911,00000400,?,?,00000400,00000001), ref: 6CD76042
lstrcpyA.KERNEL32(?,6CD7D911,dup2_last_file,6CD7D911,00000005,6CD8E645,00000400,00000000,6CD7D911,?,?,6CD7D911,00000400,?,?,00000400), ref: 6CD7604F
SetEnvironmentVariableA.KERNEL32(dup2_last_path,?,?,6CD7D911,dup2_last_file,6CD7D911,00000005,6CD8E645,00000400,00000000,6CD7D911,?,?,6CD7D911,00000400,?), ref: 6CD7606C

Part of subcall function 6CD76EA0: lstrlenA.KERNEL32(?), ref: 6CD76EAA

Strings

dup2_last_file, xrefs: 6CD7603D
All Files, xrefs: 6CD75CE1
dup2_last_path, xrefs: 6CD76067
open, xrefs: 6CD75FCA

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: LoadString$lstrcatlstrcpy$File$Environment$AttributesMessage$ExpandSendStrings$CurrentDirectoryMemoryModuleVariableZero$AddressCreateDeleteExecuteHandleNameObjectProcProcessShellSingleWaitlstrlen
String ID: All Files$dup2_last_file$dup2_last_path$open
API String ID: 3369982232-2561620864
Opcode ID: 6a4b8e9c8e3354ecb7feb0ca973ada832ff11d8a171b60aae37ada4fe36d8921
Instruction ID: 50184f8dd6b2d587d00abe946814f60ea59b56729c01b59ab43448d0cbf4c451
Opcode Fuzzy Hash: 6a4b8e9c8e3354ecb7feb0ca973ada832ff11d8a171b60aae37ada4fe36d8921
Instruction Fuzzy Hash: 5DC19DB5944658B9EB319B608C89FEF73AC9B0630CF014996A314F1DF0F774964E8A36

Uniqueness

Uniqueness Score: -1.00%

Function 6CD72DC9 Relevance: 77.3, APIs: 34, Strings: 10, Instructions: 323
windowstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(0000006F,?), ref: 6CD72DFB
GetDlgItem.USER32(0000006A,0000006F), ref: 6CD72E0D

Part of subcall function 6CD72AD8: LoadCursorA.USER32(00000001), ref: 6CD72AE3
Part of subcall function 6CD72AD8: SetClassLongA.USER32(?,000000F4,00000000), ref: 6CD72AF2

LoadStringA.USER32(0000000B,6CD8463D,00000400,0000006F), ref: 6CD72E34
lstrcpyA.KERNEL32(6CD7D8E2,Courier New,0000000B,6CD8463D,00000400,0000006F,?), ref: 6CD72E78
CreateFontIndirectA.GDI32(6CD7D8C6), ref: 6CD72E96
SendMessageA.USER32(00000030,00000000,00000001,6CD7D8C6), ref: 6CD72EA6
LoadIconA.USER32(00000000,000001F4), ref: 6CD72EB2
SendMessageA.USER32(00000080,00000001,00000000,0000000B), ref: 6CD72EC5
SetWindowTextA.USER32(00000000,00000000), ref: 6CD72EF8
SetDlgItemTextA.USER32(00000000,00000065,00000000), ref: 6CD72F09
SetDlgItemTextA.USER32(00000000,00000066,00000000), ref: 6CD72F1A
SetDlgItemTextA.USER32(00000000,00000067,00000000), ref: 6CD72F30
SetDlgItemTextA.USER32(00000000,00000068,00000000), ref: 6CD72F41
SetDlgItemTextA.USER32(00000000,0000006A,00000000), ref: 6CD72F52
SetDlgItemTextA.USER32(00000000,00000069,00000000), ref: 6CD72F63
CheckDlgButton.USER32(0000006B,00000001,00000001), ref: 6CD72F86
ShowWindow.USER32(00000000,00000000,0000000B,6CD8463D,00000400,0000006F,?), ref: 6CD72FA8
GetDlgItem.USER32(00000067,6CD8463D), ref: 6CD73089
SetWindowLongA.USER32(000000FC,6CD72B40,00000067), ref: 6CD730A0
GetDlgItem.USER32(?,0000006A), ref: 6CD730B8
SetWindowLongA.USER32(00000000,000000FC,6CD72CF0), ref: 6CD730C5
GetDlgItem.USER32(?,0000006F), ref: 6CD730DD
SetWindowLongA.USER32(00000000,000000FC,6CD72CF0), ref: 6CD730EA
CreatePopupMenu.USER32 ref: 6CD7317A
LoadStringA.USER32(0000000E,6CD84A3D,00000400,0000006F), ref: 6CD73198
AppendMenuA.USER32(00000000,00000000,000000C9,6CD84A3D), ref: 6CD731AA
LoadStringA.USER32(0000000F,6CD84E3D,00000400,0000000E), ref: 6CD731C1
AppendMenuA.USER32(00000000,00000000,000000CA,6CD84E3D), ref: 6CD731D3
LoadCursorA.USER32(00000002,00000000), ref: 6CD731E0
SetClassLongA.USER32(000000F4,00000000,00000002), ref: 6CD731F4
GetDlgItem.USER32(0000006C,000000F4), ref: 6CD73201
SetClassLongA.USER32(00000000,000000F4,00000000), ref: 6CD7320A
SetTimer.USER32(?,00000000,?,00000000), ref: 6CD7323D
SetFocus.USER32(00000000,000000CA,6CD84E3D,0000000F,6CD84E3D,00000400,0000000E,6CD84A3D,00000400,0000006F,?), ref: 6CD73282

Strings

BTN_EXIT_DOWN, xrefs: 6CD7313E
BTN_ABOUT_UP, xrefs: 6CD73124
BTN_ABOUT_OVER, xrefs: 6CD7311A
BTN_EXIT_UP, xrefs: 6CD73143
BTN_PATCH_OVER, xrefs: 6CD730F6
BTN_PATCH_DOWN, xrefs: 6CD730FB
Courier New, xrefs: 6CD72E6E
BTN_PATCH_UP, xrefs: 6CD73100
BTN_EXIT_OVER, xrefs: 6CD73139
BTN_ABOUT_DOWN, xrefs: 6CD7311F

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: Item$Text$LoadLong$Window$ClassMenuString$AppendCreateCursorMessageSend$ButtonCheckFocusFontIconIndirectPopupShowTimerlstrcpy
String ID: BTN_ABOUT_DOWN$BTN_ABOUT_OVER$BTN_ABOUT_UP$BTN_EXIT_DOWN$BTN_EXIT_OVER$BTN_EXIT_UP$BTN_PATCH_DOWN$BTN_PATCH_OVER$BTN_PATCH_UP$Courier New
API String ID: 131015904-1397710211
Opcode ID: 66039db3726ec54f9417478ad8890243dbb15a37e1ef9ae93c29234bcf714975
Instruction ID: 02a0c1a20c8d9e154e4a9f3deea6ec0a965848f991d902eccbbc9751b1cfe7f3
Opcode Fuzzy Hash: 66039db3726ec54f9417478ad8890243dbb15a37e1ef9ae93c29234bcf714975
Instruction Fuzzy Hash: A7B18130781660FEFF336B24CC46F9A7ABAAB4271CF004515B354B9AF0E7B2441A9675

Uniqueness

Uniqueness Score: -1.00%

Function 6CD72463 Relevance: 66.8, APIs: 33, Strings: 5, Instructions: 301
stringfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsA.KERNEL32(?,?,00000400), ref: 6CD7248D
ExpandEnvironmentStringsA.KERNEL32(?,6CD7D911,00000400,?,?,00000400), ref: 6CD724A3
lstrcpyA.KERNEL32(6CD7D911,00000000,6CD7D911,?,6CD7D911,00000400,?,?,00000400), ref: 6CD724C4
GetModuleFileNameA.KERNEL32(00000000,?,00000400,6CD7D911,00000000,6CD7D911,?,6CD7D911,00000400,?,?,00000400), ref: 6CD724F2
lstrcpyA.KERNEL32(?,6CD7E95F,6CD7D911,00000000,6CD7D911,?,6CD7D911,00000400,?,?,00000400), ref: 6CD72511
lstrcatA.KERNEL32(?,6CD7D11A,?,6CD7E95F,6CD7D911,00000000,6CD7D911,?,6CD7D911,00000400,?,?,00000400), ref: 6CD72527
lstrcatA.KERNEL32(?,6CD7D911,?,6CD7E95F,6CD7D911,00000000,6CD7D911,?,6CD7D911,00000400,?,?,00000400), ref: 6CD72534
lstrcpyA.KERNEL32(6CD7D911,?,?,6CD7D911,?,6CD7E95F,6CD7D911,00000000,6CD7D911,?,6CD7D911,00000400,?,?,00000400), ref: 6CD72541
LoadStringA.USER32(00000013,6CD8323D,00000400,6CD7D911), ref: 6CD72558
GetFileAttributesA.KERNEL32(6CD7D911,00000013,6CD8323D,00000400,6CD7D911,00000000,6CD7D911,?,6CD7D911,00000400,?,?,00000400), ref: 6CD72576
SetFileAttributesA.KERNEL32(6CD7D911,00000000,6CD7D911,00000013,6CD8323D,00000400,6CD83E3D,00000400,6CD7D911,6CD7D911,C0000000,00000002,00000000,00000003,00000082,00000000), ref: 6CD725A0
CreateFileA.KERNEL32(6CD7D911,80000000,00000001,00000000,00000003,00000082,00000000,6CD7D911,00000013,6CD8323D,00000400,6CD83E3D,00000400,6CD7D911,6CD7D911,C0000000), ref: 6CD725D9
CreateFileA.KERNEL32(6CD7D911,C0000000,00000002,00000000,00000003,00000082,00000000,6CD7D911,00000013,6CD8323D,00000400,6CD7D911,00000000,6CD7D911,?,6CD7D911), ref: 6CD725F7
GetFileAttributesA.KERNEL32(6CD7D911,6CD7D911,C0000000,00000002,00000000,00000003,00000082,00000000,6CD7D911,00000013,6CD8323D,00000400,6CD7D911,00000000,6CD7D911,?), ref: 6CD7260A
LoadStringA.USER32(00000010,6CD8363D,00000400,6CD7D911), ref: 6CD7264E
MessageBoxA.USER32(6CD8363D,6CD7D911,00000034,00000010), ref: 6CD72665
lstrcpyA.KERNEL32(?,6CD7D911,6CD7D911,6CD7D911,6CD7D911,80000000,00000001,00000000,00000003,00000082,00000000,6CD7D911,00000013,6CD8323D,00000400,6CD83E3D), ref: 6CD7268A
lstrcpyA.KERNEL32(?,6CD7D911,00000000,?,?,?,6CD7D911,6CD7D911,6CD7D911,6CD7D911,80000000,00000001,00000000,00000003,00000082,00000000), ref: 6CD726A1
RtlMoveMemory.KERNEL32(?,Exe Files [*.exe],0000002E,6CD7D911,00000000,?,?,?,6CD7D911,6CD7D911,6CD7D911,6CD7D911,80000000,00000001,00000000,00000003), ref: 6CD726B1
lstrcpyA.KERNEL32(?,6CD7D911,Exe Files [*.exe],0000002E,6CD7D911,00000000,?,?,?,6CD7D911,6CD7D911,6CD7D911,6CD7D911,80000000,00000001,00000000), ref: 6CD726C3
LoadStringA.USER32(00000011,6CD83A3D,00000400,6CD7D911), ref: 6CD72729
LoadStringA.USER32(00000012,6CD83E3D,00000400,6CD7D911), ref: 6CD72751
MessageBoxA.USER32(6CD83E3D,6CD7D911,00000034,00000012), ref: 6CD72768
GetFileTime.KERNEL32(6CD7F181,6CD7F189,6CD7F191,6CD7D911,C0000000,00000002,00000000,00000003,00000082,00000000,6CD7D911,00000013,6CD8323D,00000400,6CD7D911,00000000), ref: 6CD72796
GetFileSize.KERNEL32(6CD7E51D,6CD7F181,6CD7F189,6CD7F191,6CD7D911,C0000000,00000002,00000000,00000003,00000082,00000000,6CD7D911,00000013,6CD8323D,00000400,6CD7D911), ref: 6CD727A6
CreateFileMappingA.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000), ref: 6CD727FD
CreateFileMappingA.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 6CD72814
LoadStringA.USER32(00000014,6CD8423D,00000400,00000000), ref: 6CD7282F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,6CD7E51D,6CD7F181,6CD7F189,6CD7F191,6CD7D911,C0000000,00000002,00000000,00000003,00000082,00000000), ref: 6CD72857
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,6CD7E51D,6CD7F181,6CD7F189,6CD7F191,6CD7D911,C0000000,00000002,00000000,00000003,00000082,00000000), ref: 6CD72867
SetEnvironmentVariableA.KERNEL32(dup2_last_file,6CD7D911,00000000,00000002,00000000,00000000,00000000,6CD7E51D,6CD7F181,6CD7F189,6CD7F191,6CD7D911,C0000000,00000002,00000000,00000003), ref: 6CD72887
lstrcpyA.KERNEL32(?,6CD7D911,dup2_last_file,6CD7D911,00000000,00000002,00000000,00000000,00000000,6CD7E51D,6CD7F181,6CD7F189,6CD7F191,6CD7D911,C0000000,00000002), ref: 6CD72898
SetEnvironmentVariableA.KERNEL32(dup2_last_path,?,?,6CD7D911,dup2_last_file,6CD7D911,00000000,00000002,00000000,00000000,00000000,6CD7E51D,6CD7F181,6CD7F189,6CD7F191,6CD7D911), ref: 6CD728B5

Strings

dup2_last_path, xrefs: 6CD728B0
File not loaded, xrefs: 6CD728C3
Exe Files [*.exe], xrefs: 6CD726AB
Removing readonly file attribute, xrefs: 6CD725A5
dup2_last_file, xrefs: 6CD72882

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: File$lstrcpy$LoadString$CreateEnvironment$Attributes$ExpandMappingMessageStringsVariableViewlstrcat$MemoryModuleMoveNameSizeTime
String ID: Exe Files [*.exe]$File not loaded$Removing readonly file attribute$dup2_last_file$dup2_last_path
API String ID: 3117120910-276086001
Opcode ID: 010fd31c25041235b978d731935b5b453960ae787fa3cecaffc82d5ffa8109c0
Instruction ID: baa704ecea187231aae72a3a7d82ce32d4ce1c3c052fb8310783d59cfc4a7725
Opcode Fuzzy Hash: 010fd31c25041235b978d731935b5b453960ae787fa3cecaffc82d5ffa8109c0
Instruction Fuzzy Hash: 95A1D170984294F9FF319B20CC4AFDE3668AB0671CF104A16B700F9EF1EBB596498675

Uniqueness

Uniqueness Score: -1.00%

Function 6CD71BCC Relevance: 49.2, APIs: 26, Strings: 2, Instructions: 175
windowsleeplibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?), ref: 6CD71BEC
lstrlenA.KERNEL32(?,?), ref: 6CD71BF4
GetDC.USER32(?), ref: 6CD71BFE
GetDC.USER32(00000000), ref: 6CD71C08
CreateCompatibleDC.GDI32(00000000), ref: 6CD71C0E
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 6CD71C25
SelectObject.GDI32(?,?), ref: 6CD71C2E
GetTextExtentPointA.GDI32(?,?,?,?), ref: 6CD71C40
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 6CD71C63
SelectObject.GDI32(?,00000000), ref: 6CD71C6C
RtlZeroMemory.KERNEL32(?,0000002C,?,00000000,?,?,00000000,?,?), ref: 6CD71C77
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 6CD71CAF
SelectObject.GDI32(?,00000000), ref: 6CD71CB8
GetDC.USER32(00000000), ref: 6CD71CBF
CreateCompatibleDC.GDI32(00000000), ref: 6CD71CC5
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 6CD71CDE
SelectObject.GDI32(?,00000000), ref: 6CD71CE7
BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00CC0020), ref: 6CD71D07
SetBkMode.GDI32(?,00000001), ref: 6CD71D11
SetTextColor.GDI32(?,00000000), ref: 6CD71D1C
GetModuleHandleA.KERNEL32(user32.dll,?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 6CD71D26
GetProcAddress.KERNEL32(00000000,SetLayeredWindowAttributes), ref: 6CD71D31
BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 6CD71D6C
TextOutA.GDI32(?,-00000004,00000000,?,?), ref: 6CD71D7D
BitBlt.GDI32(?,?,?,00000000,00000000,?,00000000,00000000,00CC0020), ref: 6CD71DAE
Sleep.KERNEL32(0000001E,user32.dll,?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 6CD71DD7

Strings

user32.dll, xrefs: 6CD71D21
SetLayeredWindowAttributes, xrefs: 6CD71D2B

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: Create$ObjectSelect$CompatibleText$SectionSleep$AddressBitmapColorExtentHandleMemoryMessageModeModulePointProcSendZerolstrlen
String ID: SetLayeredWindowAttributes$user32.dll
API String ID: 17561160-3673630139
Opcode ID: f5f920759abe0b31c288128c6cf39fa94c5cd013286d615469fd599b08da248e
Instruction ID: 14a45308b56393beb1b082edeb279d707c87b3793f98781b0e0510e596f08feb
Opcode Fuzzy Hash: f5f920759abe0b31c288128c6cf39fa94c5cd013286d615469fd599b08da248e
Instruction Fuzzy Hash: F551D671940609FAEF319FA0CD01FEEBF76FF04704F144614A255B59B0E772A52A9B24

Uniqueness

Uniqueness Score: -1.00%

Function 6CD7498E Relevance: 47.6, APIs: 25, Strings: 2, Instructions: 380
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringA.USER32(00000006,6CD89E3D,00000400,00000001), ref: 6CD749BA

Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000180,00000000,?), ref: 6CD722D9
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,0000018B,00000000,00000000), ref: 6CD722E8
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000186,-00000001,00000000), ref: 6CD722F7

LoadStringA.USER32(0000000A,6CD8A63D,00000400,?), ref: 6CD74E95

Part of subcall function 6CD740CF: GetModuleHandleA.KERNEL32(kernel32.dll,6CD74F4B), ref: 6CD740D4
Part of subcall function 6CD740CF: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 6CD740DF

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 6CD74A2A
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,?,00001000,00000004), ref: 6CD74A41
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00001000,00000004,00000000,?,00001000,00000004), ref: 6CD74A73
LoadStringA.USER32(00000018,6CD8A23D,00000400,00000000), ref: 6CD74A8A
RtlMoveMemory.KERNEL32(?,00000000,?,00001000,00000004,00000000,?,00001000,00000004), ref: 6CD74AB1
RtlZeroMemory.KERNEL32(?,?,?,?,00000000,?,?,00000000,?,00001000,00000004,00000000,?,00001000,00000004), ref: 6CD74B00
ExpandEnvironmentStringsA.KERNEL32(?,6CD7F199,00001000,?,?,?,?,?,00000000,?,?,00000000,?,00001000,00000004,00000000), ref: 6CD74B1E
ExpandEnvironmentStringsA.KERNEL32(?,6CD80199,00001000,?,?,?,?,?,00000000,?,?,00000000,?,00001000,00000004,00000000), ref: 6CD74B4E
DialogBoxParamA.USER32(00000003,6CD758B0,?,?,?), ref: 6CD74C54
RtlMoveMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CD74CA3
RtlMoveMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CD74CBE
RtlMoveMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD74CD0
RtlMoveMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CD74CEA
RtlMoveMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD74CF7
SetFileAttributesA.KERNEL32(6CD7D911,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD74D93
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,6CD7D911,?,?,?,?,?,?,?,?,?), ref: 6CD74DC3
lstrlenW.KERNEL32(?,00000000,00000000,?,000000FF,?,?,6CD7D911,?,?,?,?,?,?,?,?), ref: 6CD74DD1
CreateFileA.KERNEL32(6CD7D911,C0000000,00000000,00000000,00000003,00000082,00000000,6CD7D911,?,?,6CD7D911,?,?,?,?,?), ref: 6CD74E29
SetFileTime.KERNEL32(6CD7F181,6CD7F189,6CD7F191,6CD7D911,C0000000,00000000,00000000,00000003,00000082,00000000,6CD7D911,?,?,6CD7D911,?,?), ref: 6CD74E4D
CloseHandle.KERNEL32(6CD7F181,6CD7F189,6CD7F191,6CD7D911,C0000000,00000000,00000000,00000003,00000082,00000000,6CD7D911,?,?,6CD7D911,?,?), ref: 6CD74E58
VirtualFree.KERNEL32(?,?,00004000,6CD7D911,?,?,6CD7D911,?,?,?,?,?,?,?,?,?), ref: 6CD74E68
VirtualFree.KERNEL32(?,?,00004000,?,?,00004000,6CD7D911,?,?,6CD7D911,?,?,?,?,?,?), ref: 6CD74E78
LoadStringA.USER32(0000000B,6CD8AA3D,00000400,?), ref: 6CD74EB7

Strings

, xrefs: 6CD74CDA
<>[]|$^!%&/\(){}=?`*+-'#.:;,@~", xrefs: 6CD74BA8, 6CD74BC3

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: Memory$Move$LoadStringVirtual$FileMessageSend$AllocByteCharEnvironmentExpandFreeHandleMultiStringsWide$AddressAttributesCloseCreateDialogModuleParamProcTimeZerolstrlen
String ID: $ <>[]|$^!%&/\(){}=?`*+-'#.:;,@~"
API String ID: 1051299063-3390012715
Opcode ID: 0d59b0d849fad365c9a3111b0048b8675fec0f55796926c84c9ab2c9c26b6f60
Instruction ID: 61867794c084d466837e0c4732a368f528b0c95497f6d067376574323a51892c
Opcode Fuzzy Hash: 0d59b0d849fad365c9a3111b0048b8675fec0f55796926c84c9ab2c9c26b6f60
Instruction Fuzzy Hash: 62E15571D01218EEEF228FA4CD41BEEBBB5AB05308F104419F650B6AB0E7715A59DF74

Uniqueness

Uniqueness Score: -1.00%

Function 6CD74126 Relevance: 47.4, APIs: 8, Strings: 19, Instructions: 133
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(6CD82199,?,?,?,6CD7210E), ref: 6CD74138
GetModuleHandleA.KERNEL32(kernel32.dll,6CD82199,?,?,?,6CD7210E), ref: 6CD74142
GetProcAddress.KERNEL32(00000000,AttachConsole), ref: 6CD7414D
GetCommandLineA.KERNEL32(00000000,AttachConsole,kernel32.dll,6CD82199,?,?,?,6CD7210E), ref: 6CD7415A

Strings

backup, xrefs: 6CD74276
startupworkdir, xrefs: 6CD7429D
diablo2oo2's universal patcher - console help, xrefs: 6CD74194
/startupworkdir <dir> : set working directory for the patcher, xrefs: 6CD74216
/help : this help menu, xrefs: 6CD741B2
kernel32.dll, xrefs: 6CD7413D
/silent : no window gui, no input, xrefs: 6CD741C6
setvar, xrefs: 6CD742D2
/help : show help menu, xrefs: 6CD7424E
during file attachment export, xrefs: 6CD741EE
overwrite, xrefs: 6CD74288
AttachConsole, xrefs: 6CD74147
/backup : make backup of every file which is patched, xrefs: 6CD74202
/setvar <content> : set content of %dup2_cmd_var%, xrefs: 6CD7422A
dup2_cmd_var, xrefs: 6CD742FA
help, xrefs: 6CD7416D
--------------------------------------------------------------------, xrefs: 6CD74180
/overwrite : overwrite existing files, xrefs: 6CD741DA
silent, xrefs: 6CD74264

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: AddressCommandHandleLineModuleProcVersion
String ID: during file attachment export$ /backup : make backup of every file which is patched$ /help : show help menu$ /help : this help menu$ /overwrite : overwrite existing files$ /setvar <content> : set content of %dup2_cmd_var%$ /silent : no window gui, no input$ /startupworkdir <dir> : set working directory for the patcher$ diablo2oo2's universal patcher - console help$--------------------------------------------------------------------$AttachConsole$backup$dup2_cmd_var$help$kernel32.dll$overwrite$setvar$silent$startupworkdir
API String ID: 919412983-4279514999
Opcode ID: 0bd160717d9f9e9ae35b668f20045cb4b0507abaf13b4ae7a2d13df308c6d71f
Instruction ID: c6503db3983b0258dbc6c75967caad03b4ffcd4955b7b4e335aaf229cd44d8f2
Opcode Fuzzy Hash: 0bd160717d9f9e9ae35b668f20045cb4b0507abaf13b4ae7a2d13df308c6d71f
Instruction Fuzzy Hash: 3731236029616674F93637B49E0AFCD1A248B4322CF260C59B214B5EB2FBB1511F45FB

Uniqueness

Uniqueness Score: -1.00%

Function 6CD72B3E Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetTextColor.GDI32(?,?), ref: 6CD72B77
SetTextColor.GDI32(?,00FF0000), ref: 6CD72B97
SetBkMode.GDI32(?,00000001), ref: 6CD72BA1
CreateSolidBrush.GDI32(?), ref: 6CD72BBE
GetStockObject.GDI32(00000005), ref: 6CD72BC7
GetSysColor.USER32(00000004), ref: 6CD72BD0
CreateSolidBrush.GDI32(00000000), ref: 6CD72BD6
GetParent.USER32(?), ref: 6CD72C02
GetActiveWindow.USER32 ref: 6CD72C09
GetCursorPos.USER32(?), ref: 6CD72C16
GetWindowRect.USER32(?,?), ref: 6CD72C22
PtInRect.USER32(?,?,?), ref: 6CD72C31
GetCapture.USER32 ref: 6CD72C3A
SetCapture.USER32(?,?,?,?), ref: 6CD72C46
InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 6CD72C5C

Strings

open, xrefs: 6CD72CAE

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: ColorRect$BrushCaptureCreateSolidTextWindow$ActiveCursorInvalidateModeObjectParentStock
String ID: open
API String ID: 1204622265-2758837156
Opcode ID: 938c9ef402978610a6b69928ea091f2e59ef751a34c3701888662c7620548000
Instruction ID: 67ae38f3d2296b203829181db76b2d459e829d5a3c49f2867be181c97ea14c0e
Opcode Fuzzy Hash: 938c9ef402978610a6b69928ea091f2e59ef751a34c3701888662c7620548000
Instruction Fuzzy Hash: 60415031644299EAEF329FA4CC85FDE3BB9AB0131CF144911F200E5AB0E771C5999775

Uniqueness

Uniqueness Score: -1.00%

Function 6CD73690 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongA.USER32(000000EC), ref: 6CD736AC
SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,000000EC), ref: 6CD736C7
SetDlgItemTextA.USER32(?,00000065,00000000), ref: 6CD736DF
EndDialog.USER32(?,00000000), ref: 6CD738AD

Strings

BTN_ABOUT_OK_UP, xrefs: 6CD73715
BTN_ABOUT_OK_DOWN, xrefs: 6CD73710
BTN_ABOUT_OK_OVER, xrefs: 6CD7370B

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: Window$DialogItemLongText
String ID: BTN_ABOUT_OK_DOWN$BTN_ABOUT_OK_OVER$BTN_ABOUT_OK_UP
API String ID: 917433306-3517212525
Opcode ID: e46a14c195eeec35e670756cfff2da074cab07f7bef70a30894ce813a17caabe
Instruction ID: d0397dbc27583b2a8bc262a16b41165a83c51a5669bd9d7a87819782010e5ca7
Opcode Fuzzy Hash: e46a14c195eeec35e670756cfff2da074cab07f7bef70a30894ce813a17caabe
Instruction Fuzzy Hash: DF518131644614BAEF326F19DC41BCE7F25EB0236CF104A22F611A9DF0D776C4A696B1

Uniqueness

Uniqueness Score: -1.00%

Function 6CD716E0 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 147
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadBitmapA.USER32(?,?), ref: 6CD716F0
LoadBitmapA.USER32(?,?), ref: 6CD71704
LoadBitmapA.USER32(?,?), ref: 6CD71717
GetDlgItem.USER32(?,?), ref: 6CD7172C
GetWindowRect.USER32(00000000,?), ref: 6CD71741
GetWindowRect.USER32(?,?), ref: 6CD7174D
ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6CD71776
LoadCursorA.USER32(00000000,00007F00), ref: 6CD717D9
RegisterClassExA.USER32(?), ref: 6CD717E9
CreateWindowExA.USER32(00000020,Bmp_Button_Class,00000000,50000000,?,?,00000000,00000000,?,?,?,00000000), ref: 6CD7180F
SetWindowLongA.USER32(00000000,00000000,?), ref: 6CD7181C
SetWindowLongA.USER32(00000000,00000004,?), ref: 6CD71827
SetWindowLongA.USER32(00000000,00000008,?), ref: 6CD71832
CreateWindowExA.USER32(00000000,STATIC,00000000,5000000E,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 6CD71856

Strings

Bmp_Button_Class, xrefs: 6CD717C4, 6CD71808
STATIC, xrefs: 6CD7184F

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: Window$Load$BitmapLong$CreateRect$ClassCursorItemRegisterShow
String ID: Bmp_Button_Class$STATIC
API String ID: 3511724289-4004187156
Opcode ID: 385b7778d71c7f7bc8472673d7be0f0e732ef3175c9cb38b38d8509365683f7f
Instruction ID: 85d6578924f4eb89a631021e8ec37d35073379ffba18ad908da27a71c0a1faaa
Opcode Fuzzy Hash: 385b7778d71c7f7bc8472673d7be0f0e732ef3175c9cb38b38d8509365683f7f
Instruction Fuzzy Hash: 7A516F71580305BEEF219FA0CC81FDEBBB9EF04704F108614F605AA6A0E7B5A5198BB4

Uniqueness

Uniqueness Score: -1.00%

Function 6CD7197E Relevance: 33.2, APIs: 22, Instructions: 165
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongA.USER32(?,00000004), ref: 6CD71998
GetWindowLongA.USER32(?,0000000C), ref: 6CD719A4
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 6CD719B2
SetCapture.USER32(?,00000000,00000172,00000000,00000000,?,0000000C,?,00000004), ref: 6CD719BA
GetWindowRect.USER32(?,?), ref: 6CD719E7
GetWindowLongA.USER32(?,00000000), ref: 6CD71A31
GetWindowLongA.USER32(?,0000000C), ref: 6CD71A3D
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 6CD71A4B
ReleaseCapture.USER32 ref: 6CD71A50
DefWindowProcA.USER32(?,?,?,?), ref: 6CD71B7F

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: Window$Long$CaptureMessageSend$ProcRectRelease
String ID:
API String ID: 2818777917-0
Opcode ID: be892f974810993a21d78d126a6ff92b0e6fe4003661ae3c5893be75a3fc1067
Instruction ID: 3a01bd2b217405d2976746b658e97369e0ae53373595b2f01bae53cd3092146e
Opcode Fuzzy Hash: be892f974810993a21d78d126a6ff92b0e6fe4003661ae3c5893be75a3fc1067
Instruction Fuzzy Hash: 3551A531680215AFEF329F64CD81B9E7FA5DB41348F108221F648AAAB1E771D896C774

Uniqueness

Uniqueness Score: -1.00%

Function 6CD758B0 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongA.USER32(000000EC,?), ref: 6CD758DB
SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,000000EC,?), ref: 6CD758F6
RtlMoveMemory.KERNEL32(?,?,00000000,00000000,?), ref: 6CD75990
SetWindowTextA.USER32(?,?), ref: 6CD7599E
GetDlgItemTextA.USER32(?,00000065,?,00000400), ref: 6CD759CA
EndDialog.USER32(?), ref: 6CD75ADF

Strings

BTN_REGP_OK_UP, xrefs: 6CD7592C
BTN_REGP_OK_DOWN, xrefs: 6CD75927
BTN_REGP_OK_OVER, xrefs: 6CD75922

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: Window$Text$DialogItemLongMemoryMove
String ID: BTN_REGP_OK_DOWN$BTN_REGP_OK_OVER$BTN_REGP_OK_UP
API String ID: 1467606235-2190942234
Opcode ID: 4d2d404d39b8636f85556c68868679f6e33fee9c67719b59501c1c8f9fb35315
Instruction ID: 481967e97bb79367f31e9dc07c75cf957286b098ba8a755745bfd08d5b9e76cf
Opcode Fuzzy Hash: 4d2d404d39b8636f85556c68868679f6e33fee9c67719b59501c1c8f9fb35315
Instruction Fuzzy Hash: F851A231644255BAEF325B14CC82FCD3B65EB0236CF244635F251A89F0F7B298A69772

Uniqueness

Uniqueness Score: -1.00%

Function 6CD75516 Relevance: 31.6, APIs: 14, Strings: 4, Instructions: 113
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringA.USER32(00000004,6CD8E23D,00000400,00000001), ref: 6CD75538

Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000180,00000000,?), ref: 6CD722D9
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,0000018B,00000000,00000000), ref: 6CD722E8
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000186,-00000001,00000000), ref: 6CD722F7

GetTempPathA.KERNEL32(00000400,?,00000004,6CD8E23D,00000400,00000001,?,00000000,?,6CD7637F,00000000,00000001,00000000,6CD90A45,00000400,00000184), ref: 6CD75553
lstrcatA.KERNEL32(?,\regpatch.reg,00000400,?,00000004,6CD8E23D,00000400,00000001,?,00000000,?,6CD7637F,00000000,00000001,00000000,6CD90A45), ref: 6CD75564
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,\regpatch.reg,00000400,?,00000004,6CD8E23D,00000400,00000001,?,00000000,?,6CD7637F), ref: 6CD75592
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00000000,?,00001000,00000004,?,\regpatch.reg,00000400,?,00000004,6CD8E23D), ref: 6CD755D3
lstrcpyA.KERNEL32(6CD7D911,/s ",?,?,00000000,?,?,00000000,?,00001000,00000004,?,\regpatch.reg,00000400,?,00000004), ref: 6CD7561C
lstrcatA.KERNEL32(6CD7D911,?,6CD7D911,/s ",?,?,00000000,?,?,00000000,?,00001000,00000004,?,\regpatch.reg,00000400), ref: 6CD75629
lstrcatA.KERNEL32(6CD7D911,6CD7D701,6CD7D911,?,6CD7D911,/s ",?,?,00000000,?,?,00000000,?,00001000,00000004,?), ref: 6CD75634
RtlZeroMemory.KERNEL32(?,0000003C,6CD7D911,6CD7D701,6CD7D911,?,6CD7D911,/s ",?,?,00000000,?,?,00000000,?,00001000), ref: 6CD75642
ShellExecuteExA.SHELL32(0000003C,?,0000003C,6CD7D911,6CD7D701,6CD7D911,?,6CD7D911,/s ",?,?,00000000,?,?,00000000,?), ref: 6CD75686
WaitForSingleObject.KERNEL32(?,000000FF,0000003C,?,0000003C,6CD7D911,6CD7D701,6CD7D911,?,6CD7D911,/s ",?,?,00000000,?,?), ref: 6CD75693
VirtualFree.KERNEL32(?,?,00004000,?,?,00000000,?,?,00000000,?,00001000,00000004,?,\regpatch.reg,00000400,?), ref: 6CD756AD
VirtualFree.KERNEL32(?,?,00004000,?,?,00004000,?,?,00000000,?,?,00000000,?,00001000,00000004,?), ref: 6CD756CC
DeleteFileA.KERNEL32(?,?,?,00004000,?,?,00000000,?,?,00000000,?,00001000,00000004,?,\regpatch.reg,00000400), ref: 6CD756D8

Part of subcall function 6CD740CF: GetModuleHandleA.KERNEL32(kernel32.dll,6CD74F4B), ref: 6CD740D4
Part of subcall function 6CD740CF: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 6CD740DF

Strings

<, xrefs: 6CD75647
/s ", xrefs: 6CD75616
@, xrefs: 6CD75651
\regpatch.reg, xrefs: 6CD75558

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: Virtual$MessageSendlstrcat$AllocFree$AddressDeleteExecuteFileHandleLoadMemoryModuleObjectPathProcShellSingleStringTempWaitZerolstrcpy
String ID: /s "$<$@$\regpatch.reg
API String ID: 2640690069-2261817607
Opcode ID: 7f922c5e4828757634ddb76e2b5ba95398fceeaac9852b0875179230fa854cb0
Instruction ID: 98b75f1899e1292223a29fb1535b7b982d679b4c22c7851e2685877af0e5f50c
Opcode Fuzzy Hash: 7f922c5e4828757634ddb76e2b5ba95398fceeaac9852b0875179230fa854cb0
Instruction Fuzzy Hash: D34177F1804218AADF319B50CC41FEEB779AF45308F0044D9B748B6AB0E7755A8A8F39

Uniqueness

Uniqueness Score: -1.00%

Function 6CD728D8 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 59filetimeCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32 ref: 6CD72918
CloseHandle.KERNEL32 ref: 6CD72923
SetFilePointer.KERNEL32(?,6CD7E51D,00000000), ref: 6CD72936
SetEndOfFile.KERNEL32(?,?,6CD7E51D,00000000), ref: 6CD7293C
CloseHandle.KERNEL32(?,?,?,6CD7E51D,00000000), ref: 6CD72942
SetFileAttributesA.KERNEL32(6CD7D911,?,?,?,6CD7E51D,00000000), ref: 6CD7295A
CreateFileA.KERNEL32(6CD7D911,C0000000,00000000,00000000,00000003,00000082,00000000,6CD7D911,?,?,?,6CD7E51D,00000000), ref: 6CD7297F
SetFileTime.KERNEL32(6CD7F181,6CD7F189,6CD7F191,6CD7D911,C0000000,00000000,00000000,00000003,00000082,00000000,6CD7D911,?,?,?,6CD7E51D,00000000), ref: 6CD729A3
CloseHandle.KERNEL32(6CD7F181,6CD7F189,6CD7F191,6CD7D911,C0000000,00000000,00000000,00000003,00000082,00000000,6CD7D911,?,?,?,6CD7E51D,00000000), ref: 6CD729AE

Part of subcall function 6CD729EF: LoadLibraryA.KERNEL32(Imagehlp.dll), ref: 6CD72A02
Part of subcall function 6CD729EF: GetProcAddress.KERNEL32(00000000,CheckSumMappedFile), ref: 6CD72A13
Part of subcall function 6CD729EF: CloseHandle.KERNEL32(00000000,00000000,CheckSumMappedFile,Imagehlp.dll), ref: 6CD72A48

Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000180,00000000,?), ref: 6CD722D9
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,0000018B,00000000,00000000), ref: 6CD722E8
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000186,-00000001,00000000), ref: 6CD722F7

Strings

Restore original file time : OK, xrefs: 6CD729B3
PE CheckSum Fix : Failed, xrefs: 6CD72908
PE CheckSum Fix : OK, xrefs: 6CD728FC
, xrefs: 6CD728EA

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: File$CloseHandle$MessageSend$AddressAttributesCreateLibraryLoadPointerProcTimeUnmapView
String ID: $PE CheckSum Fix : Failed$PE CheckSum Fix : OK$Restore original file time : OK
API String ID: 2362126809-2918191134
Opcode ID: 7458e2306e01f6e85b73e730e32cc271e373306e74ff69dd8c977aafebe2610d
Instruction ID: 64312c2a4aff93e11dede8dc0997de922a2f489cfee363478b5b55ba912615ff
Opcode Fuzzy Hash: 7458e2306e01f6e85b73e730e32cc271e373306e74ff69dd8c977aafebe2610d
Instruction Fuzzy Hash: 3B11843128026CFEFE322B60CD05FCD3529AB0632CF144412BA10B5EF0E771561EA6B5

Uniqueness

Uniqueness Score: -1.00%

Function 6CD74EE6 Relevance: 21.2, APIs: 14, Instructions: 203fileCOMMON

Download Yara Rule

APIs

LoadStringA.USER32(0000001B,6CD8AE3D,00000400,00000001), ref: 6CD74F01

Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000180,00000000,?), ref: 6CD722D9
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,0000018B,00000000,00000000), ref: 6CD722E8
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000186,-00000001,00000000), ref: 6CD722F7

LoadStringA.USER32(00000015,6CD8B23D,00000400), ref: 6CD74F89
LoadStringA.USER32(00000021,6CD8B63D,00000400), ref: 6CD74FC4
LoadStringA.USER32(00000021,6CD8BA3D,00000400), ref: 6CD74FE7
LoadStringA.USER32(0000001E,6CD8BE3D,00000400), ref: 6CD75034
LoadStringA.USER32(00000023,6CD8C23D,00000400), ref: 6CD75057
LoadStringA.USER32(00000019,6CD8C63D,00000400), ref: 6CD750DD
LoadStringA.USER32(0000001A,6CD8CA3D,00000400), ref: 6CD75100
LoadStringA.USER32(00000031,6CD8CE3D,00000400,?), ref: 6CD75182
LoadStringA.USER32(00000030,6CD8D23D,00000400,?), ref: 6CD751AC
CreateFileA.KERNEL32(6CD7D911,C0000000,00000002,00000000,00000003,00000082,00000000), ref: 6CD751E3
LoadStringA.USER32(00000033,6CD8D63D,00000400,6CD7D911), ref: 6CD751FF
LoadStringA.USER32(00000032,6CD8DA3D,00000400,6CD7D911), ref: 6CD75229
CloseHandle.KERNEL32(00000000,00000032,6CD8DA3D,00000400,6CD7D911,C0000000,00000002,00000000,00000003,00000082,00000000), ref: 6CD75239

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: LoadString$MessageSend$CloseCreateFileHandle
String ID:
API String ID: 3199326509-0
Opcode ID: dd164551c11787de02646744b27411e6eb9b5fd9743e0f672b2f4be47100e7bc
Instruction ID: 93d8071657226de6cc38bc77a064c59d7cd1b553bd4cdc906ddd843d852602bf
Opcode Fuzzy Hash: dd164551c11787de02646744b27411e6eb9b5fd9743e0f672b2f4be47100e7bc
Instruction Fuzzy Hash: FF71CD70686204FEFB32AB60CC4AFCA76B5AB0174CF109819B35575EF0E7B05149CA79

Uniqueness

Uniqueness Score: -1.00%

Function 6CD762CD Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 192windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000005), ref: 6CD762E7
ShowWindow.USER32(00000000,00000005), ref: 6CD762F4
SendMessageA.USER32(00000184,00000000,00000000), ref: 6CD76308
LoadStringA.USER32(00000000,6CD90A45,00000400,00000184), ref: 6CD7631F
LoadStringA.USER32(00000001,6CD91A45,00000400,00000002), ref: 6CD76532
GetDlgItem.USER32(0000006C,00000001), ref: 6CD76554
EnableWindow.USER32(00000000,00000000), ref: 6CD7655C
RedrawWindow.USER32(00000000,00000000,00000001,0000006C,00000001,6CD91A45,00000400,00000002,0000001C,6CD91645,00000400,00000001,00000000,6CD90A45,00000400,00000184), ref: 6CD7656D

Strings

EXIT PATCHING, xrefs: 6CD76435

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: Window$LoadShowString$EnableItemMessageRedrawSend
String ID: EXIT PATCHING
API String ID: 3447863954-2450873957
Opcode ID: 3ca8668ec7d6903bf44dfa8c4805bf87f6c3331c9183ba8584dda499c3f8c704
Instruction ID: 37d1a5ef57c37cd820753b07533d92316c1ff9ece52f62b9abb28606b3ce3135
Opcode Fuzzy Hash: 3ca8668ec7d6903bf44dfa8c4805bf87f6c3331c9183ba8584dda499c3f8c704
Instruction Fuzzy Hash: 8051EE3058D254F9FB329B64CD02BCE7AB59B0231CF24451EE290A0DF1B37555AB963A

Uniqueness

Uniqueness Score: -1.00%

Function 6CD738CC Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 136stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000070,00000000), ref: 6CD738E0
ShowWindow.USER32(?,00000000,00000070,00000000,?,00000000,?,6CD7327C,00000000,000000CA,6CD84E3D,0000000F,6CD84E3D,00000400,0000000E,6CD84A3D), ref: 6CD738FB
GetWindowRect.USER32(?,?), ref: 6CD73938
GetWindowRect.USER32(?,?), ref: 6CD7394A

Part of subcall function 6CD718B0: GetWindowLongA.USER32(?,000000EC), ref: 6CD718BE
Part of subcall function 6CD718B0: GetWindowLongA.USER32(?,000000F0), ref: 6CD718CA
Part of subcall function 6CD718B0: GetSystemMetrics.USER32(00000033), ref: 6CD718EF
Part of subcall function 6CD718B0: GetSystemMetrics.USER32(00000021), ref: 6CD7190B
Part of subcall function 6CD718B0: GetSystemMetrics.USER32(00000020), ref: 6CD71914
Part of subcall function 6CD718B0: GetSystemMetrics.USER32(0000002D), ref: 6CD71947
Part of subcall function 6CD718B0: GetSystemMetrics.USER32(0000002E), ref: 6CD71950
Part of subcall function 6CD718B0: GetSystemMetrics.USER32(00000006), ref: 6CD71964
Part of subcall function 6CD718B0: GetSystemMetrics.USER32(00000005), ref: 6CD7196D

RtlZeroMemory.KERNEL32(?,0000003C,?,?,?,00000000,00000070,00000000,?,00000000,?,6CD7327C,00000000,000000CA,6CD84E3D,0000000F), ref: 6CD739C9
lstrcpyA.KERNEL32(?,MS SANS SERIF,?,0000003C,?,?,?,00000000,00000070,00000000,?,00000000,?,6CD7327C,00000000,000000CA), ref: 6CD739E5
GetTempPathA.KERNEL32(00000400,?,?,MS SANS SERIF,?,0000003C,?,?,?,00000000,00000070,00000000,?,00000000,?,6CD7327C), ref: 6CD73A26
lstrcatA.KERNEL32(?,00000015,00000400,?,?,MS SANS SERIF,?,0000003C,?,?,?,00000000,00000070,00000000,?,00000000), ref: 6CD73A36
lstrcatA.KERNEL32(?,00000095,?,00000015,00000400,?,?,MS SANS SERIF,?,0000003C,?,?,?,00000000,00000070,00000000), ref: 6CD73A49
lstrcpyA.KERNEL32(?,00000015,0000009B,?,?,?,00000095,?,00000015,00000400,?,?,MS SANS SERIF,?,0000003C,?), ref: 6CD73A76
CreateFontIndirectA.GDI32(?), ref: 6CD73A7C

Strings

MS SANS SERIF, xrefs: 6CD739DC

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: MetricsSystem$Window$LongRectlstrcatlstrcpy$CreateFontIndirectItemMemoryPathShowTempZero
String ID: MS SANS SERIF
API String ID: 1718168783-2292534163
Opcode ID: e5eae67b363606d895978b8c7150e1386e5c6b0be6d4bc28360a76bb25cdce44
Instruction ID: 4097fcd5d7df7731ed223ff0ad5c244562d27a31ba5e2cab23250913dd8f5142
Opcode Fuzzy Hash: e5eae67b363606d895978b8c7150e1386e5c6b0be6d4bc28360a76bb25cdce44
Instruction Fuzzy Hash: 8E5192B1500615EEEF31DF24CC85FDABBB9FB41348F008559A214ABAA1E770E959CB70

Uniqueness

Uniqueness Score: -1.00%

Function 6CD74338 Relevance: 18.2, APIs: 12, Instructions: 187COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000002,6CD8563D,00000400), ref: 6CD7436F
LoadStringA.USER32(0000000A,6CD87E3D,00000400,00000024), ref: 6CD745C0

Part of subcall function 6CD740CF: GetModuleHandleA.KERNEL32(kernel32.dll,6CD74F4B), ref: 6CD740D4
Part of subcall function 6CD740CF: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 6CD740DF

LoadStringA.USER32(00000020,6CD85A3D,00000400,00000008), ref: 6CD743C1

Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000180,00000000,?), ref: 6CD722D9
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,0000018B,00000000,00000000), ref: 6CD722E8
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000186,-00000001,00000000), ref: 6CD722F7

LoadStringA.USER32(00000021,6CD85E3D,00000400,00000008), ref: 6CD743ED
LoadStringA.USER32(00000022,6CD8623D,00000400,00000008), ref: 6CD74410
LoadStringA.USER32(00000023,6CD8663D,00000400,00000400), ref: 6CD7444D
LoadStringA.USER32(0000000B,6CD8823D,00000400,00000024), ref: 6CD745E2

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: LoadString$MessageSend$AddressHandleModuleProc
String ID:
API String ID: 1736458721-0
Opcode ID: 78270b5b607f2f52c43afb8b7ebfe5ea9fac9a3d16f0d78445f8833070b651e1
Instruction ID: 05a68a6a59965b87bc8e8578fddbac64b9cb926432a9a161fe0e4628b38524c6
Opcode Fuzzy Hash: 78270b5b607f2f52c43afb8b7ebfe5ea9fac9a3d16f0d78445f8833070b651e1
Instruction Fuzzy Hash: A061BF30686240FAFF339B94CC06F8A7AB5AB01B4CF109855B350B5EB1E7B19249DB75

Uniqueness

Uniqueness Score: -1.00%

Function 6CD718B0 Relevance: 18.1, APIs: 12, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EC), ref: 6CD718BE
GetWindowLongA.USER32(?,000000F0), ref: 6CD718CA
GetSystemMetrics.USER32(00000033), ref: 6CD718EF
GetSystemMetrics.USER32(00000004), ref: 6CD718FA
GetSystemMetrics.USER32(00000021), ref: 6CD7190B
GetSystemMetrics.USER32(00000020), ref: 6CD71914
GetSystemMetrics.USER32(00000008), ref: 6CD7192A
GetSystemMetrics.USER32(00000007), ref: 6CD71933
GetSystemMetrics.USER32(0000002D), ref: 6CD71947
GetSystemMetrics.USER32(0000002E), ref: 6CD71950
GetSystemMetrics.USER32(00000006), ref: 6CD71964
GetSystemMetrics.USER32(00000005), ref: 6CD7196D

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: MetricsSystem$LongWindow
String ID:
API String ID: 3112282201-0
Opcode ID: 9ac105f992e2a1bd0ec87dee627b8ac329d158e3715ae37d9bc932f2d1c56605
Instruction ID: b981e1268b9632df25cf417334fdeeafe0561bf3f2c19acb174a7e793ee84489
Opcode Fuzzy Hash: 9ac105f992e2a1bd0ec87dee627b8ac329d158e3715ae37d9bc932f2d1c56605
Instruction Fuzzy Hash: BD2190325C1302AFEB211F75C895BAD3754EF90358F248130A92A9AAF0EB70C846C771

Uniqueness

Uniqueness Score: -1.00%

Function 6CD76089 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 90stringlibraryCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000400,?,00000000,?,00000000,?,6CD73277,00000000,000000CA,6CD84E3D,0000000F,6CD84E3D,00000400,0000000E,6CD84A3D,00000400), ref: 6CD760A1
GetCurrentDirectoryA.KERNEL32(00000400,?,00000400,?,00000000,?,00000000,?,6CD73277,00000000,000000CA,6CD84E3D,0000000F,6CD84E3D,00000400,0000000E), ref: 6CD760B2
lstrcpyA.KERNEL32(?,?,00000001,?,00000010,00000001,?,00000400,?,00000400,?,00000000,?,00000000,?,6CD73277), ref: 6CD760FD
lstrcatA.KERNEL32(?,6CD7D7EB,?,?,00000001,?,00000010,00000001,?,00000400,?,00000400,?,00000000,?,00000000), ref: 6CD7610E
lstrcatA.KERNEL32(?,?,?,6CD7D7EB,?,?,00000001,?,00000010,00000001,?,00000400,?,00000400,?,00000000), ref: 6CD76121
lstrcatA.KERNEL32(?,.dll,?,?,?,6CD7D7EB,?,?,00000001,?,00000010,00000001,?,00000400,?,00000400), ref: 6CD76132
LoadLibraryA.KERNEL32(?,?,00000000,?,?,.dll,?,?,?,6CD7D7EB,?,?,00000001,?,00000010,00000001), ref: 6CD76169
SetCurrentDirectoryA.KERNEL32(?,00000400,?,00000400,?,00000000,?,00000000,?,6CD73277,00000000,000000CA,6CD84E3D,0000000F,6CD84E3D,00000400), ref: 6CD760BE

Part of subcall function 6CD7149B: FindResourceA.KERNEL32(?,6CD71479,0000000A), ref: 6CD714B1

SetCurrentDirectoryA.KERNEL32(?,00000002,?,?,?,?,?,00000000,?,?,.dll,?,?,?,6CD7D7EB,?), ref: 6CD761B2

Strings

.dll, xrefs: 6CD76126

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: CurrentDirectorylstrcat$FindLibraryLoadPathResourceTemplstrcpy
String ID: .dll
API String ID: 4090242041-2738580789
Opcode ID: 1d5f194489170e15fc1af54943643039bf6888254742537aa83d6579e307a498
Instruction ID: 855a81f153f449332b407793d24c0e9e512242f691df74ed599699a759a01e47
Opcode Fuzzy Hash: 1d5f194489170e15fc1af54943643039bf6888254742537aa83d6579e307a498
Instruction Fuzzy Hash: 21310F76800118AADB219B91CC44EEEB7BDBB49358F0445A6A205D7520F730DA5ECB70

Uniqueness

Uniqueness Score: -1.00%

Function 6CD7424C Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 6CD77040: lstrlenA.KERNEL32(?), ref: 6CD77052

Part of subcall function 6CD77040: CompareStringA.KERNEL32(00000000,00000001,?,00000000,?,00000000,?), ref: 6CD7706C

ExpandEnvironmentStringsA.KERNEL32(6CD7D911,6CD7E95F,00000400,6CD7D668, /help : show help menu,6CD7D413,00000000,AttachConsole,kernel32.dll,6CD82199,?,?,?,6CD7210E), ref: 6CD742BC
ExpandEnvironmentStringsA.KERNEL32(6CD7D911,6CD7ED5F,00000400,6CD7D668, /help : show help menu,6CD7D413,00000000,AttachConsole,kernel32.dll,6CD82199,?,?,?,6CD7210E), ref: 6CD742F0
SetEnvironmentVariableA.KERNEL32(dup2_cmd_var,6CD7ED5F,6CD7D911,6CD7ED5F,00000400,6CD7D668, /help : show help menu,6CD7D413,00000000,AttachConsole,kernel32.dll,6CD82199,?,?,?,6CD7210E), ref: 6CD742FF
DialogBoxParamA.USER32(00000001,00000000,Function_00002DD0,00000000,6CD7D668), ref: 6CD7431E

Strings

backup, xrefs: 6CD74276
startupworkdir, xrefs: 6CD7429D
dup2_cmd_var, xrefs: 6CD742FA
setvar, xrefs: 6CD742D2
overwrite, xrefs: 6CD74288
silent, xrefs: 6CD74264

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: Environment$ExpandStrings$CompareDialogParamStringVariablelstrlen
String ID: backup$dup2_cmd_var$overwrite$setvar$silent$startupworkdir
API String ID: 3077006360-2026149501
Opcode ID: 0de8d2d1d57c9b9103579d158f9da8392164f8d96a24938a7e72b1f04317c538
Instruction ID: f615182e1da8f749463df32f1dd49030f7f73aed723c668d1015966c4e26f9c6
Opcode Fuzzy Hash: 0de8d2d1d57c9b9103579d158f9da8392164f8d96a24938a7e72b1f04317c538
Instruction Fuzzy Hash: 3201A2203CA6A4B8F97323345D06FCE16285B53228F050D42B34438EF2C7B6521E06FE

Uniqueness

Uniqueness Score: -1.00%

Function 6CD73B6F Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 75sleeplibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,00000000), ref: 6CD73B7D
GetProcAddress.KERNEL32(00000000,SetLayeredWindowAttributes), ref: 6CD73B88
GetWindowLongA.USER32(?,000000EC), ref: 6CD73B9C
SetWindowLongA.USER32(?,000000EC,00000000), ref: 6CD73BAC
Sleep.KERNEL32(?), ref: 6CD73C00
UpdateWindow.USER32(?), ref: 6CD73C08

Strings

user32.dll, xrefs: 6CD73B78
SetLayeredWindowAttributes, xrefs: 6CD73B82

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: Window$Long$AddressHandleModuleProcSleepUpdate
String ID: SetLayeredWindowAttributes$user32.dll
API String ID: 3069254162-3673630139
Opcode ID: b6481f7038951313c9ad1c4275fdb14a39e96a2b6cdef11a527d351f5849ea7a
Instruction ID: e0c1ceb3a3be19bbe966ebe6cd6a9ee2f9fe33b956c73bcfbf35fb750ea6acd4
Opcode Fuzzy Hash: b6481f7038951313c9ad1c4275fdb14a39e96a2b6cdef11a527d351f5849ea7a
Instruction Fuzzy Hash: FA21D270685208EFEF209F29CC40FAE3A65EB81328F148524F810E75F0D7719D55DA70

Uniqueness

Uniqueness Score: -1.00%

Function 6CD761BC Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49stringfileCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000400,?,?,?,?,?,6CD7365C,6CD8223D,6CD7E111), ref: 6CD761D4
FreeLibrary.KERNEL32(?,00000400,?,?,?,?,?,6CD7365C,6CD8223D,6CD7E111), ref: 6CD761E3
lstrcpyA.KERNEL32(?,?,6CD82645,?,00000010,?,00000400,?,?,?,?,?,6CD7365C,6CD8223D,6CD7E111), ref: 6CD76208
lstrcatA.KERNEL32(?,6CD7D7F2,?,?,6CD82645,?,00000010,?,00000400,?,?,?,?,?,6CD7365C,6CD8223D), ref: 6CD76219
lstrcatA.KERNEL32(?,?,?,6CD7D7F2,?,?,6CD82645,?,00000010,?,00000400,?), ref: 6CD7622C
lstrcatA.KERNEL32(?,.dll,?,?,?,6CD7D7F2,?,?,6CD82645,?,00000010,?,00000400,?), ref: 6CD7623D
DeleteFileA.KERNEL32(?,?,.dll,?,?,?,6CD7D7F2,?,?,6CD82645,?,00000010,?,00000400,?), ref: 6CD76249

Strings

.dll, xrefs: 6CD76231

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: lstrcat$DeleteFileFreeLibraryPathTemplstrcpy
String ID: .dll
API String ID: 1649043200-2738580789
Opcode ID: c60f789de85b76b02597453b5d0514a21edd441762371c30a6e4efb88581bec6
Instruction ID: 25f739b961420dbbe997de50a49973c164494a7ba6d7c8598e2a43fcb2ec0a3b
Opcode Fuzzy Hash: c60f789de85b76b02597453b5d0514a21edd441762371c30a6e4efb88581bec6
Instruction Fuzzy Hash: ED0112B6800158A6CB31D790CC85FEEB36CBB45349F4405A6B245E2954FB74D78E8BB0

Uniqueness

Uniqueness Score: -1.00%

Function 6CD73C60 Relevance: 13.6, APIs: 9, Instructions: 55COMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32 ref: 6CD73C79
SelectObject.GDI32(?,00000000), ref: 6CD73C82
RoundRect.GDI32(?,?,?,?,?,00000000,00000000), ref: 6CD73C9A
OffsetRect.USER32(?,00000001,00000001), ref: 6CD73CB0
GetDlgItemTextA.USER32(?,?,6CD7E538,00000400), ref: 6CD73CC5
SetBkMode.GDI32(?,00000001), ref: 6CD73CCF
SetTextColor.GDI32(?,?), ref: 6CD73CDD
DrawTextA.USER32(?,6CD7E538,000000FF,?,00000025), ref: 6CD73CF2
OffsetRect.USER32(?,000000FF,000000FF), ref: 6CD73D08

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: RectText$Offset$BrushColorCreateDrawItemModeObjectRoundSelectSolid
String ID:
API String ID: 3683931702-0
Opcode ID: 59bb90bcf1e6044abe9ab94a1d9ede9ad792f627170dfaa7cf1093885a597e80
Instruction ID: 849aa0dedb69175fdc0f66c9148f3c70b075f05a9a241fde73f6d6115a63a8f7
Opcode Fuzzy Hash: 59bb90bcf1e6044abe9ab94a1d9ede9ad792f627170dfaa7cf1093885a597e80
Instruction Fuzzy Hash: A6113031144704BEEB325F51CD01F8A7AB5EB14718F104B14B651A5DF1E7B2E49E97B0

Uniqueness

Uniqueness Score: -1.00%

Function 6CD758A1 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(000000EC,?), ref: 6CD758DB
SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,000000EC,?), ref: 6CD758F6
RtlMoveMemory.KERNEL32(?,?,00000000,00000000,?), ref: 6CD75990
SetWindowTextA.USER32(?,?), ref: 6CD7599E
GetDlgItemTextA.USER32(?,00000065,?,00000400), ref: 6CD759CA
EndDialog.USER32(?), ref: 6CD75ADF

Strings

BTN_REGP_OK_UP, xrefs: 6CD7592C
BTN_REGP_OK_DOWN, xrefs: 6CD75927
BTN_REGP_OK_OVER, xrefs: 6CD75922

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: Window$Text$DialogItemLongMemoryMove
String ID: BTN_REGP_OK_DOWN$BTN_REGP_OK_OVER$BTN_REGP_OK_UP
API String ID: 1467606235-2190942234
Opcode ID: c6df1087d649035fe10cf86ec4ea408fd1e0a07f0e59f94975ef480c6bcdebd6
Instruction ID: ccbdf2bafd62de97f37bae8ca1c26712f56c353d8954f2e0e3d42a3364dd9c81
Opcode Fuzzy Hash: c6df1087d649035fe10cf86ec4ea408fd1e0a07f0e59f94975ef480c6bcdebd6
Instruction Fuzzy Hash: 9E21F430644255BEFF321B14CC42FCA3B79AB4277CF200625F655699F0E7B2989687B2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD71FE3 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 73librarystringloaderCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000400,?), ref: 6CD71FFD
lstrcatA.KERNEL32(?,\bassmod.dll,00000400,?), ref: 6CD7200E
LoadLibraryA.KERNEL32(?,?,\bassmod.dll,00000400,?), ref: 6CD7201C
GetProcAddress.KERNEL32(BASSMOD_Init,?), ref: 6CD72041

Strings

\bassmod.dll, xrefs: 6CD72002
BASSMOD_Init, xrefs: 6CD7202E, 6CD7203A

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: AddressLibraryLoadPathProcTemplstrcat
String ID: BASSMOD_Init$\bassmod.dll
API String ID: 316107575-384773266
Opcode ID: 1cb7343dea238d19911d39ad6094e8809aaa066f23858ef5ce7b0314325838d7
Instruction ID: 3875de2f717f31d93092622e90429d754b691db0e88755071f07dd11b67ecde4
Opcode Fuzzy Hash: 1cb7343dea238d19911d39ad6094e8809aaa066f23858ef5ce7b0314325838d7
Instruction Fuzzy Hash: 8B1106716481A0EFFB315B258C4DF69BFFCEB0231CF140025E645D5AE0E6719986C635

Uniqueness

Uniqueness Score: -1.00%

Function 6CD765AE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000016,6CD91E45,00000400), ref: 6CD765D8
LoadStringA.USER32(00000017,6CD92245,00000400), ref: 6CD76621

Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000180,00000000,?), ref: 6CD722D9
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,0000018B,00000000,00000000), ref: 6CD722E8
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000186,-00000001,00000000), ref: 6CD722F7

RtlMoveMemory.KERNEL32(?,6CD76730,00000278,?,?,?,?,?,00000001,?,6CD74846,00000004,-6CD7D608,?,00000004,00000008), ref: 6CD766BB
RtlMoveMemory.KERNEL32(?,?,00000000,6CD76730,00000278,?,?,?,?,?,00000001,?,6CD74846,00000004,-6CD7D608,?), ref: 6CD766D5

Strings

dUP2, xrefs: 6CD76606
@, xrefs: 6CD76667

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: MessageSend$LoadMemoryMoveString
String ID: @$dUP2
API String ID: 1206653450-646226640
Opcode ID: 656e30f66e03bffeeec541ed6b673b8edaacf44b464f0161a85e83225688eb2f
Instruction ID: b42d1d8e04d0e58f9b6051f1c13b14289441496a4d918a7022aad91e8edd45d5
Opcode Fuzzy Hash: 656e30f66e03bffeeec541ed6b673b8edaacf44b464f0161a85e83225688eb2f
Instruction Fuzzy Hash: A841ABB1204715EFEB14CF29C885A6AB7F8FB05318F10852DE605D7AA1E371E856CB74

Uniqueness

Uniqueness Score: -1.00%

Function 6CD73683 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(000000EC), ref: 6CD736AC
SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,000000EC), ref: 6CD736C7
SetDlgItemTextA.USER32(?,00000065,00000000), ref: 6CD736DF
EndDialog.USER32(?,00000000), ref: 6CD738AD

Strings

BTN_ABOUT_OK_UP, xrefs: 6CD73715
BTN_ABOUT_OK_DOWN, xrefs: 6CD73710
BTN_ABOUT_OK_OVER, xrefs: 6CD7370B

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: Window$DialogItemLongText
String ID: BTN_ABOUT_OK_DOWN$BTN_ABOUT_OK_OVER$BTN_ABOUT_OK_UP
API String ID: 917433306-3517212525
Opcode ID: c657ce715866ef5a2f219603d94a3056f5795adea9ec491da2267a02ade35227
Instruction ID: 3264fe71cab503c5f63e2c3e6148e8e1f1aadd77cb895a0916b29a952ab62cc6
Opcode Fuzzy Hash: c657ce715866ef5a2f219603d94a3056f5795adea9ec491da2267a02ade35227
Instruction Fuzzy Hash: B111B230284218BEFF326B14CC42FCA7F69AB427ACF104621B614699F0D7B2955A97B0

Uniqueness

Uniqueness Score: -1.00%

Function 6CD72313 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30stringfileCOMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32(0000006B), ref: 6CD7231F
lstrcpyA.KERNEL32(6CD7DD11,?), ref: 6CD72332
lstrcatA.KERNEL32(6CD7DD11,.BAK,6CD7DD11,?), ref: 6CD7233D
GetFileAttributesA.KERNEL32(6CD7DD11,6CD7DD11,.BAK,6CD7DD11,?), ref: 6CD72343
CopyFileA.KERNEL32(?,6CD7DD11,00000000), ref: 6CD72353

Strings

.BAK, xrefs: 6CD72337

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: File$AttributesButtonCheckedCopylstrcatlstrcpy
String ID: .BAK
API String ID: 1049863671-450607331
Opcode ID: 900bb73d2e334b16d1351a9b3e80d11f63ae5d26877cca835edabf4829f9d7e9
Instruction ID: d866a5cff59fb0762ab31d016613ed1adf543d9ecfff6b5afa47ed0d08b3d9c3
Opcode Fuzzy Hash: 900bb73d2e334b16d1351a9b3e80d11f63ae5d26877cca835edabf4829f9d7e9
Instruction Fuzzy Hash: 01E02231045460B5CD321B618C02ECE3A1DAB0332CF100502F214B8FB1E372511BA3B9

Uniqueness

Uniqueness Score: -1.00%

Function 6CD72411 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 28filestringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,?), ref: 6CD72425
lstrcatA.KERNEL32(?,.tmp,?,?), ref: 6CD72430
DeleteFileA.KERNEL32(?,?,.tmp,?,?), ref: 6CD72436
MoveFileA.KERNEL32(?,?), ref: 6CD7243F
CopyFileA.KERNEL32(?,?,00000001), ref: 6CD7244F

Strings

.tmp, xrefs: 6CD7242A

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: File$CopyDeleteMovelstrcatlstrcpy
String ID: .tmp
API String ID: 2634143726-2986845003
Opcode ID: 6b11c466ef90b95cd89355b119912ea2770bb5c6170bce1cf27758ab2052a298
Instruction ID: 4c9f79cd99473f89600adbc79121ff76a272b8ac6d86ee8f73ec4530bcd37d81
Opcode Fuzzy Hash: 6b11c466ef90b95cd89355b119912ea2770bb5c6170bce1cf27758ab2052a298
Instruction Fuzzy Hash: 42E0E572501434B2CE311B558D46ECE3A29AF1235CF008011FA04F5A74FB7697AB86FA

Uniqueness

Uniqueness Score: -1.00%

Function 6CD73AF9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,?,6CD73AF5,?,00000002,?,6CD73272,?,00000000,00000000,000000CA,6CD84E3D,0000000F,6CD84E3D,00000400,0000000E), ref: 6CD73B02
GetProcAddress.KERNEL32(00000000,SetLayeredWindowAttributes), ref: 6CD73B0D
GetWindowLongA.USER32(?,000000EC), ref: 6CD73B1D
SetWindowLongA.USER32(?,000000EC,00000000), ref: 6CD73B2D

Strings

SetLayeredWindowAttributes, xrefs: 6CD73B07
user32.dll, xrefs: 6CD73AFD

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: LongWindow$AddressHandleModuleProc
String ID: SetLayeredWindowAttributes$user32.dll
API String ID: 1792074081-3673630139
Opcode ID: 1c40cebf85788fb68f43c6e30c2fe4d71505c20afbde16cea8a8b3423e5a7f9c
Instruction ID: 386e116f21e9f609014c63c51058fe5cf0f455527add98f3b8976b16031b9736
Opcode Fuzzy Hash: 1c40cebf85788fb68f43c6e30c2fe4d71505c20afbde16cea8a8b3423e5a7f9c
Instruction Fuzzy Hash: CDE04F311441087ADF213BA2CC01FAE3D5EDB823A8F208610B525E9AF1EBB1C81F9670

Uniqueness

Uniqueness Score: -1.00%

Function 6CD74791 Relevance: 9.1, APIs: 6, Instructions: 138COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000003,6CD8863D,00000400), ref: 6CD747C8
LoadStringA.USER32(0000000A,6CD8963D,00000400,?), ref: 6CD74943

Part of subcall function 6CD740CF: GetModuleHandleA.KERNEL32(kernel32.dll,6CD74F4B), ref: 6CD740D4
Part of subcall function 6CD740CF: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 6CD740DF

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: LoadString$AddressHandleModuleProc
String ID:
API String ID: 2917493658-0
Opcode ID: 830834d16267ad5b151f7dc1236be670219e5efb9ddbf73b71b648d05e4c10b9
Instruction ID: 8395febd1ec5320a4c08daad5be2324ed87ad3e792175f7d65897802fdc8d843
Opcode Fuzzy Hash: 830834d16267ad5b151f7dc1236be670219e5efb9ddbf73b71b648d05e4c10b9
Instruction Fuzzy Hash: 82519171601204FEEB339B94CC45FCABBB9AB0574CF108519A380B6EB0E7B19659DB74

Uniqueness

Uniqueness Score: -1.00%

Function 6CD72CEE Relevance: 9.1, APIs: 6, Instructions: 70COMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32(?), ref: 6CD72D52
CallWindowProcA.USER32(00000000,?,?,?,?), ref: 6CD72D7A
GetParent.USER32(?), ref: 6CD72D82
InvalidateRect.USER32(00000000,00000000,00000000,?,00000000,?,?,?,?,?), ref: 6CD72D8C
GetDlgCtrlID.USER32(?), ref: 6CD72D98
CallWindowProcA.USER32(00000000,?,?,?,?), ref: 6CD72DC0

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: CallCtrlProcWindow$InvalidateParentRect
String ID:
API String ID: 1256023302-0
Opcode ID: efb330797a9983074ebbfc209f441a2ec49933d25ed521d93da90ce867d0b6cc
Instruction ID: 78dc26580f58281a58817cd5962eca6251067545f8cda02de43b7009b7989def
Opcode Fuzzy Hash: efb330797a9983074ebbfc209f441a2ec49933d25ed521d93da90ce867d0b6cc
Instruction Fuzzy Hash: C8210D311011C8EEDF324B64DA89FDD3666970570CF208822FA60D9975DB7AD4A196B2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD757A2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 75stringCOMMON

Download Yara Rule

APIs

DialogBoxParamA.USER32(00000003,6CD758B0,?,00000001), ref: 6CD75822
RtlMoveMemory.KERNEL32(?,?,?,00000003,6CD758B0,?,00000001,?,?), ref: 6CD7583F
lstrcatA.KERNEL32(?,?,?,?,?,00000003,6CD758B0,?,00000001,?,?), ref: 6CD7584E
RtlMoveMemory.KERNEL32(?,?,?,00000001,?,?), ref: 6CD7588D

Strings

Can not use placeholders in console mode., xrefs: 6CD75869

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: MemoryMove$DialogParamlstrcat
String ID: Can not use placeholders in console mode.
API String ID: 608252020-475865414
Opcode ID: b9fe0be2780256e61d01704548ff4b0950cc4f5c56d5619dfd17f40bc39aa76d
Instruction ID: d1d28022c5f1e8712239c81b8b5a3ed4686e1594a7b98dce99c64761a6714e1f
Opcode Fuzzy Hash: b9fe0be2780256e61d01704548ff4b0950cc4f5c56d5619dfd17f40bc39aa76d
Instruction Fuzzy Hash: 8621F8B5805269EBEB329B50CC40B9DFBBCEB46318F140999E78061971F7344986CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 6CD729EF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Imagehlp.dll), ref: 6CD72A02
GetProcAddress.KERNEL32(00000000,CheckSumMappedFile), ref: 6CD72A13
CloseHandle.KERNEL32(00000000,00000000,CheckSumMappedFile,Imagehlp.dll), ref: 6CD72A48

Strings

Imagehlp.dll, xrefs: 6CD729FD
CheckSumMappedFile, xrefs: 6CD72A0D

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: AddressCloseHandleLibraryLoadProc
String ID: CheckSumMappedFile$Imagehlp.dll
API String ID: 4093397079-2254704603
Opcode ID: ddb6981d1028ca7f846b3db94b626ca6c2d8a9eec36b810a00ea3bb7d64ef7fb
Instruction ID: bb9f21e3064dec9d45f46646fde28e588745f03ae3f88585c5216599ccf936b7
Opcode Fuzzy Hash: ddb6981d1028ca7f846b3db94b626ca6c2d8a9eec36b810a00ea3bb7d64ef7fb
Instruction Fuzzy Hash: A3F05471A00148EBEF218BA9CCC4ADE77FCA704308F1044616511D2B61FB74D6098B70

Uniqueness

Uniqueness Score: -1.00%

Function 6CD740CF Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,6CD74F4B), ref: 6CD740D4
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 6CD740DF

Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000180,00000000,?), ref: 6CD722D9
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,0000018B,00000000,00000000), ref: 6CD722E8
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000186,-00000001,00000000), ref: 6CD722F7

Strings

Wow64DisableWow64FsRedirection, xrefs: 6CD740D9
WOW64 File System Redirection : disabled, xrefs: 6CD740EF
kernel32.dll, xrefs: 6CD740CF

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: MessageSend$AddressHandleModuleProc
String ID: WOW64 File System Redirection : disabled$Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 1180987372-1162415981
Opcode ID: 3a8d609a235e1234edad06d12e889f6ea9bad761279875e8f113c7f1083a9111
Instruction ID: dd25c50f11e619a4984a418e0cad2009ad4cb098346172fec71a0f1f145793d0
Opcode Fuzzy Hash: 3a8d609a235e1234edad06d12e889f6ea9bad761279875e8f113c7f1083a9111
Instruction Fuzzy Hash: 2EC09248501046B43A3023F22D09CBD2444CF4629C3880C106026E0E34EF34D11E8432

Uniqueness

Uniqueness Score: -1.00%

Function 6CD740FA Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,6CD7524F), ref: 6CD740FF
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 6CD7410A

Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000180,00000000,?), ref: 6CD722D9
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,0000018B,00000000,00000000), ref: 6CD722E8
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000186,-00000001,00000000), ref: 6CD722F7

Strings

kernel32.dll, xrefs: 6CD740FA
WOW64 File System Redirection : enabled, xrefs: 6CD7411B
Wow64RevertWow64FsRedirection, xrefs: 6CD74104

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: MessageSend$AddressHandleModuleProc
String ID: WOW64 File System Redirection : enabled$Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 1180987372-293881157
Opcode ID: cd04c4c129e0d2063795312e7a5ec07993882f5a778e2d3f81684bce6c8ad8d5
Instruction ID: 5e7a68fae298a7e5f270950244c89622f27d42211a875d8199ba1be0d3f23433
Opcode Fuzzy Hash: cd04c4c129e0d2063795312e7a5ec07993882f5a778e2d3f81684bce6c8ad8d5
Instruction Fuzzy Hash: B7C04828612085A9BA3237B24C08CAD2859DB8674839008166920F0E30EB7A899E9831

Uniqueness

Uniqueness Score: -1.00%

Function 6CD75266 Relevance: 7.6, APIs: 5, Instructions: 138stringCOMMON

Download Yara Rule

APIs

LoadStringA.USER32(0000001F,6CD8DE3D,00000400,00000001), ref: 6CD75284

Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000180,00000000,?), ref: 6CD722D9
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,0000018B,00000000,00000000), ref: 6CD722E8
Part of subcall function 6CD722C0: SendMessageA.USER32(00000000,00000186,-00000001,00000000), ref: 6CD722F7

lstrcpyA.KERNEL32(?,?,0000001F,6CD8DE3D,00000400,00000001,?,00000000,?,6CD763AF,00000000,00000001,00000000,6CD90A45,00000400,00000184), ref: 6CD752AB
lstrcatA.KERNEL32(?,6CD7D6E7,?,?,0000001F,6CD8DE3D,00000400,00000001,?,00000000,?,6CD763AF,00000000,00000001,00000000,6CD90A45), ref: 6CD752B6
lstrcatA.KERNEL32(?,?,?,6CD7D6E7,?,?,0000001F,6CD8DE3D,00000400,00000001,?,00000000,?,6CD763AF,00000000,00000001), ref: 6CD752C3
lstrcpyA.KERNEL32(?,?,?,?,?,6CD7D6E7,?,?,0000001F,6CD8DE3D,00000400,00000001,?,00000000,?,6CD763AF), ref: 6CD752D0

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: MessageSend$lstrcatlstrcpy$LoadString
String ID:
API String ID: 1610432388-0
Opcode ID: 6d60acfd1ce90dbc60a116bd308cb54ae168e92d124c836632833a7934c5ba09
Instruction ID: c748986c43e002d9b13c8c82317a48e9368a0b8b3a21fd459a51b914ae555a65
Opcode Fuzzy Hash: 6d60acfd1ce90dbc60a116bd308cb54ae168e92d124c836632833a7934c5ba09
Instruction Fuzzy Hash: 9D5125B0505718DAE7318B20CC80FEB73A8EB4030CF14899DE79566970E7B56A899B75

Uniqueness

Uniqueness Score: -1.00%

Function 6CD756F6 Relevance: 7.6, APIs: 5, Instructions: 66stringmemoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000001,?,?), ref: 6CD75714
ExpandEnvironmentStringsA.KERNEL32(?,?,?,00000000,?,00001000,00000004,00000001,?,?), ref: 6CD75729
lstrcmpA.KERNEL32(?,?,?,?,?,00000000,?,00001000,00000004,00000001,?,?), ref: 6CD75739
lstrcpyA.KERNEL32(?,?,?,?,?,?,?,00000000,?,00001000,00000004,00000001,?,?), ref: 6CD7577E
VirtualFree.KERNEL32(?,?,00004000,?,?,?,00000000,?,00001000,00000004,00000001,?,?), ref: 6CD7578E

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: Virtual$AllocEnvironmentExpandFreeStringslstrcmplstrcpy
String ID:
API String ID: 1433300790-0
Opcode ID: 98a67a8e72961e8acd9c4207334b6e3eaf31fe18363ddb456b7e33c4f54bb585
Instruction ID: 9e2473cae032cfd83cea5cbfe8f09d9ca18ca763a8edcdefbe08fb0f2b3367a5
Opcode Fuzzy Hash: 98a67a8e72961e8acd9c4207334b6e3eaf31fe18363ddb456b7e33c4f54bb585
Instruction Fuzzy Hash: DE110031944244FEEF31AF58DC41BCE7FB5AF06358F284054E590AA6B0F37546808B72

Uniqueness

Uniqueness Score: -1.00%

Function 6CD76444 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

LoadStringA.USER32(0000001D,6CD91245,00000400,00000001), ref: 6CD764BD
LoadStringA.USER32(0000001C,6CD91645,00000400,00000001), ref: 6CD764F0
LoadStringA.USER32(00000001,6CD91A45,00000400,00000002), ref: 6CD76532
GetDlgItem.USER32(0000006C,00000001), ref: 6CD76554
EnableWindow.USER32(00000000,00000000), ref: 6CD7655C
RedrawWindow.USER32(00000000,00000000,00000001,0000006C,00000001,6CD91A45,00000400,00000002,0000001C,6CD91645,00000400,00000001,00000000,6CD90A45,00000400,00000184), ref: 6CD7656D

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: LoadString$Window$EnableItemRedraw
String ID:
API String ID: 3679095025-0
Opcode ID: 61da26eddce4ff9474903512d92662c08716d941d854df9bc8307f64f10fdfd9
Instruction ID: 1fb2268d3c0997b9ca558d02dd8332f01a746a44d42ecc439d46674def6c4f43
Opcode Fuzzy Hash: 61da26eddce4ff9474903512d92662c08716d941d854df9bc8307f64f10fdfd9
Instruction Fuzzy Hash: B3119134689518FAFF326B108D53FDE66B65B0132CF60541AB360F0DF1727149AAA135

Uniqueness

Uniqueness Score: -1.00%

Function 6CD77260 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6CD77273
GetClientRect.USER32(?,?), ref: 6CD7727C
GetWindowRect.USER32(?,?), ref: 6CD772BD
GetWindowRect.USER32(?,?), ref: 6CD772C6
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?,?,?,?), ref: 6CD772EA

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: Rect$Window$Client$Move
String ID:
API String ID: 2306913390-0
Opcode ID: 5466a5f53e6a19e471acef218df414685dcc448f62439d56c97629f5dafe5c3d
Instruction ID: 655a65950909486ec83e959ed65304e03df03a578bf320b16cbd46ad360f4aea
Opcode Fuzzy Hash: 5466a5f53e6a19e471acef218df414685dcc448f62439d56c97629f5dafe5c3d
Instruction Fuzzy Hash: 44116631181509AFCB25CF28CC80CDFBF79EF853187149618E559E7A60D731E955CAB4

Uniqueness

Uniqueness Score: -1.00%

Function 6CD71657 Relevance: 7.6, Strings: 6, Instructions: 55COMMON

Download Yara Rule

Strings

HKEY_USERS, xrefs: 6CD716B1
HKEY_LOCAL_MACHINE, xrefs: 6CD7169E
HKEY_DYN_DATA, xrefs: 6CD716C4
HKEY_CLASSES_ROOT, xrefs: 6CD71665
HKEY_CURRENT_CONFIG, xrefs: 6CD71678
HKEY_CURRENT_USER, xrefs: 6CD7168B

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID:
String ID: HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_DYN_DATA$HKEY_LOCAL_MACHINE$HKEY_USERS
API String ID: 0-225008743
Opcode ID: ba5dd5511e6639a9e25d797ad0175d06d6681f619daf7969ee664e0def08da16
Instruction ID: 10e084dbea22f763af4390c90c4c279c71fbe388731091af1a084af433152ab5
Opcode Fuzzy Hash: ba5dd5511e6639a9e25d797ad0175d06d6681f619daf7969ee664e0def08da16
Instruction Fuzzy Hash: 27F01D94398106B3E630633B5C65F4E219C47923ACF1D2F16BACEE6E32F438D44545B5

Uniqueness

Uniqueness Score: -1.00%

Function 6CD7A7A0 Relevance: 7.5, APIs: 5, Instructions: 48registrystringCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(00000094), ref: 6CD7A7C0
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 6CD7A801
lstrlenA.KERNEL32(?,?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 6CD7A80D
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,?,?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 6CD7A825
RegCloseKey.ADVAPI32(?,00000000,?,?,00000000,00000001,?,?,?,?,?,00000000,00000000,00000000,000F003F,00000000), ref: 6CD7A82E

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: CloseCreateValueVersionlstrlen
String ID:
API String ID: 721734588-0
Opcode ID: 12882734470a7c121fd3b3d9354b65d5a640b25b0c2dc242800cee9784776ab0
Instruction ID: 6bcb8ad2933d47486f2aa2e236d25248d8e87507a8a095a0b73ac29bb72cd5a8
Opcode Fuzzy Hash: 12882734470a7c121fd3b3d9354b65d5a640b25b0c2dc242800cee9784776ab0
Instruction Fuzzy Hash: 9A012D71A4420CFADF219F50CC01FED7B7AEB05304F104065B608656B0E775DA99DB71

Uniqueness

Uniqueness Score: -1.00%

Function 6CD72368 Relevance: 7.5, APIs: 5, Instructions: 47fileCOMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32(0000006B), ref: 6CD72374
CopyFileA.KERNEL32(6CD7DD11,6CD7D911,00000000), ref: 6CD7239E
DeleteFileA.KERNEL32(6CD7DD11,0000006B), ref: 6CD723AD
LoadStringA.USER32(0000000D,6CD82E3D,00000400,0000006B), ref: 6CD723E7
SetFileAttributesA.KERNEL32(6CD7DD11), ref: 6CD72403

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: File$AttributesButtonCheckedCopyDeleteLoadString
String ID:
API String ID: 1907639918-0
Opcode ID: bb954aedcc7190eb69f03c83207b628726167480792a29aec85ff1050bc091b3
Instruction ID: 8ad9a00951ac3d5399b586882aa46a75d01aa06c87815dce4c552593833dd984
Opcode Fuzzy Hash: bb954aedcc7190eb69f03c83207b628726167480792a29aec85ff1050bc091b3
Instruction Fuzzy Hash: 9301A2A15491F4F9FF321315CC09B8E3A69971372CF04805AE240A4EB1D7B981DA83BA

Uniqueness

Uniqueness Score: -1.00%

Function 6CD73D1A Relevance: 7.5, APIs: 5, Instructions: 46windowmemorystringCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(0000018B,00000000,00000000,6CD7333B), ref: 6CD73D33
VirtualAlloc.KERNEL32(00000000,00050000,00001000,00000004,0000018B,00000000,00000000,6CD7333B), ref: 6CD73D4D
SendMessageA.USER32(00000189,00000000,00000000,00000000), ref: 6CD73D67
lstrcatA.KERNEL32(00000000,6CD7D338,00000189,00000000,00000000,00000000,00000000,00000000,00050000,00001000,00000004,0000018B,00000000,00000000,6CD7333B), ref: 6CD73D72
VirtualFree.KERNEL32(6CD7D338,00050000,00004000,6CD7D338,00000189,00000000,00000000,00000000,00000000,00000000,00050000,00001000,00000004,0000018B,00000000,00000000), ref: 6CD73D97

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: MessageSendVirtual$AllocFreelstrcat
String ID:
API String ID: 3447240021-0
Opcode ID: 82a068c881e7521a63f001da627799015f9ac5b1183c2aa663006d37b770d574
Instruction ID: 9396d997eddace298c9fa7463fb6dd183d339100eee6ef511a6cdf8f882f4751
Opcode Fuzzy Hash: 82a068c881e7521a63f001da627799015f9ac5b1183c2aa663006d37b770d574
Instruction Fuzzy Hash: 4EF030743942507DFB3717218D96FBE25698782F19F200129F741A9AF0A7F0258B9539

Uniqueness

Uniqueness Score: -1.00%

Function 6CD72AFB Relevance: 7.5, APIs: 5, Instructions: 28COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6CD72B0F
GetWindowRect.USER32(00000000,?), ref: 6CD72B16
GetDlgItem.USER32(?,?), ref: 6CD72B21
GetWindowRect.USER32(00000000,?), ref: 6CD72B28
IntersectRect.USER32(?,?,?), ref: 6CD72B33

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: Rect$ItemWindow$Intersect
String ID:
API String ID: 3468032208-0
Opcode ID: 1583048bf30bbd94fd84b6852f8b8492155a7e860697753d1d4a9878ad06f0cf
Instruction ID: d70447f8f3f158c67cd7f550618432444b2f6ff471b0d161ed7975d68cf2f268
Opcode Fuzzy Hash: 1583048bf30bbd94fd84b6852f8b8492155a7e860697753d1d4a9878ad06f0cf
Instruction Fuzzy Hash: 3FE06D724802187ACF20AFA5DC44CCF3F2DEF85314B008414B905F2920F731961ACAB0

Uniqueness

Uniqueness Score: -1.00%

Function 6CD76577 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20windowCOMMON

Download Yara Rule

APIs

LoadBitmapA.USER32(BTN_PATCH_DISABLED), ref: 6CD76586
GetWindowLongA.USER32(?,0000000C), ref: 6CD76596
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 6CD765A4

Strings

BTN_PATCH_DISABLED, xrefs: 6CD7657B

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: BitmapLoadLongMessageSendWindow
String ID: BTN_PATCH_DISABLED
API String ID: 1801189489-85872909
Opcode ID: e70bd43234a786eb8b7abff53ca9c0b0f2775cf14c9996ab750ea9d9261bf097
Instruction ID: 8269a624267fdb333384030239bc3e591ac4a060943d8eeb8dbc901bf3b8674e
Opcode Fuzzy Hash: e70bd43234a786eb8b7abff53ca9c0b0f2775cf14c9996ab750ea9d9261bf097
Instruction Fuzzy Hash: A3D05E602D0204BAFD3227658C41F9E7D9EC7417A8F0085207200E8AF2F6F18C0A9134

Uniqueness

Uniqueness Score: -1.00%

Function 6CD74735 Relevance: 6.1, APIs: 4, Instructions: 70fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32(?,00000002,?,?,?,?,?,00000000,00000004,00000000,00000000,00000000,?,?,6CD7D911,C0000000), ref: 6CD746D0
UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000002,?,?,?,?,?), ref: 6CD74728
CloseHandle.KERNEL32(?,?,00000002,?,?,?,?,?,00000000,00000004,00000000,00000000,00000000,?,?,6CD7D911), ref: 6CD74778
CloseHandle.KERNEL32(?,?,00000000,00000004,00000000,00000000,00000000,?,?,6CD7D911,C0000000,00000002,00000000,00000003,00000082,00000000), ref: 6CD74780

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: CloseFileHandleView$Unmap
String ID:
API String ID: 1018311036-0
Opcode ID: bebd379d78e274509ed2ddcb114f777929fc978b1644fa0436d2f855a2926af5
Instruction ID: a6101d47d1df8de3ead428c6dd5d53c00df598a03db652b74346baf16fe87828
Opcode Fuzzy Hash: bebd379d78e274509ed2ddcb114f777929fc978b1644fa0436d2f855a2926af5
Instruction Fuzzy Hash: 8A212A75D00108EFCF22DF94D980AEDBBB6FF41318F20812AE151A2974E7346996CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6CD72CE7 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32(?), ref: 6CD72D52
CallWindowProcA.USER32(00000000,?,?,?,?), ref: 6CD72D7A
GetParent.USER32(?), ref: 6CD72D82
InvalidateRect.USER32(00000000,00000000,00000000,?,00000000,?,?,?,?,?), ref: 6CD72D8C
GetDlgCtrlID.USER32(?), ref: 6CD72D98
CallWindowProcA.USER32(00000000,?,?,?,?), ref: 6CD72DC0

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: CallCtrlProcWindow$InvalidateParentRect
String ID:
API String ID: 1256023302-0
Opcode ID: 654079da38aa842e94f9b5460a9526d4c0aa41deea818012fc5e3e6ff99bc775
Instruction ID: 143d15ba28711e922582140a3d3ed21d00bc95149d5cbcec1acfb98b48b9eb3f
Opcode Fuzzy Hash: 654079da38aa842e94f9b5460a9526d4c0aa41deea818012fc5e3e6ff99bc775
Instruction Fuzzy Hash: 3001CC301412C8EEEF324B24CA8DFDD3657974470CF304822EDA4E99B9DA79D49195B2

Uniqueness

Uniqueness Score: -1.00%

Function 6CD76F00 Relevance: 6.0, APIs: 4, Instructions: 45registryCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?), ref: 6CD76F20
RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,?), ref: 6CD76F57
RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000001,?), ref: 6CD76F82
RegCloseKey.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,?,00000000,00000001,?), ref: 6CD76F8B

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: CloseOpenQueryValueVersion
String ID:
API String ID: 2996790148-0
Opcode ID: e1892d3d9792545cd93157d0401ee52856a44f0dfdadaad5d0370727a44a8380
Instruction ID: 94143380e568ae2c1b4292bcab1775704350faba540e9d3c126ffab0fabdebc6
Opcode Fuzzy Hash: e1892d3d9792545cd93157d0401ee52856a44f0dfdadaad5d0370727a44a8380
Instruction Fuzzy Hash: 0E010C7192020CEFDF208F50CC41BEEBBB9EB05308F1041A5F604E5AB0E7759A999B71

Uniqueness

Uniqueness Score: -1.00%

Function 6CD76D4C Relevance: 6.0, APIs: 4, Instructions: 31fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 6CD76D67
WriteFile.KERNEL32(00000400,6CD7E111,?,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 6CD76D89
FlushFileBuffers.KERNEL32(00000400,00000400,6CD7E111,?,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 6CD76D91
CloseHandle.KERNEL32(00000400,00000400,00000400,6CD7E111,?,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 6CD76D99

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: File$BuffersCloseCreateFlushHandleWrite
String ID:
API String ID: 4137531733-0
Opcode ID: dcaf5e4410800bcd8cafecdb1ba5ccb07b804effd0555680af52f84d583d2cd7
Instruction ID: cfddf8f48a32d3003be818a889129d95eb2ff021526c48f46cfb61ae0995d78e
Opcode Fuzzy Hash: dcaf5e4410800bcd8cafecdb1ba5ccb07b804effd0555680af52f84d583d2cd7
Instruction Fuzzy Hash: 36F03731540108FADF319F60CC43FCD7775AB10718F208251B620F55F0E7719A25A769

Uniqueness

Uniqueness Score: -1.00%

Function 6CD770B0 Relevance: 6.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 6CD770C2
GetModuleFileNameA.KERNEL32(00000000,?,00000200,00000000), ref: 6CD770D4
lstrlenA.KERNEL32(?,00000000,?,00000200,00000000), ref: 6CD770DA
SetCurrentDirectoryA.KERNEL32(00000000), ref: 6CD770F4

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: Module$CurrentDirectoryFileHandleNamelstrlen
String ID:
API String ID: 2912049553-0
Opcode ID: 6d1e60377f57e4e8f8d8ec634b370f6db650299c7fccfbd2552bb4bd7925805e
Instruction ID: 24e419995c8857fda93045159a97e491c8a7544af3c437383d4f575b889ca605
Opcode Fuzzy Hash: 6d1e60377f57e4e8f8d8ec634b370f6db650299c7fccfbd2552bb4bd7925805e
Instruction Fuzzy Hash: 77E02B21848220B9D7325B644C08FCF7AE89F07358F154854E684BABA1F7F4114683F4

Uniqueness

Uniqueness Score: -1.00%

Function 6CD7633F Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

LoadStringA.USER32(0000001D,6CD91245,00000400,00000001), ref: 6CD764BD
LoadStringA.USER32(00000001,6CD91A45,00000400,00000002), ref: 6CD76532
GetDlgItem.USER32(0000006C,00000001), ref: 6CD76554
EnableWindow.USER32(00000000,00000000), ref: 6CD7655C
RedrawWindow.USER32(00000000,00000000,00000001,0000006C,00000001,6CD91A45,00000400,00000002,0000001C,6CD91645,00000400,00000001,00000000,6CD90A45,00000400,00000184), ref: 6CD7656D

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: LoadStringWindow$EnableItemRedraw
String ID:
API String ID: 3001624229-0
Opcode ID: ad44e173752718e8fe3031ee70f4ce2794685dbc448da2d4fb49cbba73b35a24
Instruction ID: 0fa90008762936d95b3182a72ec38fbded92ef5b993f41a96717a5068168edf0
Opcode Fuzzy Hash: ad44e173752718e8fe3031ee70f4ce2794685dbc448da2d4fb49cbba73b35a24
Instruction Fuzzy Hash: 3CE04F317C522079FE32A7249C83F8CAA699741B1CF504021B340F8DF4B7B2581E9174

Uniqueness

Uniqueness Score: -1.00%

Function 6CD72A7D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29stringCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000400,6CD7E111), ref: 6CD72AA7
lstrcatA.KERNEL32(6CD7E111,\bassmod.dll,00000400,6CD7E111), ref: 6CD72AB6

Part of subcall function 6CD76D4C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 6CD76D67

Strings

\bassmod.dll, xrefs: 6CD72AAC

Memory Dump Source

Source File: 00000003.00000002.2063752060.000000006CD71000.00000080.00000001.01000000.00000003.sdmp, Offset: 6CD70000, based on PE: true

Associated: 00000003.00000002.2063740343.000000006CD70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063764357.000000006CD7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063775261.000000006CD7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CD93000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063788682.000000006CDC9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2063853540.000000006CE56000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cd70000_rundll32.jbxd

Similarity

API ID: CreateFilePathTemplstrcat
String ID: \bassmod.dll
API String ID: 3703170275-1657146168
Opcode ID: 6a69dd0cc4d1a91708bae066ddfdde8594bb12f72426e97fbc9d0b49ea6458be
Instruction ID: a4feb6a2a882a1b295147ccabcace170951432a388863e19d749ca143c1c5b84
Opcode Fuzzy Hash: 6a69dd0cc4d1a91708bae066ddfdde8594bb12f72426e97fbc9d0b49ea6458be
Instruction Fuzzy Hash: D8F0E53024824979FF3193608C43FEEBA998B0131CF1145A4B950F6EE1EAF1AA0E8271

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 7968, Parent PID: 7460COMMON

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	90
Total number of Limit Nodes:	6

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 10001288 Relevance: 16.6, APIs: 11, Instructions: 137
threadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001380: WaitForSingleObject.KERNEL32(?,10004160,?,?,?,?,?,1000128D,10001040,?,?,00000001), ref: 10001396
Part of subcall function 10001380: CloseHandle.KERNEL32(?,10004160,?,?,?,?,?,1000128D,10001040,?,?,00000001), ref: 1000139C
Part of subcall function 10001380: waveOutReset.WINMM(02F3B000,02F3B000,10016198,00000020,02F3B000,?,?,?,?,1000128D,10001040,?,?,00000001), ref: 100013BE
Part of subcall function 10001380: waveOutUnprepareHeader.WINMM(?,?,?,?,1000128D,10001040,?,?,00000001), ref: 100013C4
Part of subcall function 10001380: waveOutClose.WINMM(?,?,?,?,1000128D,10001040,?,?,00000001), ref: 100013CA
Part of subcall function 10001380: HeapDestroy.KERNEL32(05F00000,?,?,?,?,1000128D,10001040,?,?,00000001), ref: 100013DB

HeapCreate.KERNEL32(10004164,000000FF,10001074,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,10001040,00000001), ref: 100012F0
waveOutPrepareHeader.WINMM(10004164,10016198,00000020,0000000C,?,?,?,?,10001040,00000001), ref: 10001336
waveOutWrite.WINMM(10004164,10016198,00000020,?,?,?,?,10001040,00000001), ref: 10001350
CreateThread.KERNELBASE(00000000,00000000,100013F3,00000000,00000000,10006188), ref: 10001364
SetThreadPriority.KERNELBASE(00000000,0000000F,?,?,?,?,10001040,00000001), ref: 10001374

Memory Dump Source

Source File: 00000010.00000002.3502842136.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.3502829670.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000010.00000002.3502854782.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000010.00000002.3502867246.0000000010004000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000010.00000002.3502881574.0000000010017000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: wave$CloseCreateHeaderHeapThread$DestroyHandleObjectPreparePriorityResetSingleUnprepareWaitWrite
String ID:
API String ID: 2713968407-0
Opcode ID: 2009b84035df47f8c19b9643b934a29b422089fded2b8bd7dafb2442abd2461e
Instruction ID: ac5d36506aa8d357ea39ce6044d3386a5bac6df8a4522790fc0c896b20e12fd4
Opcode Fuzzy Hash: 2009b84035df47f8c19b9643b934a29b422089fded2b8bd7dafb2442abd2461e
Instruction Fuzzy Hash: 02415971A01255ABFB11CF25CC98BEF7BA8EF857D1F518528FA449B159CB349A00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 100013F3 Relevance: 3.0, APIs: 2, Instructions: 29
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

waveOutGetPosition.WINMM(?,00000004,0000000C), ref: 10001405
Sleep.KERNELBASE(00000005), ref: 10001416

Memory Dump Source

Source File: 00000010.00000002.3502842136.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.3502829670.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000010.00000002.3502854782.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000010.00000002.3502867246.0000000010004000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000010.00000002.3502881574.0000000010017000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: PositionSleepwave
String ID:
API String ID: 2381551157-0
Opcode ID: cf7434af3cec0125fce73027c4f15a138c38a2a64dc93ea248612d2cb0c73b90
Instruction ID: 708fbda80c6a82a2279f4d4a49f6192a252f93001582e63d44a1b805c9e5f71e
Opcode Fuzzy Hash: cf7434af3cec0125fce73027c4f15a138c38a2a64dc93ea248612d2cb0c73b90
Instruction Fuzzy Hash: 51F08C329002D8EBFB02CF148C00BC63F68EB163D1F0A4061FA456A1AAC3B48D80CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 10001134 Relevance: 1.5, APIs: 1, Instructions: 10
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000009,10004000,10001BC7,10004164), ref: 1000113D

Memory Dump Source

Source File: 00000010.00000002.3502842136.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.3502829670.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000010.00000002.3502854782.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000010.00000002.3502867246.0000000010004000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000010.00000002.3502881574.0000000010017000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9098c2567be60f5a839c9e852f95c253592f1850101e8cd0641dedea866c5221
Instruction ID: 2161fad69fcb9aae42f35faaec487752547eb58a6de77c809ca4bc1e54b3640a
Opcode Fuzzy Hash: 9098c2567be60f5a839c9e852f95c253592f1850101e8cd0641dedea866c5221
Instruction Fuzzy Hash: CCB092763402119FF7128B61BC89BA63798EB80BE8B238421E512D50A8F65188805550

Uniqueness

Uniqueness Score: -1.00%

Function 10001414 Relevance: 1.3, APIs: 1, Instructions: 7
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000005), ref: 10001416

Memory Dump Source

Source File: 00000010.00000002.3502842136.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.3502829670.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000010.00000002.3502854782.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000010.00000002.3502867246.0000000010004000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000010.00000002.3502881574.0000000010017000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 6d46402de44bb3ab673ab0dea5f0a5686e666231684e6e2dd873c03bb3975b8e
Instruction ID: 26896bdba1bfa70f82b30afd89e87a67b1790004b5f4f36a08bb48c09e2d2b29
Opcode Fuzzy Hash: 6d46402de44bb3ab673ab0dea5f0a5686e666231684e6e2dd873c03bb3975b8e
Instruction Fuzzy Hash: 7AB0923218025486F3019F80A8087D67358D720393F40C026E225440E4837488A1DE60

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10001380 Relevance: 9.0, APIs: 6, Instructions: 44
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,10004160,?,?,?,?,?,1000128D,10001040,?,?,00000001), ref: 10001396
CloseHandle.KERNEL32(?,10004160,?,?,?,?,?,1000128D,10001040,?,?,00000001), ref: 1000139C
waveOutReset.WINMM(02F3B000,02F3B000,10016198,00000020,02F3B000,?,?,?,?,1000128D,10001040,?,?,00000001), ref: 100013BE
waveOutUnprepareHeader.WINMM(?,?,?,?,1000128D,10001040,?,?,00000001), ref: 100013C4
waveOutClose.WINMM(?,?,?,?,1000128D,10001040,?,?,00000001), ref: 100013CA
HeapDestroy.KERNEL32(05F00000,?,?,?,?,1000128D,10001040,?,?,00000001), ref: 100013DB

Memory Dump Source

Source File: 00000010.00000002.3502842136.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.3502829670.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000010.00000002.3502854782.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000010.00000002.3502867246.0000000010004000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000010.00000002.3502881574.0000000010017000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: wave$Close$DestroyHandleHeaderHeapObjectResetSingleUnprepareWait
String ID:
API String ID: 755419389-0
Opcode ID: 0c8edf64347d0c7ab07e493f9c5edb427a8040aef40a79b560d8962686cbdfcc
Instruction ID: 7a5e45d39f3742ef7a03327aef812cd67cbe7a1c08f55e259b8cce1fe85a7349
Opcode Fuzzy Hash: 0c8edf64347d0c7ab07e493f9c5edb427a8040aef40a79b560d8962686cbdfcc
Instruction Fuzzy Hash: D401FBB1601258BBEB119F56DC98AAF7BBCFB84AD1B518029F909CB254C735DE048A60

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dup2patcher.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_5aa1c5c01549fa45ad9a16e66b3c3c2aa3426eb_7522e4b5_23c4799e-a01f-4f8f-8700-ed783e5e0556\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_717b893d71ade4662cb34ff8156d52b401b83c9_7522e4b5_43c3c8b8-f495-436e-b067-5961b7a877fa\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_717b893d71ade4662cb34ff8156d52b401b83c9_7522e4b5_4911ab3a-36da-4fff-bddc-3152bc9cdcd8\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_717b893d71ade4662cb34ff8156d52b401b83c9_7522e4b5_a92e9e53-3091-45c3-a6b1-e201de41f298\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B1E.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B2E.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C29.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C2A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C69.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C78.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6183.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6201.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER62DB.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER631B.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6369.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER63A8.tmp.xml

C:\Users\user\AppData\Local\Temp\bassmod.dll

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Windows Analysis Report
dup2patcher.dll