
Windows Analysis Report
8TuwlFKxC5.dll

Overview

General Information

Sample name:8TuwlFKxC5.dll
renamed because original name is a hash value
Original sample name:da6d952b6509ce400e9ea2098ba796f9.dll
Analysis ID:1541899
MD5:da6d952b6509ce400e9ea2098ba796f9
SHA1:cce66c35c8e3028f296b7793cd4dbb0a9baafe19
SHA256:ad9513cf9a7f6a59bc7ed9a2bea44ec5e4bb655d18384336c0c124bfa2140286
Tags: 32, dll, exe, trojan

Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Sigma detected: Potential WinAPI Calls Via CommandLine
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 5688 cmdline: loaddll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5908 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 4592 cmdline: rundll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1520 cmdline: rundll32.exe C:\Users\user\Desktop\8TuwlFKxC5.dll,FreeLibraryMemoryAndExitThread MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 432 cmdline: rundll32.exe C:\Users\user\Desktop\8TuwlFKxC5.dll,NtUnloadDllMemoryAndExitThread MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4564 cmdline: rundll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll",FreeLibraryMemoryAndExitThread MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5356 cmdline: rundll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll",NtUnloadDllMemoryAndExitThread MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: rundll32.exe C:\Users\user\Desktop\8TuwlFKxC5.dll,FreeLibraryMemoryAndExitThread, CommandLine: rundll32.exe C:\Users\user\Desktop\8TuwlFKxC5.dll,FreeLibraryMemoryAndExitThread, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: loaddll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll", ParentImage: C:\Windows\System32\loaddll32.exe, ParentProcessId: 5688, ParentProcessName: loaddll32.exe, ProcessCommandLine: rundll32.exe C:\Users\user\Desktop\8TuwlFKxC5.dll,FreeLibraryMemoryAndExitThread, ProcessId: 1520, ProcessName: rundll32.exe
No Suricata rule has matched


AV Detection

Source: 8TuwlFKxC5.dll | Avira: detected
Source: 8TuwlFKxC5.dll | ReversingLabs: Detection: 68%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.5% probability
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0C7B84 CryptStringToBinaryA,CryptStringToBinaryA, 3_2_6E0C7B84
Source: 8TuwlFKxC5.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: 8TuwlFKxC5.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0B4DD0 NtUnloadDllMemoryAndExitThread, 3_2_6E0B4DD0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0CFE8F 3_2_6E0CFE8F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0CDED6 3_2_6E0CDED6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0D67FE 3_2_6E0D67FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0CA2C0 3_2_6E0CA2C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0D6350 3_2_6E0D6350
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0C811F 3_2_6E0C811F
Source: classification engine | Classification label: mal64.winDLL@14/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7104:120:WilError_03
Source: 8TuwlFKxC5.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8TuwlFKxC5.dll,FreeLibraryMemoryAndExitThread
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8TuwlFKxC5.dll,NtUnloadDllMemoryAndExitThread
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll",FreeLibraryMemoryAndExitThread
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll",NtUnloadDllMemoryAndExitThread
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: 8TuwlFKxC5.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 8TuwlFKxC5.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 8TuwlFKxC5.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 8TuwlFKxC5.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 8TuwlFKxC5.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 8TuwlFKxC5.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 8TuwlFKxC5.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 8TuwlFKxC5.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 8TuwlFKxC5.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 8TuwlFKxC5.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 8TuwlFKxC5.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0C7868 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_6E0C7868
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0C9A06 push ecx; ret 3_2_6E0C9A19
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0C8BC5 push ecx; ret 3_2_6E0C8BD8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0C811F std::_Xinvalid_argument,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_6E0C811F
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetSystemTimeAsFileTime, DecisionNodes graph_3-14078
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 7.6 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0C9841 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E0C9841
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0D05B1 mov eax, dword ptr fs:[00000030h] 3_2_6E0D05B1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0D375D GetProcessHeap, 3_2_6E0D375D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0C9609 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E0C9609
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0D1283 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E0D1283
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0C9A1B cpuid 3_2_6E0C9A1B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0C9764 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_6E0C9764
MITRE ATT&CK Matrix (matched techniques; the number is the count of signatures mapped to the technique)

  • Execution: Native API (2)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (11); DLL Side-Loading (1)
  • Defense Evasion: Rundll32 (1); Virtualization/Sandbox Evasion (1); Process Injection (11); DLL Side-Loading (1); Obfuscated Files or Information (1)
  • Discovery: System Time Discovery (1); Security Software Discovery (2); Virtualization/Sandbox Evasion (1); System Information Discovery (12)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (2)
  • Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact: no techniques matched
Behavior Graph (rendered graph not included): ID 1541899, Sample: 8TuwlFKxC5.dll, Startdate: 25/10/2024, Architecture: WINDOWS, Score: 64. Signatures attached to the start node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; AI detected suspicious sample; Sigma detected: Potential WinAPI Calls Via CommandLine. Process nodes: loaddll32.exe started cmd.exe, conhost.exe, rundll32.exe and 3 other processes; cmd.exe started rundll32.exe.

Source | Detection | Scanner | Label
8TuwlFKxC5.dll | 68% | ReversingLabs | Win32.Trojan.Generic
8TuwlFKxC5.dll | 100% | Avira | TR/AVI.Agent.uwasx
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1541899
Start date and time:2024-10-25 09:47:07 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 34s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:8TuwlFKxC5.dll
renamed because original name is a hash value
Original Sample Name:da6d952b6509ce400e9ea2098ba796f9.dll
Detection:MAL
Classification:mal64.winDLL@14/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 7
  • Number of non-executed functions: 37
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • VT rate limit hit for: 8TuwlFKxC5.dll
Time | Type | Description
03:48:13 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
No context
No created / dropped files found
File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.8631787601033265
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:8TuwlFKxC5.dll
File size:241'664 bytes
MD5:da6d952b6509ce400e9ea2098ba796f9
SHA1:cce66c35c8e3028f296b7793cd4dbb0a9baafe19
SHA256:ad9513cf9a7f6a59bc7ed9a2bea44ec5e4bb655d18384336c0c124bfa2140286
SHA512:6ea810c92b126d68796eacd69f9abccfad40aa73dda3e94a2fea1079925c65f2aa29df8a6cb88c2627f3446f0ffe78619471960fd9f1ec05d1607e397dfd9e68
SSDEEP:3072:LMVZ7NHajTpjxoY7doVFNEYUHsSpg1Wpw4BU2r4aKZXew4L27U7GitjxKYF5PXxD:o7NHajjoiw7EbHsSZm2rzqXeGYXF5P
TLSH:40347CD27A6381F3D26E4B3500ADC53B5A38A63617A5CAEBD3D05C3D7E217C16630E1A
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'.37cw]dcw]dcw]d...dmw]d...d.w]d...dzw]d...dbw]d..^etw]d...djw]dcw\d.w]d..Xe.w]d..Yetw]dcw]dgw]d..Yebw]d..Xeaw]d..]ebw]d...dbw]
Icon Hash:7ae282899bbab082
Entrypoint:0x10018fa2
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x10000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x6715ED2B [Mon Oct 21 05:56:59 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:294349e3872fd2e2a711c642739f8d71
Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F7E10707A57h
call 00007F7E10708209h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F7E10707906h
add esp, 0Ch
pop ebp
retn 000Ch
int3
int3
push ebx
push esi
push edi
push 00000000h
push 00000FA0h
push 10039538h
call 00007F7E1070A326h
add esp, 0Ch
push 1002C2CCh
call dword ptr [1002B040h]
mov esi, eax
test esi, esi
je 00007F7E10707AE2h
push 1002C50Ch
push esi
call dword ptr [1002B01Ch]
push 1002C55Ch
push esi
mov ebx, eax
call dword ptr [1002B01Ch]
push 1002C540h
push esi
mov edi, eax
call dword ptr [1002B01Ch]
mov esi, eax
test ebx, ebx
je 00007F7E10707A89h
test edi, edi
je 00007F7E10707A85h
test esi, esi
je 00007F7E10707A81h
and dword ptr [10039554h], 00000000h
mov ecx, ebx
push 10039550h
call 00007F7E10707CAEh
call ebx
push edi
call 00007F7E10707CDDh
push esi
mov dword ptr [10039558h], eax
call 00007F7E10707CD2h
pop ecx
pop ecx
mov dword ptr [1003955Ch], eax
jmp 00007F7E10707A68h
xor eax, eax
push eax
push eax
push 00000001h
push eax
call dword ptr [1002B078h]
mov dword ptr [10039554h], eax
Programming Language:
  • [ C ] VS2015 build 23026
  • [C++] VS2015 build 23026
  • [EXP] VS2015 build 23026
  • [RES] VS2015 build 23026
  • [LNK] VS2015 build 23026
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x34290 | 0x85 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x34318 | 0x64 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c000 | 0x288 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3d000 | 0x33ec | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x330c0 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x33154 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x330f8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x160 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2972f | 0x29800 | 84621c9831745af74595ad40aa5deecd | False | 0.5457454819277109 | data | 6.774633127237972 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2b000 | 0x9afa | 0x9c00 | 628165d1fdabc39adcf9ed10dfca9449 | False | 0.5496544471153846 | data | 5.794625899194168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x35000 | 0x5020 | 0x3e00 | d5adb8b8e4881d883bccc5bb90cf1df3 | False | 0.48481602822580644 | data | 7.0631628978847365 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x3b000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3c000 | 0x288 | 0x400 | a808368e771c27a25a8bf59b0125efb5 | False | 0.3330078125 | data | 3.852800632054433 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x3d000 | 0x33ec | 0x3400 | d11266207a6f19993524d9a707ee573f | False | 0.5196063701923077 | data | 6.43692802092624 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x3c060 | 0x224 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (488), with CRLF line terminators | English | United States | 0.531021897810219
DLL | Import
USER32.dll | wsprintfW
CRYPT32.dll | CryptStringToBinaryA
KERNEL32.dll | IsDebuggerPresent, GetCurrentProcess, FreeLibrary, GetProcAddress, LoadLibraryW, VirtualProtect, CreateFileW, GetFileSize, ReadFile, CloseHandle, SetLastError, GetLastError, GetModuleHandleW, GetModuleHandleA, GetNativeSystemInfo, VirtualAlloc, LoadLibraryA, VirtualFree, GetThreadLocale, lstrlenW, QueryPerformanceCounter, WaitForSingleObjectEx, Sleep, GetCurrentThread, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, CreateEventW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetCurrentProcessId, InitializeSListHead, GetStartupInfoW, EncodePointer, GetThreadTimes, GetModuleFileNameW, LoadLibraryExW, InterlockedFlushSList, DeleteCriticalSection, RtlUnwind, RaiseException, VirtualQuery, MultiByteToWideChar, GetModuleHandleExW, HeapAlloc, HeapFree, ExitProcess, WideCharToMultiByte, GetACP, GetStdHandle, GetFileType, GetStringTypeW, LCMapStringW, GetProcessHeap, IsValidCodePage, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetCommandLineA, GetCommandLineW, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, SetStdHandle, SetFilePointerEx, HeapSize, HeapReAlloc, WriteConsoleW, DecodePointer
ADVAPI32.dll | SystemFunction036
Name | Ordinal | Address
FreeLibraryMemoryAndExitThread | 1 | 0x10004dd0
NtUnloadDllMemoryAndExitThread | 2 | 0x10004dd0
Language of compilation system | Country where language is spoken
English | United States
No network behavior found


Target ID:0
Start time:03:48:01
Start date:25/10/2024
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll"
Imagebase:0x450000
File size:126'464 bytes
MD5 hash:51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:03:48:01
Start date:25/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:03:48:01
Start date:25/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll",#1
Imagebase:0x790000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:03:48:01
Start date:25/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\8TuwlFKxC5.dll,FreeLibraryMemoryAndExitThread
Imagebase:0x4c0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:03:48:01
Start date:25/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll",#1
Imagebase:0x4c0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:6
Start time:03:48:04
Start date:25/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\8TuwlFKxC5.dll,NtUnloadDllMemoryAndExitThread
Imagebase:0x4c0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:7
Start time:03:48:13
Start date:25/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll",FreeLibraryMemoryAndExitThread
Imagebase:0x4c0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:03:48:13
Start date:25/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll",NtUnloadDllMemoryAndExitThread
Imagebase:0x4c0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true


    Execution Graph

    Execution Coverage:2%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:11.8%
    Total number of Nodes:280
    Total number of Limit Nodes:3
14185 6e0cfb73 _abort LeaveCriticalSection 14184->14185 14186 6e0d0ed0 14185->14186 14186->14182 14193 6e0d1651 14187->14193 14189 6e0d1735 14190 6e0d16c1 14189->14190 14203 6e0d1555 14190->14203 14192 6e0d16e5 14192->14125 14194 6e0d165d CallCatchBlock 14193->14194 14199 6e0cfb2b EnterCriticalSection 14194->14199 14196 6e0d1667 14200 6e0d168d 14196->14200 14198 6e0d1685 CallCatchBlock 14198->14189 14199->14196 14201 6e0cfb73 _abort LeaveCriticalSection 14200->14201 14202 6e0d1697 14201->14202 14202->14198 14204 6e0d1561 CallCatchBlock 14203->14204 14211 6e0cfb2b EnterCriticalSection 14204->14211 14206 6e0d156b 14212 6e0d187c 14206->14212 14208 6e0d1583 14216 6e0d1599 14208->14216 14210 6e0d1591 CallCatchBlock 14210->14192 14211->14206 14213 6e0d188b __fassign 14212->14213 14215 6e0d18b2 __fassign 14212->14215 14214 6e0d5929 __fassign 20 API calls 14213->14214 14213->14215 14214->14215 14215->14208 14217 6e0cfb73 _abort LeaveCriticalSection 14216->14217 14218 6e0d15a3 14217->14218 14218->14210 14220 6e0d1977 __dosmaperr 20 API calls 14219->14220 14221 6e0d13e8 14220->14221 14222 6e0d1447 14221->14222 14225 6e0d13f6 14221->14225 14230 6e0d145d IsProcessorFeaturePresent 14222->14230 14224 6e0d144c 14226 6e0d13d2 ___std_exception_copy 26 API calls 14224->14226 14227 6e0c8731 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 14225->14227 14228 6e0d1459 14226->14228 14229 6e0d141d 14227->14229 14228->14107 14229->14107 14231 6e0d1468 14230->14231 14234 6e0d1283 14231->14234 14235 6e0d129f _abort ___scrt_fastfail 14234->14235 14236 6e0d12cb IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 14235->14236 14239 6e0d139c _abort 14236->14239 14237 6e0c8731 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 14238 6e0d13ba GetCurrentProcess TerminateProcess 14237->14238 14238->14224 14239->14237 14255 6e0c8c1f 14240->14255 14242 6e0c7d5e CreateFileW 14243 6e0c7e57 GetFileSize 14242->14243 14254 6e0c7f01 __DllMainCRTStartup@12 14242->14254 14244 
6e0c7e69 14243->14244 14243->14254 14256 6e0c8bb7 14244->14256 14245 6e0c7f2c 14272 6e0c8bda 14245->14272 14247 6e0c7f25 CloseHandle 14247->14245 14254->14245 14254->14247 14255->14242 14257 6e0c972c ___std_exception_copy 14256->14257 14258 6e0c7e72 ReadFile 14257->14258 14259 6e0d0e3c new 7 API calls 14257->14259 14275 6e0c9c1e 14257->14275 14280 6e0c9c01 14257->14280 14262 6e0c7b84 CryptStringToBinaryA 14258->14262 14259->14257 14263 6e0c7bbc 14262->14263 14264 6e0c7bc0 ___std_exception_copy 14262->14264 14265 6e0c8731 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 14263->14265 14264->14263 14267 6e0c7bcf CryptStringToBinaryA 14264->14267 14266 6e0c7c09 14265->14266 14266->14254 14268 6e0c7c8a 14266->14268 14267->14263 14269 6e0c7cb4 __DllMainCRTStartup@12 14268->14269 14270 6e0c8731 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 14269->14270 14271 6e0c7ce9 14270->14271 14271->14254 14273 6e0c8731 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 14272->14273 14274 6e0c7cf2 14273->14274 14274->13992 14276 6e0c9c2c new 14275->14276 14284 6e0cb1f6 14276->14284 14278 6e0c9c3a DeleteCriticalSection 14278->14257 14281 6e0c9c0f Concurrency::cancel_current_task 14280->14281 14282 6e0cb1f6 __CxxThrowException@8 RaiseException 14281->14282 14283 6e0c9c1d 14282->14283 14286 6e0cb216 14284->14286 14285 6e0cb248 RaiseException 14285->14278 14286->14285 14287->14063 14289 6e0cb27e 14288->14289 14290 6e0cb295 14288->14290 14289->14290 14291 6e0cb28b GetLastError 14289->14291 14290->14013 14291->14290 14295 6e0cb778 14292->14295 14294 6e0c72ba 14294->14012 14298 6e0cb59a 14295->14298 14297 6e0cb792 14297->14294 14301 6e0cb5ca 14298->14301 14303 6e0cb5ce __crt_fast_encode_pointer 14298->14303 14299 6e0cb5ee 14302 6e0cb5fa GetProcAddress 14299->14302 14299->14303 14301->14299 14301->14303 14304 6e0cb63a 14301->14304 14302->14303 14303->14297 14305 6e0cb662 LoadLibraryExW 14304->14305 14310 6e0cb657 14304->14310 14306 6e0cb67e GetLastError 14305->14306 14307 
6e0cb696 14305->14307 14306->14307 14308 6e0cb689 LoadLibraryExW 14306->14308 14309 6e0cb6ad FreeLibrary 14307->14309 14307->14310 14308->14307 14309->14310 14310->14301

    Control-flow Graph

    APIs
      • Part of subcall function 6E0C7422: LoadLibraryW.KERNEL32(?,00000001,00000000,?), ref: 6E0C74FC
      • Part of subcall function 6E0C7422: LoadLibraryW.KERNEL32(?), ref: 6E0C750A
      • Part of subcall function 6E0C7422: GetProcAddress.KERNEL32(00000000,?), ref: 6E0C752F
      • Part of subcall function 6E0C7422: GetProcAddress.KERNEL32(00000000,?), ref: 6E0C753C
      • Part of subcall function 6E0C7422: GetProcAddress.KERNEL32(00000000,00000047), ref: 6E0C7546
    • LoadLibraryW.KERNEL32(?,00000001,00000000,?), ref: 6E0C794F
    • LoadLibraryW.KERNEL32(?), ref: 6E0C7957
    • GetProcAddress.KERNEL32(00000000,?), ref: 6E0C7A3A
    • GetProcAddress.KERNEL32(00000000,?), ref: 6E0C7A49
    • GetProcAddress.KERNEL32(00000000,?), ref: 6E0C7A58
    • GetProcAddress.KERNEL32(00000000,?), ref: 6E0C7A67
    • GetProcAddress.KERNEL32(00000000,00006150), ref: 6E0C7A73
    • GetProcAddress.KERNEL32(00000000,?), ref: 6E0C7A82
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: Call$ExW$F$M$Pa$W$cW$hApp$l$ndW$rary$s$v
    • API String ID: 2238633743-375626469
    • Opcode ID: b11894b946d4b8df0d918e5c068b50fc11e195bf83a08cd542d2faa70f41a7fb
    • Instruction ID: 33c4898e0ced88da877b9d860a144077e1ce67010db8885d8d452ad9b5aa95b3
    • Opcode Fuzzy Hash: b11894b946d4b8df0d918e5c068b50fc11e195bf83a08cd542d2faa70f41a7fb
    • Instruction Fuzzy Hash: 9D914F21D1439CD9EB10CBF4D941BEEB7B4FF69700F14555AD508EB2A1E7710A84CB2A

    Control-flow Graph

    APIs
    • LoadLibraryW.KERNEL32(?,00000001,00000000,?), ref: 6E0C74FC
    • LoadLibraryW.KERNEL32(?), ref: 6E0C750A
    • GetProcAddress.KERNEL32(00000000,?), ref: 6E0C752F
    • GetProcAddress.KERNEL32(00000000,?), ref: 6E0C753C
    • GetProcAddress.KERNEL32(00000000,00000047), ref: 6E0C7546
    • FreeLibrary.KERNEL32(00000000), ref: 6E0C7673
      • Part of subcall function 6E0C73DE: __Thrd_sleep.LIBCPMT ref: 6E0C740A
    • FreeLibrary.KERNEL32(?), ref: 6E0C765F
    • FreeLibrary.KERNEL32(00000000), ref: 6E0C7662
    • FreeLibrary.KERNEL32(00000000), ref: 6E0C7678
    • FreeLibrary.KERNEL32(00000000), ref: 6E0C767F
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: Library$Free$AddressProc$Load$Thrd_sleep
    • String ID: Coun$F$G$kCou$ncy$nt64$qu$t$tTic
    • API String ID: 1212583105-1930867906
    • Opcode ID: f85ba3001b2bd65f7da76d70dd6fb89fd86b00f3d7f0fefd5e23a8e658c37761
    • Instruction ID: 239dde13c1ae74b6d8b06c7b980e311a2aae466a1e65d45eee3265dba49d6045
    • Opcode Fuzzy Hash: f85ba3001b2bd65f7da76d70dd6fb89fd86b00f3d7f0fefd5e23a8e658c37761
    • Instruction Fuzzy Hash: 21715C32D0475D9ADF21CBF8C850BEEBBB8BF19740F14429AD908B7281DB705A85CB65

    Control-flow Graph

    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000078,0000002E,00000065), ref: 6E0C77B4
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 6E0C77CA
    • PathAppendW.SHLWAPI(?,6E0C7B33), ref: 6E0C77EF
    • PathFileExistsW.KERNELBASE(?), ref: 6E0C7800
    • PathAppendW.SHLWAPI(?,6E0C7B33), ref: 6E0C782E
    • MoveFileExW.KERNELBASE(?,?,00000001), ref: 6E0C7848
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: FilePath$Append$ExistsModuleMoveNameRemoveSpec
    • String ID:
    • API String ID: 4096670196-0
    • Opcode ID: 18ab0ebed11ef29c13fe3585c2b6c5ee8ec23853d4daa33f1eb0f442242213c6
    • Instruction ID: 0d46eefbc1467e6bec7933c05d279257bf8df29065f15380ed236e19b691a8e6
    • Opcode Fuzzy Hash: 18ab0ebed11ef29c13fe3585c2b6c5ee8ec23853d4daa33f1eb0f442242213c6
    • Instruction Fuzzy Hash: 4B517D31A54349A9EF50CBE0DC55FEE73B8EF44B00F14046AE608E71D0E7718A84CBAA

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: dllmain_crt_dispatchdllmain_raw
    • String ID:
    • API String ID: 1382799047-0
    • Opcode ID: 4e33bcde253d02d99fa69706b5b726d293647bcbb509677aeb3d0e14e132f894
    • Instruction ID: a4a6cf737aedc35e23864c4d2a9bcd246bf7ea08079c775a11a941f587af1db5
    • Opcode Fuzzy Hash: 4e33bcde253d02d99fa69706b5b726d293647bcbb509677aeb3d0e14e132f894
    • Instruction Fuzzy Hash: 9E216572D01726ABCB519EE5CC40B9F2ABEAF49F94F050A04F92537155C734E4128BB6

    Control-flow Graph

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 6E0C7D59
    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,0000007C,6E0C7CF2,6E0C7B4D), ref: 6E0C7E39
    • GetFileSize.KERNEL32(00000000,00000000), ref: 6E0C7E59
    • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 6E0C7E88
      • Part of subcall function 6E0C7B84: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 6E0C7BB2
    • CloseHandle.KERNEL32(00000000), ref: 6E0C7F26
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: File$BinaryCloseCreateCryptH_prolog3_HandleReadSizeString
    • String ID:
    • API String ID: 2259240775-0
    • Opcode ID: 4dca4a58d187d528a72b4497f9634358d15a1bf25fe1cd41220c50eae475da19
    • Instruction ID: b536c8ef70e41cdc47c990eab797b34b6aed343b4d3f0073b04a15ed91398536
    • Opcode Fuzzy Hash: 4dca4a58d187d528a72b4497f9634358d15a1bf25fe1cd41220c50eae475da19
    • Instruction Fuzzy Hash: C8516D71E14348A9EB10CBE0DC95BEEB778FF58B50F20141AE618BF291E7714945CB1A

    Control-flow Graph

    control_flow_graph 129 6e0c73de-6e0c7421 call 6e0c7352 call 6e0c80ac call 6e0c8731
    APIs
    • __Thrd_sleep.LIBCPMT ref: 6E0C740A
      • Part of subcall function 6E0C80AC: _xtime_get.LIBCPMT ref: 6E0C80C6
      • Part of subcall function 6E0C80AC: __Xtime_diff_to_millis2.LIBCPMT ref: 6E0C80D2
      • Part of subcall function 6E0C80AC: Sleep.KERNELBASE(00000000,00000000,?,?,6E0C7595,00000000,?,?,?,?,?,?,?,?,6E0C7595,?), ref: 6E0C80DA
      • Part of subcall function 6E0C80AC: _xtime_get.LIBCPMT ref: 6E0C80E6
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: _xtime_get$SleepThrd_sleepXtime_diff_to_millis2
    • String ID:
    • API String ID: 2593056502-0
    • Opcode ID: 4fe4e47c75a0d496fc6161e6e501925529c79d19b9e917d15181f9bf7c1aaf77
    • Instruction ID: 650b2ec61dc0c164a1a322b9fbced7cb9c23d3c1025d34104c634a062aaae1ad
    • Opcode Fuzzy Hash: 4fe4e47c75a0d496fc6161e6e501925529c79d19b9e917d15181f9bf7c1aaf77
    • Instruction Fuzzy Hash: 0BE0ED72A0010CAB8B00DEE8C9409DFB3BC9F8A600B100566E908AB100EA32AB0587F6

    Control-flow Graph

    APIs
      • Part of subcall function 6E0BED70: GetModuleHandleA.KERNEL32(63E27454), ref: 6E0BEE5C
      • Part of subcall function 6E0BED70: GetProcAddress.KERNEL32(00000000,?), ref: 6E0BEE67
    • RtlExitUserThread.NTDLL(?,239215D8,?,?,6E0B4DE4,?,?), ref: 6E0C1620
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: AddressExitHandleModuleProcThreadUser
    • String ID:
    • API String ID: 3902016533-0
    • Opcode ID: 339ba303f30e119319516b9611d48b8d6952ee3ba5963e7e0ff39becb53ac70f
    • Instruction ID: 936997d5a0148324f7b109bd8be60c15da875f28a2dc00287d2b9021f4686bbc
    • Opcode Fuzzy Hash: 339ba303f30e119319516b9611d48b8d6952ee3ba5963e7e0ff39becb53ac70f
    • Instruction Fuzzy Hash: 17D0A737411C006FC9059B50DC509EE332EAEC7A2830C892CD41113342C7717C07CB55

    Control-flow Graph

    APIs
    • std::_Xinvalid_argument.LIBCPMT ref: 6E0C813D
    • GetModuleHandleW.KERNEL32(kernel32.dll,?,invalid random_device value), ref: 6E0C8149
    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6E0C8157
    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6E0C816E
    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6E0C8185
    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6E0C819C
    • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 6E0C81B3
    • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 6E0C81CA
    • GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 6E0C81E1
    • GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 6E0C81F8
    • GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 6E0C820F
    • GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 6E0C8226
    • GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 6E0C823D
    • GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 6E0C8254
    • GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 6E0C826B
    • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 6E0C8282
    • GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 6E0C8299
    • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 6E0C82B0
    • GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 6E0C82C7
    • GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 6E0C82DE
    • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 6E0C82F5
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleModuleXinvalid_argumentstd::_
    • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$invalid random_device value$kernel32.dll
    • API String ID: 2259925219-2420364413
    • Opcode ID: b7c60226f008dcdec1b93a89cf632d28482de3986c242fcf00eacf79a74e8641
    • Instruction ID: 9ead944497700957758594015c244becc56b4278d565d50a316fd12b2b85046f
    • Opcode Fuzzy Hash: b7c60226f008dcdec1b93a89cf632d28482de3986c242fcf00eacf79a74e8641
    • Instruction Fuzzy Hash: B9912E71821B44EBCF24DFF8CA88A477BE8EB5F701781446AE619DE208DB749404DF60
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: __floor_pentium4
    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
    • API String ID: 4168288129-2761157908
    • Opcode ID: 0da99d7a049e6a97f09435ced001b1c2d772291f6e959a024ec9fb69ac2a7051
    • Instruction ID: 91c0053f369e8075e3496001a834afe4dd80c5a8b854b9206dfeafb1e8c9bf3c
    • Opcode Fuzzy Hash: 0da99d7a049e6a97f09435ced001b1c2d772291f6e959a024ec9fb69ac2a7051
    • Instruction Fuzzy Hash: 8EC27A71E186298FDB65CEA8DC407DAB3F9EB44354F1445EAD80DE7280E774AE898F40
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: kyn$kyn
    • API String ID: 0-1156257421
    • Opcode ID: a7e908e60855b0d3f0200f10504a8927068f362ae4f47767e58ebdef8eafd6f7
    • Instruction ID: f4dc5c50f7062f2c8d6be219fdb04c4e8cd2533ea0aa7acc440c0afcdef18d92
    • Opcode Fuzzy Hash: a7e908e60855b0d3f0200f10504a8927068f362ae4f47767e58ebdef8eafd6f7
    • Instruction Fuzzy Hash: 42023A71E102199FDB14CFA9D89079DBBF1FF88324F25826AD919E7384D731AA45CB80
    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6E0D137B
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6E0D1385
    • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 6E0D1392
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    • Opcode ID: 781f8f4520bde96fc9230ec3e2d2772cbaeaa555b5ca5f4934fe8d26a06dc188
    • Instruction ID: 7df2100a9b499ad6b03b31d1a6edf689621cac59cdc19c4a29f1cc3f73e91d55
    • Opcode Fuzzy Hash: 781f8f4520bde96fc9230ec3e2d2772cbaeaa555b5ca5f4934fe8d26a06dc188
    • Instruction Fuzzy Hash: 4331B17490132D9BCB61DF68D9887CDBBB8EF08750F5046EAE81CA7250EB709B858F45
    APIs
    • GetCurrentProcess.KERNEL32(?,?,6E0D0587,?,6E0E3DC8,0000000C,6E0D06BA,00000000,00000000,00000001,6E0C8E32,6E0E3BB0,0000000C,6E0C8CDB,?), ref: 6E0D05D2
    • TerminateProcess.KERNEL32(00000000,?,6E0D0587,?,6E0E3DC8,0000000C,6E0D06BA,00000000,00000000,00000001,6E0C8E32,6E0E3BB0,0000000C,6E0C8CDB,?), ref: 6E0D05D9
    • ExitProcess.KERNEL32 ref: 6E0D05EB
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: 1b68e8c2c224d6e28a6d42c0da229ca254a98d66d1f2da56f8e89e0c8f1154b8
    • Instruction ID: f97dc46d071d0efc5af49dfaa7b22506011b15f1126f233e1c3273eb262d0b70
    • Opcode Fuzzy Hash: 1b68e8c2c224d6e28a6d42c0da229ca254a98d66d1f2da56f8e89e0c8f1154b8
    • Instruction Fuzzy Hash: 27E09231004708ABCF216F95C908B893F6AEB45795B004418FD199B129EB35DD4ADF90
    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000A,?), ref: 6E0C9A34
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: FeaturePresentProcessor
    • String ID:
    • API String ID: 2325560087-3916222277
    • Opcode ID: 00bbe9ed00853e4265bca539e4cdc2b6148e7e209487d933b50766d0f58f8a32
    • Instruction ID: 7ecd911da1ecfb7b121d02a589db345225b8bae6c6082daeca8a5b9e9fa583fa
    • Opcode Fuzzy Hash: 00bbe9ed00853e4265bca539e4cdc2b6148e7e209487d933b50766d0f58f8a32
    • Instruction Fuzzy Hash: 4F51AEB19046099FEF54CFA9C69179EBBF4FB08B58F50816AD415E7290D3749900CFA2
    APIs
    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 6E0C7BB2
    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 6E0C7BDC
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: BinaryCryptString
    • String ID:
    • API String ID: 80407269-0
    • Opcode ID: 6825193c209c3f3cf2ef04c751665f573b030284c6cbf1a4cd6b817422e7a69a
    • Instruction ID: abf9c1082e137d0ef84684b5335a9b5282686f6b1919feecf2a907c49e83c46e
    • Opcode Fuzzy Hash: 6825193c209c3f3cf2ef04c751665f573b030284c6cbf1a4cd6b817422e7a69a
    • Instruction Fuzzy Hash: C1115E75A10209BFEB048FA5CC41FEEB7BCEF85B10F14416DF90597280EB70AA418B61
    APIs
    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6E0CFE8A,?,?,00000008,?,?,6E0D870C,00000000), ref: 6E0D00BC
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: ExceptionRaise
    • String ID:
    • API String ID: 3997070919-0
    • Opcode ID: d5f94386f033acd77f75db8c2051e6417eacd17c985a65fdcc6bb752d358d101
    • Instruction ID: c74bf9e24ee82236def06cdfe63d1ab923360976445057b3729827bd9f37e8cf
    • Opcode Fuzzy Hash: d5f94386f033acd77f75db8c2051e6417eacd17c985a65fdcc6bb752d358d101
    • Instruction Fuzzy Hash: 34B1AC31210709DFD744CFA8C496B587BE1FF4A3A4F258658E8A9CF2A1D335E986CB41
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: HeapProcess
    • String ID:
    • API String ID: 54951025-0
    • Opcode ID: 2b4597fe270a401b0c292767e4e0a1926e50dbd895ec6933982a73409e0681ec
    • Instruction ID: 2b153a7c5f4eac09ceac887990470422bce7554f9e4d187014b7d18bae49871c
    • Opcode Fuzzy Hash: 2b4597fe270a401b0c292767e4e0a1926e50dbd895ec6933982a73409e0681ec
    • Instruction Fuzzy Hash: 73A00174605A018B9B889E3686492897BA9AA97A91B9580A9A805D5294EA2484909F01
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f8a05dae78a5152ec8d78dd15b1625567afc8fd2e822a10da507b29b69898596
    • Instruction ID: 94028d2700d3c2734886284bfef75092c3d657cc818e5c1a2d75a68f54241f14
    • Opcode Fuzzy Hash: f8a05dae78a5152ec8d78dd15b1625567afc8fd2e822a10da507b29b69898596
    • Instruction Fuzzy Hash: 95619F316D06066ADA6049E448627FE33D8FF0AF8CF500819E956EB2D0D735E9838B97
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: ExitThreadUser
    • String ID:
    • API String ID: 3424019298-0
    • Opcode ID: db2c3dc1b94d624184f4172ee39d6c45529e8b6447585cfb2bc89e0087804046
    • Instruction ID: 33bfefc8082089631afb9ba86fe94f8b087c0159ae20c4d5aab2216b7e89f1f3
    • Opcode Fuzzy Hash: db2c3dc1b94d624184f4172ee39d6c45529e8b6447585cfb2bc89e0087804046
    • Instruction Fuzzy Hash: 2EB01231005120BFC5051FD0CC04ACF77ADAE4D254F14CC04B354230208775AC024797

    Control-flow Graph

    APIs
    • IsInExceptionSpec.LIBVCRUNTIME ref: 6E0CBEDD
    • _GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 6E0CBF58
    • ___TypeMatch.LIBVCRUNTIME ref: 6E0CBFD6
    • IsInExceptionSpec.LIBVCRUNTIME ref: 6E0CC089
    • FindHandlerForForeignException.LIBVCRUNTIME ref: 6E0CC0D8
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6E0CC112
    • _UnwindNestedFrames.LIBCMT ref: 6E0CC11A
    • ___FrameUnwindToState.LIBVCRUNTIME ref: 6E0CC126
    • CallUnexpected.LIBVCRUNTIME ref: 6E0CC131
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: Exception$SpecUnwind$CallCheckException@8FindForeignFrameFramesHandlerMatchNestedRangeStateThrowTrysTypeUnexpected
    • String ID: csm$csm$csm
    • API String ID: 3606550248-393685449
    • Opcode ID: 8db7f056149c4404a4da803b7a9230e898917e22ec6e6e0a2ff319b62570e63b
    • Instruction ID: 1ce8b02fc86a759c458c5211163ddd90627555d8d044b9d90cc45a969600d420
    • Opcode Fuzzy Hash: 8db7f056149c4404a4da803b7a9230e898917e22ec6e6e0a2ff319b62570e63b
    • Instruction Fuzzy Hash: 6BB16A718002099FCF20CFD5C880B9EB7B9BF08B58F104959E9556B654C775E986CFA3

    Control-flow Graph

    APIs
    • ___free_lconv_mon.LIBCMT ref: 6E0D596D
      • Part of subcall function 6E0D5C3D: _free.LIBCMT ref: 6E0D5C5A
      • Part of subcall function 6E0D5C3D: _free.LIBCMT ref: 6E0D5C6C
      • Part of subcall function 6E0D5C3D: _free.LIBCMT ref: 6E0D5C7E
      • Part of subcall function 6E0D5C3D: _free.LIBCMT ref: 6E0D5C90
      • Part of subcall function 6E0D5C3D: _free.LIBCMT ref: 6E0D5CA2
      • Part of subcall function 6E0D5C3D: _free.LIBCMT ref: 6E0D5CB4
      • Part of subcall function 6E0D5C3D: _free.LIBCMT ref: 6E0D5CC6
      • Part of subcall function 6E0D5C3D: _free.LIBCMT ref: 6E0D5CD8
      • Part of subcall function 6E0D5C3D: _free.LIBCMT ref: 6E0D5CEA
      • Part of subcall function 6E0D5C3D: _free.LIBCMT ref: 6E0D5CFC
      • Part of subcall function 6E0D5C3D: _free.LIBCMT ref: 6E0D5D0E
      • Part of subcall function 6E0D5C3D: _free.LIBCMT ref: 6E0D5D20
      • Part of subcall function 6E0D5C3D: _free.LIBCMT ref: 6E0D5D32
    • _free.LIBCMT ref: 6E0D5962
      • Part of subcall function 6E0CFA74: HeapFree.KERNEL32(00000000,00000000,?,6E0D0AD1,00000001,00000001), ref: 6E0CFA8A
      • Part of subcall function 6E0CFA74: GetLastError.KERNEL32(7692A396,?,6E0D0AD1,00000001,00000001), ref: 6E0CFA9C
    • _free.LIBCMT ref: 6E0D5984
    • _free.LIBCMT ref: 6E0D5999
    • _free.LIBCMT ref: 6E0D59A4
    • _free.LIBCMT ref: 6E0D59C6
    • _free.LIBCMT ref: 6E0D59D9
    • _free.LIBCMT ref: 6E0D59E7
    • _free.LIBCMT ref: 6E0D59F2
    • _free.LIBCMT ref: 6E0D5A2A
    • _free.LIBCMT ref: 6E0D5A31
    • _free.LIBCMT ref: 6E0D5A4E
    • _free.LIBCMT ref: 6E0D5A66
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID:
    • API String ID: 161543041-0
    • Opcode ID: bd14e6a1da0aa6c221ce10952b458f9ce1c6024ea2291ac2c9e9bc387445c7db
    • Instruction ID: 6366c5ff124c82068234e48fdd4e6852384d910fa688477b96feae845f0950e4
    • Opcode Fuzzy Hash: bd14e6a1da0aa6c221ce10952b458f9ce1c6024ea2291ac2c9e9bc387445c7db
    • Instruction Fuzzy Hash: 4A318175504702DFEB509AF9D840F9AF3EDEF007A4F24591AE859D7150DF30A944CB22

    Control-flow Graph

    APIs
    • _free.LIBCMT ref: 6E0D17E7
      • Part of subcall function 6E0CFA74: HeapFree.KERNEL32(00000000,00000000,?,6E0D0AD1,00000001,00000001), ref: 6E0CFA8A
      • Part of subcall function 6E0CFA74: GetLastError.KERNEL32(7692A396,?,6E0D0AD1,00000001,00000001), ref: 6E0CFA9C
    • _free.LIBCMT ref: 6E0D17F3
    • _free.LIBCMT ref: 6E0D17FE
    • _free.LIBCMT ref: 6E0D1809
    • _free.LIBCMT ref: 6E0D1814
    • _free.LIBCMT ref: 6E0D181F
    • _free.LIBCMT ref: 6E0D182A
    • _free.LIBCMT ref: 6E0D1835
    • _free.LIBCMT ref: 6E0D1840
    • _free.LIBCMT ref: 6E0D184E
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 7bec22e636af1981bb4cd3a32fcb309242d2c315e6605cfe627a96795f15c704
    • Instruction ID: e811518735b32aefcd66e97722e04783dd3493cf926b40b2f29eea6e996f2a41
    • Opcode Fuzzy Hash: 7bec22e636af1981bb4cd3a32fcb309242d2c315e6605cfe627a96795f15c704
    • Instruction Fuzzy Hash: D311A4B6100548EFCF01EF94C840EDD7BADEF05694B2956A2B9088F231DB31EB54DB82

    Control-flow Graph

    APIs
    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,6E0D4C45,?,00000000,?,00000000,00000000), ref: 6E0D4512
    • __fassign.LIBCMT ref: 6E0D458D
    • __fassign.LIBCMT ref: 6E0D45A8
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 6E0D45CE
    • WriteFile.KERNEL32(?,?,00000000,ELn,00000000,?,?,?,?,?,?,?,?,?,6E0D4C45,?), ref: 6E0D45ED
    • WriteFile.KERNEL32(?,?,00000001,ELn,00000000,?,?,?,?,?,?,?,?,?,6E0D4C45,?), ref: 6E0D4626
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
    • String ID: ELn
    • API String ID: 1324828854-3953799589
    • Opcode ID: 06d75a298bdd4013cc99ed4cda2ef55eec6972191b6385262cb58648325e0815
    • Instruction ID: 876010ecc3ba4a6ff6b4e0f9dd734dc62757affc01ceeee694b36bdb4c409576
    • Opcode Fuzzy Hash: 06d75a298bdd4013cc99ed4cda2ef55eec6972191b6385262cb58648325e0815
    • Instruction Fuzzy Hash: 5051A47190034AAFDB10CFE8D845BEEBBF8EF09300F15415AE955E7251E7709945CB61
    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,6E0D6252,?,?,00000003), ref: 6E0D605B
    • __alloca_probe_16.LIBCMT ref: 6E0D6093
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,?,?,6E0D6252,?,?,00000003,?), ref: 6E0D60E1
    • __alloca_probe_16.LIBCMT ref: 6E0D6178
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000003,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 6E0D61DB
    • __freea.LIBCMT ref: 6E0D61E8
      • Part of subcall function 6E0D1204: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,6E0D8205,00000001,00000000,?,6E0D4294,00000001,00000004,00000000,00000001,?,?,6E0D0BA3), ref: 6E0D1236
    • __freea.LIBCMT ref: 6E0D61F1
    • __freea.LIBCMT ref: 6E0D6216
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
    • String ID:
    • API String ID: 2597970681-0
    • Opcode ID: 2f6364a9f0a51bc8190640764afca646abd7441e90e571e2d146efe5d556154c
    • Instruction ID: 44eb21c0942a23e69cfb4c007fedc2df13d4895e0b3b342390d18b2f4d7b9c80
    • Opcode Fuzzy Hash: 2f6364a9f0a51bc8190640764afca646abd7441e90e571e2d146efe5d556154c
    • Instruction Fuzzy Hash: A251DE7262031AAFEB158EE4DC81FAF3BA9EB44790B154628FC14D7141EB35DC58C760
    APIs
      • Part of subcall function 6E0D5DA4: _free.LIBCMT ref: 6E0D5DCD
    • _free.LIBCMT ref: 6E0D5E2E
      • Part of subcall function 6E0CFA74: HeapFree.KERNEL32(00000000,00000000,?,6E0D0AD1,00000001,00000001), ref: 6E0CFA8A
      • Part of subcall function 6E0CFA74: GetLastError.KERNEL32(7692A396,?,6E0D0AD1,00000001,00000001), ref: 6E0CFA9C
    • _free.LIBCMT ref: 6E0D5E39
    • _free.LIBCMT ref: 6E0D5E44
    • _free.LIBCMT ref: 6E0D5E98
    • _free.LIBCMT ref: 6E0D5EA3
    • _free.LIBCMT ref: 6E0D5EAE
    • _free.LIBCMT ref: 6E0D5EB9
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 2e0abbf9e2f0679a27bed9c289bf954e3f22a9d2ebe3e0042cd6ddc301c31e5a
    • Instruction ID: 8cbe6d34e7e6f3585eddcb1cb2e831a6fbfe13936063bf8482160291ad028d8d
    • Opcode Fuzzy Hash: 2e0abbf9e2f0679a27bed9c289bf954e3f22a9d2ebe3e0042cd6ddc301c31e5a
    • Instruction Fuzzy Hash: FE114C71540B04EAD670ABF0CC09FDBB7DCAF00B08F440D15AAE9AB050DB75B5098762
    APIs
    • GetLastError.KERNEL32(00000001,00000000,6E0CB97B,6E0C938D,6E0C8CB8,?,6E0C8EB5,?,00000001,?,?,00000001,?,6E0E3BD0,0000000C,6E0C8FBE), ref: 6E0CC822
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6E0CC830
    • SetLastError.KERNEL32(00000000,6E0C8EB5,?,00000001,?,?,00000001,?,6E0E3BD0,0000000C,6E0C8FBE,?,00000001,?), ref: 6E0CC83D
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$Value___vcrt_
    • String ID:
    • API String ID: 483936075-0
    • Opcode ID: 4dcca90f700cc586bdfa0758eb74e7b7783504aabdc6a1f52b15c7d5fe91324c
    • Instruction ID: 7c698d5f6b9c9ca3270cbd8ab73d3287c5b362bce1dce4edb3cac2378c171a6b
    • Opcode Fuzzy Hash: 4dcca90f700cc586bdfa0758eb74e7b7783504aabdc6a1f52b15c7d5fe91324c
    • Instruction Fuzzy Hash: 3AF02D36505F119B862216F5984C75F2AE4DB47FB57160135F810AB2C4EF304805D792
    APIs
    • _ValidateScopeTableHandlers.LIBCMT ref: 6E0CCC80
    • __FindPESection.LIBCMT ref: 6E0CCC9A
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: FindHandlersScopeSectionTableValidate
    • String ID:
    • API String ID: 876702719-0
    • Opcode ID: faf42885b9ae5df9973bc4dcca2c357e7d85f152b04db7c1b62944fdb1782a7c
    • Instruction ID: 9236945f94a0ab25e57eb70d523b8f9ecd3bf38f0e5c7539095ca6f55469b539
    • Opcode Fuzzy Hash: faf42885b9ae5df9973bc4dcca2c357e7d85f152b04db7c1b62944fdb1782a7c
    • Instruction Fuzzy Hash: D5A17872A006168FDB00CFA8C9D079DBBF4AB49B54F2946A9D815AF245D731ED00CB92
    APIs
    • GetLastError.KERNEL32(00000008,?,6E0D3179,?,?,?,?,?,?,?,?,?,?,6E0C812C,?), ref: 6E0D18F7
    • _free.LIBCMT ref: 6E0D192A
    • _free.LIBCMT ref: 6E0D1952
    • SetLastError.KERNEL32(00000000,6E0CF850,00000016,6E0D3595), ref: 6E0D195F
    • SetLastError.KERNEL32(00000000,6E0CF850,00000016,6E0D3595), ref: 6E0D196B
    • _abort.LIBCMT ref: 6E0D1971
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$_free$_abort
    • String ID:
    • API String ID: 3160817290-0
    • Opcode ID: f56b65160949e61b69d31b2b9c502cd27bc5b6543b492b16b3a7f2453f47a9c9
    • Instruction ID: 2930848ed17d932e8de577436857e644c5110da3dd7e839169dfc722b8337668
    • Opcode Fuzzy Hash: f56b65160949e61b69d31b2b9c502cd27bc5b6543b492b16b3a7f2453f47a9c9
    • Instruction Fuzzy Hash: 6BF0C236144B017AD64263E45C0CF8E66FD9FC3BF9B250524F928A3294FF34884E4322
    APIs
    • GetModuleHandleA.KERNEL32(63E27454), ref: 6E0BF8F7
    • GetProcAddress.KERNEL32(00000000,-0B2180EC), ref: 6E0BF8FF
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: _$4$_$4$_$4
    • API String ID: 1646373207-3055943180
    • Opcode ID: 04b196a6534875e32f1c52265e575a18d07fe2fe11ee87ca2f8b3090877f9034
    • Instruction ID: 69faaf8ab0c2e6be624c7ee47cbdfaf31fa33c80a1b0ab664698ad951dcef69e
    • Opcode Fuzzy Hash: 04b196a6534875e32f1c52265e575a18d07fe2fe11ee87ca2f8b3090877f9034
    • Instruction Fuzzy Hash: 33414A3964CA418FCF24C9BD8D84218BEF9F78A310BF484AAE580DB306E636DC458B51
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: Q>,$Q>,$Q>,
    • API String ID: 0-1249747301
    • Opcode ID: 850cb6204b35bfc19ac96f8bd69d5bf3eecb55938b2e8fc79b1083382bed46bc
    • Instruction ID: ab0a3a961397951111cb515d6e13452d9ae6c9fb1d8c73d24a9128f93828e4eb
    • Opcode Fuzzy Hash: 850cb6204b35bfc19ac96f8bd69d5bf3eecb55938b2e8fc79b1083382bed46bc
    • Instruction Fuzzy Hash: C7415A7170D9418FCF1489FD898021E7BF1EB4EB10BA48969E958C7346D279DC4A8B93
    APIs
    • _ValidateLocalCookies.LIBCMT ref: 6E0CB46B
    • __IsNonwritableInCurrentImage.LIBCMT ref: 6E0CB4E5
      • Part of subcall function 6E0DA0A0: __FindPESection.LIBCMT ref: 6E0DA0F9
    • _ValidateLocalCookies.LIBCMT ref: 6E0CB559
    • _ValidateLocalCookies.LIBCMT ref: 6E0CB584
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: CookiesLocalValidate$CurrentFindImageNonwritableSection
    • String ID: csm
    • API String ID: 1685366865-1018135373
    • Opcode ID: 8f85bce11e9bca9fd95d6bb6ecac4e24fc17ca144360faf26dd2f2f13decde48
    • Instruction ID: 6c7090c00a5658b33816fba8189f5815f14ade7411c2cc809f80c1977785759f
    • Opcode Fuzzy Hash: 8f85bce11e9bca9fd95d6bb6ecac4e24fc17ca144360faf26dd2f2f13decde48
    • Instruction Fuzzy Hash: 09419030D00209ABCF00DFE8D890B9EBBF9AF45768F148955E9186B359C731DA06CF92
    APIs
    • __EH_prolog3_catch.LIBCMT ref: 6E0D9B8C
    • new.LIBCMT ref: 6E0D9BF8
    • __ExceptionPtr::__ExceptionPtr.LIBCMT ref: 6E0D9C10
    • __ExceptionPtr::__ExceptionPtr.LIBCMT ref: 6E0D9C43
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: Exception$Ptr::__$H_prolog3_catch
    • String ID: csm
    • API String ID: 2421427270-1018135373
    • Opcode ID: db4b01c767e2b90c2114d44652076268a60d81806ccdc0cef7701e628cac7b33
    • Instruction ID: f5404e69350fb276baebb50ad56975147dfb785feb2bc1152b937b1006716d97
    • Opcode Fuzzy Hash: db4b01c767e2b90c2114d44652076268a60d81806ccdc0cef7701e628cac7b33
    • Instruction Fuzzy Hash: B13105B0D053599FDF05CFE8C6A0BEDBBF8AF09614F544459E805AB280DBB49A09CB60
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,6E0D05E7,?,?,6E0D0587,?,6E0E3DC8,0000000C,6E0D06BA,00000000,00000000), ref: 6E0D0656
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6E0D0669
    • FreeLibrary.KERNEL32(00000000,?,?,?,6E0D05E7,?,?,6E0D0587,?,6E0E3DC8,0000000C,6E0D06BA,00000000,00000000,00000001,6E0C8E32), ref: 6E0D068C
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: 68903465faa50dda81015505ba6a644dd1e0e4e6b46461b8d6dfbeace50884ea
    • Instruction ID: cbe76d07fe49630ab0b496eacb96dae2add76f06df22fe75dbf0156463fe1566
    • Opcode Fuzzy Hash: 68903465faa50dda81015505ba6a644dd1e0e4e6b46461b8d6dfbeace50884ea
    • Instruction Fuzzy Hash: 6DF08C3090061EABCB109FD4C818B9EBFA9EB45751F414169F80DE6250DB309A44DFA4
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: e761ffa314129c21605515c79a596fee0bc2d9e51b90f868c488188f43651897
    • Instruction ID: 3888e84f08cc9366949574dbcb49950d84236bf08a3aa399faa4aea560ae0118
    • Opcode Fuzzy Hash: e761ffa314129c21605515c79a596fee0bc2d9e51b90f868c488188f43651897
    • Instruction Fuzzy Hash: E441D332A043009FDB10CFB8C880B9EB7F6EF85718F2549A9D519EB345E731A905CB81
    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000,?,?,?,6E0D1B22,00000001,?,?,00000001,?,6E0D1C55), ref: 6E0D5F11
    • __alloca_probe_16.LIBCMT ref: 6E0D5F49
    • MultiByteToWideChar.KERNEL32(?,00000001,?,00000001,00000000,00000001,?,?,?,6E0D1B22,00000001,?,?,00000001,?,6E0D1C55), ref: 6E0D5F9A
    • GetStringTypeW.KERNEL32(?,00000000,00000000,6E0D1B22,?,?,?,6E0D1B22,00000001,?,?,00000001,?,6E0D1C55,?,00000001), ref: 6E0D5FAC
    • __freea.LIBCMT ref: 6E0D5FB5
      • Part of subcall function 6E0D1204: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,6E0D8205,00000001,00000000,?,6E0D4294,00000001,00000004,00000000,00000001,?,?,6E0D0BA3), ref: 6E0D1236
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
    • String ID:
    • API String ID: 1857427562-0
    • Opcode ID: 7056b8833f23f6b0b70e569bb0b87357e6db893564fb400a876001775fc3ae4c
    • Instruction ID: 87d42d18fa2140e9870ae0b885adf21fcdd71704e6cbe95d23f8e77f331696f5
    • Opcode Fuzzy Hash: 7056b8833f23f6b0b70e569bb0b87357e6db893564fb400a876001775fc3ae4c
    • Instruction Fuzzy Hash: 9331BE76A0020AEBDF158FA4CC85EEE7BB9EB44750B004528FC15EB290E735C959CBA0
    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 6E0D41C6
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6E0D41E9
      • Part of subcall function 6E0D1204: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,6E0D8205,00000001,00000000,?,6E0D4294,00000001,00000004,00000000,00000001,?,?,6E0D0BA3), ref: 6E0D1236
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6E0D420F
    • _free.LIBCMT ref: 6E0D4222
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6E0D4231
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
    • String ID:
    • API String ID: 2278895681-0
    • Opcode ID: 46c05c245a5463bc30c66bd396b21ef6cf9a1fe06802d3ed6f549ccacfa5f775
    • Instruction ID: dbccbf90a5bd4b80e24d7de9ed03309af782613ea103fbbae644cbff4d830e75
    • Opcode Fuzzy Hash: 46c05c245a5463bc30c66bd396b21ef6cf9a1fe06802d3ed6f549ccacfa5f775
    • Instruction Fuzzy Hash: 8401B572601B167F67215AEA5C8CE7F29ADDEDB9913510129FD14C3100EA608D068774
    APIs
    • GetLastError.KERNEL32(00000001,7692A396,-00000004,6E0D150E,6E0CFA9A,7692A396,?,6E0D0AD1,00000001,00000001), ref: 6E0D197C
    • _free.LIBCMT ref: 6E0D19B1
    • _free.LIBCMT ref: 6E0D19D8
    • SetLastError.KERNEL32(00000000,00000001), ref: 6E0D19E5
    • SetLastError.KERNEL32(00000000,00000001), ref: 6E0D19EE
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$_free
    • String ID:
    • API String ID: 3170660625-0
    • Opcode ID: d02bdd00a125e508e608229165c0620c87f860996b81af978074d1e309ff5dba
    • Instruction ID: eaeafac4965519b75bf13743a6f3eb3256e5a32057da5a8fc48ae5f48de90f04
    • Opcode Fuzzy Hash: d02bdd00a125e508e608229165c0620c87f860996b81af978074d1e309ff5dba
    • Instruction Fuzzy Hash: 7701D176109B006B820266E5AC88F4FAAFD8BC2BF87650525F924E3244EF34880E8361
    APIs
    • _free.LIBCMT ref: 6E0D5D53
      • Part of subcall function 6E0CFA74: HeapFree.KERNEL32(00000000,00000000,?,6E0D0AD1,00000001,00000001), ref: 6E0CFA8A
      • Part of subcall function 6E0CFA74: GetLastError.KERNEL32(7692A396,?,6E0D0AD1,00000001,00000001), ref: 6E0CFA9C
    • _free.LIBCMT ref: 6E0D5D65
    • _free.LIBCMT ref: 6E0D5D77
    • _free.LIBCMT ref: 6E0D5D89
    • _free.LIBCMT ref: 6E0D5D9B
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: f3a72e3a6afd6e2085d070ed54412ad88606798b000737b492ea85e77fcc722e
    • Instruction ID: 002af4643bd61035620d4b233a804755e7f52994da8035618ba290eaff9c705f
    • Opcode Fuzzy Hash: f3a72e3a6afd6e2085d070ed54412ad88606798b000737b492ea85e77fcc722e
    • Instruction Fuzzy Hash: 2EF04FB5500B05DB8AA4EAE4D195F6BB3DDEB01B5036C0D06EC58D7500D730F880C7B1
    APIs
    • _free.LIBCMT ref: 6E0D0D86
      • Part of subcall function 6E0CFA74: HeapFree.KERNEL32(00000000,00000000,?,6E0D0AD1,00000001,00000001), ref: 6E0CFA8A
      • Part of subcall function 6E0CFA74: GetLastError.KERNEL32(7692A396,?,6E0D0AD1,00000001,00000001), ref: 6E0CFA9C
    • _free.LIBCMT ref: 6E0D0D98
    • _free.LIBCMT ref: 6E0D0DAB
    • _free.LIBCMT ref: 6E0D0DBC
    • _free.LIBCMT ref: 6E0D0DCD
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 0c326a9fa5c6860eed8737a5fe124c096a48c78b3f16d4d9ffcdb488188573a5
    • Instruction ID: 6f3218c3cf7526e10a94c0fdf20cb037e67148ae1230b17ce38469c5e240f1b0
    • Opcode Fuzzy Hash: 0c326a9fa5c6860eed8737a5fe124c096a48c78b3f16d4d9ffcdb488188573a5
    • Instruction Fuzzy Hash: 31F0DAF0804E209F8E05AFA89801A9C7BE9B70AF343991AABF81467364DB354541CF92
    APIs
    • GetModuleHandleW.KERNEL32(1B191CF2), ref: 6E0B7D01
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: j3$j3$j3
    • API String ID: 4139908857-1354161450
    • Opcode ID: d80f6db6b5e6d16430a785c2faca32ce2d8c149eb0bc40f4aa92c260e1146509
    • Instruction ID: ae4a8d28caf02c39ed3262fd0f7c464501ef51497de4acf1eb4bd6aaa526d8bd
    • Opcode Fuzzy Hash: d80f6db6b5e6d16430a785c2faca32ce2d8c149eb0bc40f4aa92c260e1146509
    • Instruction Fuzzy Hash: F63192746187448FC720CF69C48076ABBF1FB99380F18896EE8D4CB365D636D9048F42
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: __alldvrm$_strrchr
    • String ID:
    • API String ID: 1036877536-0
    • Opcode ID: c8569fa6165621ae4bfdc23a65b375cf660c5957c43072294c7eaaba4b6edca1
    • Instruction ID: 462183f3666866358c52c811ace7a5260f8ad38c70631e5bd337f832a2eab196
    • Opcode Fuzzy Hash: c8569fa6165621ae4bfdc23a65b375cf660c5957c43072294c7eaaba4b6edca1
    • Instruction Fuzzy Hash: B6A17A76904786AFE702CFD8C8917AEBBF5FF26350F1445ADE5949B281C338894AC750
    APIs
    • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,00000001,?,6E0D31CA,?,00000001,00000000,?,?,6E0D35F8,00000008,GetCurrentPackageId), ref: 6E0D3255
    • GetLastError.KERNEL32(?,6E0D31CA,?,00000001,00000000,?,?,6E0D35F8,00000008,GetCurrentPackageId,6E0DEA78,6E0DEA80,00000000), ref: 6E0D3261
    • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,6E0D31CA,?,00000001,00000000,?,?,6E0D35F8,00000008,GetCurrentPackageId,6E0DEA78,6E0DEA80,00000000), ref: 6E0D326F
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID:
    • API String ID: 3177248105-0
    • Opcode ID: 14c9937a9385974e8b9bf278d9b3c30cd58e307ff5c70478aa46e9981112a386
    • Instruction ID: ffa7ae912098ab9f9942e338667c27d7b7b6c419ae3a37881f12ad1a888cb3dc
    • Opcode Fuzzy Hash: 14c9937a9385974e8b9bf278d9b3c30cd58e307ff5c70478aa46e9981112a386
    • Instruction Fuzzy Hash: 0501FC32A55726ABCB6149ED8C4CB667BA8AF1ABF1B100620FD19D3144D724D808CBE0
    APIs
      • Part of subcall function 6E0D3B68: GetOEMCP.KERNEL32 ref: 6E0D3B93
    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,6E0D3E36,?,00000000), ref: 6E0D4009
    • GetCPInfo.KERNEL32(00000000,6>n,?,?,?,6E0D3E36,?,00000000), ref: 6E0D401C
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: CodeInfoPageValid
    • String ID: 6>n
    • API String ID: 546120528-3310715625
    • Opcode ID: 38ccc17f5ef102b2cf51aeee85a8cf374f20bb68e088057b400f67b8b7787e3f
    • Instruction ID: 8b3a7fa8ee7347eda5ba93ba6576462c52a3ce2c9590def693d58c2d33a1c24a
    • Opcode Fuzzy Hash: 38ccc17f5ef102b2cf51aeee85a8cf374f20bb68e088057b400f67b8b7787e3f
    • Instruction Fuzzy Hash: FD516474A0030AAEDB10CFF5C8907ABBFF5EF46300F14492ED0968B241E779994ACB91
    APIs
    • DecodePointer.KERNEL32(?,7692A396,?,?,?,6E0DA65A,000000FF), ref: 6E0D99C2
    • _free.LIBCMT ref: 6E0D9A1B
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: DecodePointer_free
    • String ID: csm
    • API String ID: 4139015823-1018135373
    • Opcode ID: 8846ce2443b705a4ea6b0c353a450441f6ec3db3c6a152fa9bdb06f6b6ff8aef
    • Instruction ID: faeba5706a0b21eeb1aa5eef810a0e2c9675fe44752fad26e3d3060cfb08f0ff
    • Opcode Fuzzy Hash: 8846ce2443b705a4ea6b0c353a450441f6ec3db3c6a152fa9bdb06f6b6ff8aef
    • Instruction Fuzzy Hash: 4321DE366047429BCB048FACC4A0B99F7E8FF04754F94865AD81887648CBB0E848CBD2
    APIs
    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,?,?), ref: 6E0CD304
    • GetLastError.KERNEL32 ref: 6E0CD312
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 6E0CD36D
    Memory Dump Source
    • Source File: 00000003.00000002.2139424852.000000006E0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E0B0000, based on PE: true
    • Associated: 00000003.00000002.2139408740.000000006E0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139450570.000000006E0DB000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139469889.000000006E0E5000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139487091.000000006E0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2139507992.000000006E0EC000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6e0b0000_rundll32.jbxd
    Similarity
    • API ID: ByteCharMultiWide$ErrorLast
    • String ID:
    • API String ID: 1717984340-0
    • Opcode ID: febe4f9b8e6de226df435688cebc503f73ea466ba70ac050a7fbdb4c66e4a7fa
    • Instruction ID: 2bf0518149e9218d33b0d8799a3de15fd693c6c19fb22ead51a3707c18e40104
    • Opcode Fuzzy Hash: febe4f9b8e6de226df435688cebc503f73ea466ba70ac050a7fbdb4c66e4a7fa
    • Instruction Fuzzy Hash: A741C430654606EFDB118FE5C844BAE7BF5EF42BA0F214559F869A7194EB30C902CF52