Edit tour

Windows Analysis Report
tiiEwuElgl.dll

Overview

General Information

Sample name:	tiiEwuElgl.dll renamed because original name is a hash value
Original sample name:	9ab73f82afce07d6190bfe0495e28856bf06c2f284f5d849b2de202bebdbc0bf.dll
Analysis ID:	1544796
MD5:	90cdcc23fa3e1b2e0f0d9b9212dfa960
SHA1:	4ce4c2647cbdab647ccb46c968569d7a4a573cfb
SHA256:	9ab73f82afce07d6190bfe0495e28856bf06c2f284f5d849b2de202bebdbc0bf
Tags:	2024bankerdllgolangloadermekotiouser-johnk3r
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7904 cmdline: loaddll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7980 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 8004 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 8084 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8004 -s 648 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7988 cmdline: rundll32.exe C:\Users\user\Desktop\tiiEwuElgl.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7228 cmdline: rundll32.exe C:\Users\user\Desktop\tiiEwuElgl.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7392 cmdline: rundll32.exe C:\Users\user\Desktop\tiiEwuElgl.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7512 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7536 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7584 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7664 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeSetFocus MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7712 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeSetDirty MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5776 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeResize MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 2848 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkePaint2 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6920 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeKillFocus MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6888 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeIsDirty MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6720 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeInitialize MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1344 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeGetCaretRect MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5480 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireMouseWheelEvent MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5972 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireMouseEvent MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 2760 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireKeyUpEvent MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5280 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireKeyPressEvent MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6248 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireKeyDownEvent MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6632 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireContextMenuEvent MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7108 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFinalize MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7752 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeDestroyWebView MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6676 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeCreateWebView MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5840 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",dbkFCallWrapperAddr MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7224 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 648 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7956 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 8020 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 1076 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8020 -s 640 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 8068 cmdline: rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: tiiEwuElgl.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: tiiEwuElgl.dll

ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: tiiEwuElgl.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040D1C4 FindFirstFileW,FindClose,		5_2_0040D1C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040CBF8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,		5_2_0040CBF8

Source: Amcache.hve.8.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 5_2_004EA1D8 GetClipboardData,CopyEnhMetaFileW,GetEnhMetaFileHeader,

5_2_004EA1D8

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 5_2_004EAA7C GetObjectW,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

5_2_004EAA7C

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004F6444	5_2_004F6444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004F6704	5_2_004F6704
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004E6918	5_2_004E6918
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004B0F64	5_2_004B0F64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004B10A8	5_2_004B10A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0043B4C4	5_2_0043B4C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004FFD00	5_2_004FFD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004EFE80	5_2_004EFE80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004F1FC4	5_2_004F1FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004F5F80	5_2_004F5F80

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8004 -s 648

Source: tiiEwuElgl.dll

Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)

Source: tiiEwuElgl.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal60.winDLL@63/13@0/0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 5_2_004E5AA0 GetLastError,FormatMessageW,

5_2_004E5AA0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 5_2_004219D8 GetDiskFreeSpaceW,

5_2_004219D8

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 5_2_004AA910 FindResourceW,LoadResource,SizeofResource,LockResource,

5_2_004AA910

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8020
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8004
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5840

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\17f842e5-f424-4781-99a7-8e058a9694fc

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tiiEwuElgl.dll,BarCreate

Source: tiiEwuElgl.dll

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tiiEwuElgl.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8004 -s 648
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tiiEwuElgl.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tiiEwuElgl.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeSetFocus
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeSetDirty
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeResize
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkePaint2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeKillFocus
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeIsDirty
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeInitialize
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeGetCaretRect
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireMouseWheelEvent
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireMouseEvent
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireKeyUpEvent
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireKeyPressEvent
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireKeyDownEvent
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireContextMenuEvent
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFinalize
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeDestroyWebView
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeCreateWebView
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",BarRecognize
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 648
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8020 -s 640
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tiiEwuElgl.dll,BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tiiEwuElgl.dll,BarDestroy	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tiiEwuElgl.dll,BarFreeRec	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",BarDestroy	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",BarFreeRec	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeSetFocus	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeSetDirty	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeResize	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkePaint2	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeKillFocus	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeIsDirty	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeInitialize	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeGetCaretRect	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireMouseWheelEvent	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireMouseEvent	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireKeyUpEvent	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireKeyPressEvent	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireKeyDownEvent	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireContextMenuEvent	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFinalize	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeDestroyWebView	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeCreateWebView	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",dbkFCallWrapperAddr	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",__dbk_fcall_wrapper	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",TMethodImplementationIntercept	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",BarRecognize	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: tiiEwuElgl.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: tiiEwuElgl.dll

Static file information: File size 1270784 > 1048576

Source: tiiEwuElgl.dll

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10cc00

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 5_2_00509A20 LoadLibraryW,GetProcAddress,GetProcAddress,IsBadReadPtr,

5_2_00509A20

Source: tiiEwuElgl.dll

Static PE information: section name: .didata

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0050E000 push 0050E0DEh; ret	5_2_0050E0D6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0050E47C push 0050E519h; ret	5_2_0050E511
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00460068 push ecx; mov dword ptr [esp], edx	5_2_00460069
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00504014 push 0050403Ah; ret	5_2_00504032
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004380A4 push ecx; mov dword ptr [esp], eax	5_2_004380A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_005041A4 push 005041CAh; ret	5_2_005041C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00466248 push ecx; mov dword ptr [esp], ecx	5_2_0046624C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00464264 push ecx; mov dword ptr [esp], ecx	5_2_00464268
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004BE2E4 push ecx; mov dword ptr [esp], edx	5_2_004BE2E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004BA2F8 push ecx; mov dword ptr [esp], edx	5_2_004BA2FB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004C42F4 push ecx; mov dword ptr [esp], edx	5_2_004C42F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004682FC push ecx; mov dword ptr [esp], ecx	5_2_00468300
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004C0340 push ecx; mov dword ptr [esp], edx	5_2_004C0341
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00502340 push 00502398h; ret	5_2_00502390
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0043A3D0 push ecx; mov dword ptr [esp], eax	5_2_0043A3D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0050239C push ecx; mov dword ptr [esp], ecx	5_2_005023A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00464450 push ecx; mov dword ptr [esp], ecx	5_2_00464454
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0050A48C push 0050A500h; ret	5_2_0050A4F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0050E540 push 0050E5F6h; ret	5_2_0050E5EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004C460C push ecx; mov dword ptr [esp], edx	5_2_004C460D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0050E610 push 0050E671h; ret	5_2_0050E669
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0050E740 push 0050E7DCh; ret	5_2_0050E7D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0046670C push ecx; mov dword ptr [esp], edx	5_2_0046670D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0046671C push ecx; mov dword ptr [esp], edx	5_2_0046671D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004827C4 push 00482826h; ret	5_2_0048281E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004648E4 push ecx; mov dword ptr [esp], eax	5_2_004648E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0042E970 push 0042EA60h; ret	5_2_0042EA58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004C2A30 push ecx; mov dword ptr [esp], edx	5_2_004C2A31
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00508B48 push 00508BA8h; ret	5_2_00508BA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00468B60 push ecx; mov dword ptr [esp], edx	5_2_00468B61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00462CE0 push ecx; mov dword ptr [esp], ecx	5_2_00462CE4

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 4.5 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040D1C4 FindFirstFileW,FindClose,		5_2_0040D1C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040CBF8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,		5_2_0040CBF8

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 5_2_0040EE84 GetSystemInfo,

5_2_0040EE84

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe

API call chain: ExitProcess graph end node

graph_5-48170

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 5_2_004B8000 IsDebuggerPresent,RaiseException,

5_2_004B8000

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 5_2_00509A20 LoadLibraryW,GetProcAddress,GetProcAddress,IsBadReadPtr,

5_2_00509A20

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 5_2_005096C0 FreeLibrary,VirtualFree,GetProcessHeap,HeapFree,VirtualFree,

5_2_005096C0

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 5_2_004079E8 cpuid

5_2_004079E8

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	5_2_0040D2FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_0040C79C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	5_2_00428FD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	5_2_0042920C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	5_2_00425334
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	5_2_00425380

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 5_2_00423868 GetLocalTime,

5_2_00423868

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 5_2_0040C520 InitializeCriticalSection,GetVersion,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,

5_2_0040C520

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	25 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
tiiEwuElgl.dll	47%	ReversingLabs	Win32.Trojan.Midie
tiiEwuElgl.dll	100%	Avira	TR/Redcap.jycqg

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.8.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544796
Start date and time:	2024-10-29 18:53:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	tiiEwuElgl.dll renamed because original name is a hash value
Original Sample Name:	9ab73f82afce07d6190bfe0495e28856bf06c2f284f5d849b2de202bebdbc0bf.dll
Detection:	MAL
Classification:	mal60.winDLL@63/13@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 91% Number of executed functions: 17 Number of non-executed functions: 88
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.189.173.21
Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
VT rate limit hit for: tiiEwuElgl.dll

Simulations

Behavior and APIs

Time	Type	Description
13:54:23	API Interceptor	3x Sleep call for process: WerFault.exe modified
13:54:23	API Interceptor	1x Sleep call for process: loaddll32.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2fe5f38a4f5ae3ed51518cca5baa2e5e637fb76_7522e4b5_64422e78-53cc-46d8-a19d-7baef0af0e5c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8691065039970594
Encrypted:	false
SSDEEP:	96:u6FNi6iShVy5sj94sSCqCG6tQXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyNlX:d3iSO59b0BU/wjeTdzuiF0Z24IO84ci
MD5:	19E1DEA9C9BB677F1107B6E657E627BE
SHA1:	0F160355B2BF91364B6372128A0D4394D10C704E
SHA-256:	D21B040DEC0B7F43300D34052BD5F685187908A3B67CB5183568BB75A7C2F6BE
SHA-512:	2E47918979C161C2D3B78458451CE43FA6C6888ACC67B0F3766344BD68D995F9AF71BB4591D3437D076CDA75B3B06A2925E335ECD2E803E1EC78198AF8457C32
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.6.9.8.0.5.2.7.5.7.6.0.8.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.6.9.8.0.5.3.7.5.7.5.9.5.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.4.4.2.2.e.7.8.-.5.3.c.c.-.4.6.d.8.-.a.1.9.d.-.7.b.a.e.f.0.a.f.0.e.5.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.0.8.d.0.7.6.6.-.a.9.4.e.-.4.a.e.8.-.b.d.7.b.-.b.d.c.5.d.5.c.a.d.1.f.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.4.4.-.0.0.0.1.-.0.0.1.3.-.8.d.d.7.-.d.8.8.f.2.b.2.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2fe5f38a4f5ae3ed51518cca5baa2e5e637fb76_7522e4b5_d2f2c237-4255-4da5-8098-3eac21645fd8\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8689875991534548
Encrypted:	false
SSDEEP:	96:08Fp6iRhVyPsj94sSCqCG6tQXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyNl4G:9eiROP9b0BU/wjeTdzuiF0Z24IO84ci
MD5:	139108EB747D045BC5BA6652E220FC42
SHA1:	A5EBDA2783203A12C6022ABB61081146FE0A1662
SHA-256:	1FA78085C2DB1F329F0C853B777A71A2D3E7490434FEE7E15035A34E402DB069
SHA-512:	55B0E07688887E3403C32B85967705682769BB22FA439969D6B99FD0AC79377D1E449C7CDBB3F8FFFA4768520D39EBDC706C28064F08E6B55D125DCC1BE49364
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.6.9.8.0.6.4.3.1.8.4.3.2.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.6.9.8.0.6.5.4.2.7.8.1.5.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.2.f.2.c.2.3.7.-.4.2.5.5.-.4.d.a.5.-.8.0.9.8.-.3.e.a.c.2.1.6.4.5.f.d.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.e.8.9.a.d.d.-.e.5.c.e.-.4.2.b.8.-.8.a.9.2.-.8.b.d.0.8.0.0.a.2.9.d.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.d.0.-.0.0.0.1.-.0.0.1.3.-.1.6.5.7.-.a.a.9.6.2.b.2.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_b0cdffbca525ee12a6aa688b50d1504e3557d02a_7522e4b5_063399f1-1e56-4d88-a8ba-4023344517e5\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8635870108850204
Encrypted:	false
SSDEEP:	192:48WiTOb9p0BU/wjeTdzuiF0Z24IO8dci:Eiab9KBU/wjeJzuiF0Y4IO8dci
MD5:	057778C55AD4D9EFA245A2F3BB8CFB5D
SHA1:	C11E6FDA3D1E2CBA5DB6CFCB9956CFA07798888B
SHA-256:	67BDDE146E492414D281B3A00B6844038A1C5374B2D5DD23A39C01C6021C14C0
SHA-512:	9DB56215C169F5BABCFB8FA787D16BEB08B6CB290D2C4D4303F255BB609609B3C84C09DEF5E7534A2FC46AB408F08B47DF03A69FB9610283EA81DF1B0C5F2F3F
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.6.9.8.0.6.4.4.0.8.6.1.6.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.6.9.8.0.6.5.4.3.9.8.6.6.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.6.3.3.9.9.f.1.-.1.e.5.6.-.4.d.8.8.-.a.8.b.a.-.4.0.2.3.3.4.4.5.1.7.e.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.4.a.b.3.5.d.7.-.e.a.4.9.-.4.9.6.8.-.a.5.e.2.-.4.9.4.9.b.f.f.7.1.5.0.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.5.4.-.0.0.0.1.-.0.0.1.3.-.e.b.4.5.-.b.6.9.6.2.b.2.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER12A0.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Oct 29 17:54:24 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44436
Entropy (8bit):	1.8946708614481673
Encrypted:	false
SSDEEP:	192:l92ZqdIXmiXO5H45Wbp03/poJr1CJyAF4eOus:b7TL5Hscp2/CHqyAs
MD5:	A6AF0FB27856612E5A838BE16F81452C
SHA1:	F09F574F89CF275B97B8913D6A3427EA0C1F197E
SHA-256:	6141FC33875969977DD2C83AAF566B281C3D41B351E83ADAFED3BEF8D8C88A83
SHA-512:	F00173F865E691AE272D5A817B502354F3810CFF0266AF28BA9C5CC16628AA145356B34146FFF376CE04204AA4F00B14C098E8E471ED60698433F2816BE7EC9D
Malicious:	false
Preview:	MDMP..a..... .......P!!g.........................................)..........T.......8...........T.......................................................................................................................eJ......,.......GenuineIntel............T...........O!!g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER12FE.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Oct 29 17:54:24 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	43412
Entropy (8bit):	1.9955129084803749
Encrypted:	false
SSDEEP:	192:lNh2ZodIXmv/QXO5H4WYJswEePIvtoe12HRq2CAfbPv9DzC2M2Qnm5/bW:Hh1bt5HXYJpEeP6d12/bPv9Dzxy
MD5:	ABFC70C62DB627C7EADE055C6F92BF4C
SHA1:	5AE32B597E08ABD2911D78543D839148F4345D92
SHA-256:	0546629EF79138877CE70B7F299CE431314EE82DB25A9C4BAC2C9D4B565F1F7A
SHA-512:	6FBD92C7B55DF8D57FCAB446ACA7DE1BAB620331455EA4D50E2F87BA72FA2BCD0351F6ACE79BBB6C21DDEA35DCCAA426AF34C5E83CE239099ED23F4CFE6E112D
Malicious:	false
Preview:	MDMP..a..... .......P!!g....................................$....)..........T.......8...........T.......................................................................................................................eJ......,.......GenuineIntel............T.......T...O!!g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER133E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8342
Entropy (8bit):	3.6897210028579956
Encrypted:	false
SSDEEP:	192:R6l7wVeJ0O6IUD6YUri6A/gmf8Copr089bNgsfdPm:R6lXJF6IUD6Y164gmf8CsNzf4
MD5:	BDA203DDF109951F9340BD0A46BA460A
SHA1:	39C794E37A0B993326ECE81B6ED03A53E083C5DD
SHA-256:	E428C17E939E57773048265B886621F7FAA7B8C571F1C178326A02843EA214B9
SHA-512:	FCEDB21548C9B3F3A370DF31381DA89632730B2710A0878FF60E0081C39EC40EF0EEDBE292E0B3EBEDE318F3375E8190A72ADDCB420A366A94E5864701D21A2C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER13BC.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4751
Entropy (8bit):	4.443922870698804
Encrypted:	false
SSDEEP:	48:cvIwWl8zscJg77aI9cKyWpW8VYaYm8M4JCdPAnFEc+q8vjPAqaGScSNad:uIjfaI7am7VyJjRK8qaJ3Nad
MD5:	DA9E0B02666EF742BF4D3107C99A0D3A
SHA1:	4BDB79BC8121040B32034C6EF6AC45D497F674A7
SHA-256:	D7BEAEDD18D36DAA2D583501610CFEF4F3DC094414E4EA733E9596DE7A9DACFD
SHA-512:	8BCC0F7219FCEAC76A48965988687D85D01EF9FC44C7F067C89A8C13A8E55C565B17F2D68726800D0827CD9DCC223C0698245D52E35B0B4C84D2B25DA96EF9EA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="565017" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER13DA.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8278
Entropy (8bit):	3.691488623323235
Encrypted:	false
SSDEEP:	192:R6l7wVeJ366IdLH6YUrM6h/gmfT9oprZ89bNJsfIPm:R6lXJq6Idr6Yb65gmfT9bNif9
MD5:	35D05BE26EC6A38FC4D2DD20EB7B7895
SHA1:	F8CD7409AD829AD0A51A647B9F62EF6E744A9D53
SHA-256:	F794FC099C64D78BC4E6757501E84A4531DEAD9EAA59B62D71397951C013BCF5
SHA-512:	552876501BD0746A7E515B66329B14C8CD7A97527648B062B4CA9A28ACE6C11EF3C5E36A8280F7A9281A68D1202AE2761F3C06A7C413A60C752540EC5628BFD1
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER140A.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4650
Entropy (8bit):	4.461927515845154
Encrypted:	false
SSDEEP:	48:cvIwWl8zscJg77aI9cKyWpW8VYaYm8M4JCdPgF1+q8/VqGScSid:uIjfaI7am7VyJntJ3id
MD5:	0144CCF0346C5BDA272827960076E4C9
SHA1:	6F462A6DD1C8FB4FB0AB57582C27A8D4C126B228
SHA-256:	B5ACEB0DF404A7DBDCD599A83FF74930EEA22C4A0D8660D2DB5863B75EF00AEC
SHA-512:	39F3521376112A25ADE3B4AE131B11E26F6F069B0E26865B5DD359E42B6F7E9346E53D65292596D4E0265900A79FB9F278A6EF326883036CC2AF4EBD53AA3122
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="565017" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE576.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Oct 29 17:54:12 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44956
Entropy (8bit):	1.8874173327295376
Encrypted:	false
SSDEEP:	192:paT2Z0dIX1ZAO5H44spoN5U/YxAMm6QA1G:odMZX5H1spoNe/YJG
MD5:	DEF5AE0C6FA63EABBDC6647EB27794C6
SHA1:	BE3F741AE896997E32B335DD048CA7310C9FBE03
SHA-256:	B24DFC541489D98EA9EC94A74B28F03A9A1FCB791E91F330CB566B150427B2AA
SHA-512:	71386620F1E0BDC207650A1E62B1A756AAF9A1CDB009C3E9BB9427A19BE6B9F58F0499D8FE432CE592328734FA3BCC6E4C9B41415D777827A8F56C5F07F1765F
Malicious:	false
Preview:	MDMP..a..... .......D!!g.........................................)..........T.......8...........T......................................................................................................................eJ......,.......GenuineIntel............T.......D...D!!g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE632.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8322
Entropy (8bit):	3.6875750410672286
Encrypted:	false
SSDEEP:	192:R6l7wVeJyM66IUe6YFO6vgmf8Copr+89boosfB4m:R6lXJc6IUe6Y86vgmf8Caobfr
MD5:	5D1F6B9396B623A65243D05980C1227F
SHA1:	6CB2D8DB9B78821BCCD32776C91F501E75AFF9E9
SHA-256:	2638C26453E00246A5ABF7C995986033D6DE996D58B07D788A96085A5E6095EF
SHA-512:	8199FCF53B54E1CF768FE748DB6A60A61FA53021E57856917E6ED027B6BD72410A7553502AB63E4C93751B9DEEEAAAC7A22C8EE72413D74ACF5E164ADE6CF65E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE662.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4751
Entropy (8bit):	4.445641255550173
Encrypted:	false
SSDEEP:	48:cvIwWl8zsrJg77aI9cKyWpW8VYXYm8M4JCdPAnF9O+q8vjPA7SGScSxd:uIjfFI7am7V/JjuK82J3xd
MD5:	3ED9351C9232187C55A4D4741409A5B0
SHA1:	E4C95110C5333363F354F756A7A7443379E620DB
SHA-256:	3FFED36ACEBC56C93227D8C4A2C5A0EAFC549C1A9E8350A84622FC88051A11C8
SHA-512:	10CF6E2E54068B64F4EAA05481FADFBE2D07A8DE5149C139AA0A278012D86FE27674F82BBED941E0507208BC4F66442E296B926BCE0BCAB5A0D749CDE0E0E243
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="565016" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.2961146062225986
Encrypted:	false
SSDEEP:	6144:441fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+SwmBMZJh1Vj/:11/YCW2AoQ0Ni0wwMHrVT
MD5:	0C51AC780021BD88A8301E46F443AC09
SHA1:	052E270B4D318DB11BB1CA5D6E2332D146884AA7
SHA-256:	CEFFACCFD7E578438CAF826C5D7FAC6F4D9B90BB5354C96F9E64580FC8B7D80F
SHA-512:	B225F31EBAC70E4F41020EECA53B95CEEB7986E949F396C0EAEB37640D1908B19CFE6832217715E9BFE178893DC033AB64F3FFA7412ED6D63A3047A254AA8FE6
Malicious:	false
Preview:	regfH...H....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....+*..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.649023845545503
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 95.46% Win32 EXE PECompact compressed (generic) (41571/9) 3.96% Win16/32 Executable Delphi generic (2074/23) 0.20% Generic Win/DOS Executable (2004/3) 0.19% DOS Executable Generic (2002/1) 0.19%
File name:	tiiEwuElgl.dll
File size:	1'270'784 bytes
MD5:	90cdcc23fa3e1b2e0f0d9b9212dfa960
SHA1:	4ce4c2647cbdab647ccb46c968569d7a4a573cfb
SHA256:	9ab73f82afce07d6190bfe0495e28856bf06c2f284f5d849b2de202bebdbc0bf
SHA512:	4d027e67d93ea248108caf36e435005497a0a9826859fcaef8e47dab861a4fd0e7e3458239557901786bf0001ade39bba3fcf9d1198ba649d9a0c97e0224c1a5
SSDEEP:	24576:UG7sj6RB+VtcAi11S8K0mH6DzmYT4VKh:l7eVY4v0zDztT4VK
TLSH:	2B455C62F245643EC4AA0A364977AE50583FB7A2755AEC1E57F4088CCE395802F3E74F
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x50eed8
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x66F1631C [Mon Sep 23 12:46:20 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	6327992c879b906e750778c69d550fed

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC0h
mov eax, 0050A560h
call 00007F3A38FB9B05h
call 00007F3A38FB2F20h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x122000	0x2a2	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11f000	0x1c46	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13d000	0x4600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x124000	0x18548	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11f5a4	0x464	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x121000	0x366	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x10cb58	0x10cc00	720d8dddc24baf7db1c60411759c302e	False	0.3668450218023256	data	6.492266813610806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x10e000	0xef0	0x1000	840537971360cb196412496867fc16a4	False	0.53466796875	data	6.082139005305649	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x10f000	0x8fb0	0x9000	7b0def8645aa9b86432bae9f010e4c7d	False	0.6369357638888888	data	6.630620900357122	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x118000	0x6300	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x11f000	0x1c46	0x1e00	bd166391d3b2991897d3f90ec0b419cb	False	0.32083333333333336	data	4.974350011480841	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x121000	0x366	0x400	9c7b1e6fd492c18332b403fa3ad29c2e	False	0.3544921875	data	3.0967012674854977	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x122000	0x2a2	0x400	55c7b4a05e67b2c1db68d44822d879ac	False	0.40234375	data	3.984099517856658	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rdata	0x123000	0x44	0x200	c9f8bfa36b2dc5163b75d3196d251b45	False	0.15625	data	1.1660636886017055	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x124000	0x18548	0x18600	a13078d0fde5d7a72efd42912f29044d	False	0.5806790865384616	data	6.711473706749173	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x13d000	0x4600	0x4600	f108b90f7acd21044da6de8b37820df2	False	0.2732700892857143	data	3.688534955035787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_STRING	0x13d460	0x31c	DOS executable (COM, 0x8C-variant)			0.4258793969849246
RT_STRING	0x13d77c	0xb5c	data			0.2548143053645117
RT_STRING	0x13e2d8	0x428	data			0.37406015037593987
RT_STRING	0x13e700	0x3c4	data			0.37655601659751037
RT_STRING	0x13eac4	0x3cc	data			0.2757201646090535
RT_STRING	0x13ee90	0x394	data			0.4334061135371179
RT_STRING	0x13f224	0x4e4	data			0.35303514376996803
RT_STRING	0x13f708	0x374	data			0.3563348416289593
RT_STRING	0x13fa7c	0x454	data			0.38898916967509023
RT_STRING	0x13fed0	0x1ec	data			0.3983739837398374
RT_STRING	0x1400bc	0xc4	data			0.6428571428571429
RT_STRING	0x140180	0x170	data			0.5597826086956522
RT_STRING	0x1402f0	0x334	data			0.41585365853658535
RT_STRING	0x140624	0x408	data			0.3168604651162791
RT_STRING	0x140a2c	0x36c	data			0.4018264840182648
RT_STRING	0x140d98	0x2b8	data			0.4367816091954023
RT_RCDATA	0x141050	0x10	data			1.5
RT_RCDATA	0x141060	0x380	data			0.59375
RT_RCDATA	0x1413e0	0x2	data	English	United States	5.0
RT_VERSION	0x1413e4	0x1e8	data	English	United States	0.5

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc, FreeLibrary
user32.dll	ReleaseDC, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, LoadImageW, LoadIconW, GetSystemMetrics, GetSysColor, GetIconInfo, GetDC, GetClipboardData, FrameRect, FillRect, DrawTextExW, DrawIconEx, DrawFocusRect, DestroyIcon, CreateIcon, CopyIcon, CharUpperBuffW, CharUpperW, CharLowerBuffW
gdi32.dll	UnrealizeObject, StretchDIBits, StretchBlt, SetWinMetaFileBits, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, RoundRect, ResizePalette, Rectangle, RealizePalette, Polyline, Polygon, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStretchBltMode, GetStockObject, GetPixel, GetPaletteEntries, GetObjectW, GetNearestPaletteIndex, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutW, ExtFloodFill, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, Chord, BitBlt, ArcTo, Arc, AngleArc
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll	WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetFilePointer, SetEvent, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, RaiseException, IsDebuggerPresent, MulDiv, LockResource, LocalFree, LoadResource, LoadLibraryW, LeaveCriticalSection, IsValidLocale, IsBadReadPtr, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GetVersionExW, GetTickCount, GetThreadPriority, GetThreadLocale, GetStdHandle, GetProcessHeap, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetExitCodeThread, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcess, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageW, FindResourceW, EnumSystemLocalesW, EnumCalendarInfoW, EnterCriticalSection, DeleteCriticalSection, CreateFileW, CreateEventW, CompareStringW, CloseHandle
advapi32.dll	RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey
kernel32.dll	Sleep
netapi32.dll	NetApiBufferFree, NetWkstaGetInfo
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
ole32.dll	CoCreateInstance, IsEqualGUID
msvcrt.dll	memset, memcpy

Exports

Name	Ordinal	Address
BarCreate	4	0x50a554
BarDestroy	5	0x50a550
BarFreeRec	6	0x50a54c
BarRecognize	7	0x50a548
TMethodImplementationIntercept	3	0x45f330
__dbk_fcall_wrapper	2	0x41041c
dbkFCallWrapperAddr	1	0x51b630
wkeCreateWebView	13	0x50a530
wkeDestroyWebView	8	0x50a544
wkeFinalize	9	0x50a540
wkeFireContextMenuEvent	16	0x50a524
wkeFireKeyDownEvent	12	0x50a534
wkeFireKeyPressEvent	14	0x50a52c
wkeFireKeyUpEvent	23	0x50a508
wkeFireMouseEvent	15	0x50a528
wkeFireMouseWheelEvent	17	0x50a520
wkeGetCaretRect	20	0x50a514
wkeInitialize	22	0x50a50c
wkeIsDirty	21	0x50a510
wkeKillFocus	19	0x50a518
wkePaint2	24	0x50a504
wkeResize	11	0x50a538
wkeSetDirty	10	0x50a53c
wkeSetFocus	18	0x50a51c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	1
Start time:	13:54:12
Start date:	29/10/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll"
Imagebase:	0xff0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:54:12
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:54:12
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",#1
Imagebase:	0xd70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:54:12
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\tiiEwuElgl.dll,BarCreate
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:54:12
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",#1
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:54:12
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8004 -s 648
Imagebase:	0x2a0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:54:15
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\tiiEwuElgl.dll,BarDestroy
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:54:18
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\tiiEwuElgl.dll,BarFreeRec
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:54:21
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",BarCreate
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:54:21
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",BarDestroy
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:54:21
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",BarFreeRec
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:54:21
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeSetFocus
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	13:54:22
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeSetDirty
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:54:22
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeResize
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	13:54:22
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkePaint2
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	13:54:22
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeKillFocus
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	13:54:22
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeIsDirty
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	13:54:22
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeInitialize
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	13:54:22
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeGetCaretRect
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	13:54:22
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireMouseWheelEvent
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	13:54:23
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireMouseEvent
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	13:54:23
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireKeyUpEvent
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	13:54:23
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireKeyPressEvent
Imagebase:	0x7ff620390000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	13:54:23
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireKeyDownEvent
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	13:54:23
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFireContextMenuEvent
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	13:54:23
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeFinalize
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	13:54:23
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeDestroyWebView
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	13:54:23
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",wkeCreateWebView
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	13:54:23
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",dbkFCallWrapperAddr
Imagebase:	0x7ff7df220000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	13:54:23
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",__dbk_fcall_wrapper
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	13:54:23
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",TMethodImplementationIntercept
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	13:54:23
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tiiEwuElgl.dll",BarRecognize
Imagebase:	0x60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	13:54:24
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 648
Imagebase:	0x2a0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	13:54:24
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8020 -s 640
Imagebase:	0x2a0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.6%
Total number of Nodes:	332
Total number of Limit Nodes:	36

Executed Functions

Function 0040D2FC Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040D3BC,?,?), ref: 0040D32E
GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040D3BC,?,?), ref: 0040D337

Part of subcall function 0040D1C4: FindFirstFileW.KERNEL32(00000000,?,00000000,0040D222,?,00000001), ref: 0040D1F7
Part of subcall function 0040D1C4: FindClose.KERNEL32(00000000,00000000,?,00000000,0040D222,?,00000001), ref: 0040D207

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
String ID:
API String ID: 3216391948-0
Opcode ID: bb5aebafb1050cca1833a86485a25d2ce173cc466728c947d737821306c0bec7
Instruction ID: 31cc6c2f53d714b9faa06a3b986118d36ba9187928ad3646f11bb52bdd509fcd
Opcode Fuzzy Hash: bb5aebafb1050cca1833a86485a25d2ce173cc466728c947d737821306c0bec7
Instruction Fuzzy Hash: DD113670E042099BDF00EFA5D952AAEB3B4EF45304F50447EB904B73C2D7785E098669

Function 0040D1C4 Relevance: 3.0, APIs: 2, Instructions: 33
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0040D222,?,00000001), ref: 0040D1F7
FindClose.KERNEL32(00000000,00000000,?,00000000,0040D222,?,00000001), ref: 0040D207

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: fd6b56c6bec8101a1a2edd49b896a968750317b75b60eb436ea3e7407fe2b467
Instruction ID: f2706f95e4b90df003fff4208de2c5c05cd5cdeba3f5e8022b992bb7b9acb03d
Opcode Fuzzy Hash: fd6b56c6bec8101a1a2edd49b896a968750317b75b60eb436ea3e7407fe2b467
Instruction Fuzzy Hash: 80F08271944608BEDB20FBB5DC5299EB7FCEB48314BA005BAB404F31D2EB389E14995D

Function 0040EE84 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 0040EE88

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: c27e8cf9b7b8b28db5bf16ce19b686b88097b3598cd7681285108ea85b127420
Instruction ID: 4e8efc271a9064b51e8e7fb51594f2112b3c6a5914667696f4d1ddbf71e3eb2d
Opcode Fuzzy Hash: c27e8cf9b7b8b28db5bf16ce19b686b88097b3598cd7681285108ea85b127420
Instruction Fuzzy Hash: 72A012208088000EC408A7194C4350F31805941118FC40624785CA92C2E619896546EF

Function 0040CDE8 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040D00D,?,?), ref: 0040CE21
RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040D00D,?,?), ref: 0040CE6A
RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040D00D,?,?), ref: 0040CE8C
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040CEAA
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040CEC8
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040CEE6
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040CF04
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040CFF0,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040D00D), ref: 0040CF44
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040CFF0,?,80000001), ref: 0040CF6F
RegCloseKey.ADVAPI32(?,0040CFF7,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040CFF0,?,80000001,Software\Embarcadero\Locales), ref: 0040CFEA

Strings

Software\Embarcadero\Locales, xrefs: 0040CE60, 0040CE82
Software\CodeGear\Locales, xrefs: 0040CEA0, 0040CEBE
Software\Borland\Delphi\Locales, xrefs: 0040CEFA
Software\Borland\Locales, xrefs: 0040CEDC

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Open$QueryValue$CloseFileModuleName
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
API String ID: 2701450724-3496071916
Opcode ID: f7c917e479dc5b8b684dcf2a59e43bffe3130ab6fea02e13758483d346620e00
Instruction ID: 80583e44c54d8f6c8431ac525ce0e8cce3f8a82ce7c118a8e5b64ed8406c3328
Opcode Fuzzy Hash: f7c917e479dc5b8b684dcf2a59e43bffe3130ab6fea02e13758483d346620e00
Instruction Fuzzy Hash: DC512675A40609BEEB20DBA5CC82FAFB7BCDB08704F504077BA04F61C1D6789D059A5D

Function 0040CAB4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(0051AC10,00000000,0040CBB8,?,?,?,00000000,?,0040D480,00000000,0040D4DF,?,?,00000000,00000000,00000000), ref: 0040CAD2
LeaveCriticalSection.KERNEL32(0051AC10,0051AC10,00000000,0040CBB8,?,?,?,00000000,?,0040D480,00000000,0040D4DF,?,?,00000000,00000000), ref: 0040CAF6
LeaveCriticalSection.KERNEL32(0051AC10,0051AC10,00000000,0040CBB8,?,?,?,00000000,?,0040D480,00000000,0040D4DF,?,?,00000000,00000000), ref: 0040CB05
IsValidLocale.KERNEL32(00000000,00000002,0051AC10,0051AC10,00000000,0040CBB8,?,?,?,00000000,?,0040D480,00000000,0040D4DF), ref: 0040CB17
EnterCriticalSection.KERNEL32(0051AC10,00000000,00000002,0051AC10,0051AC10,00000000,0040CBB8,?,?,?,00000000,?,0040D480,00000000,0040D4DF), ref: 0040CB74
LeaveCriticalSection.KERNEL32(0051AC10,0051AC10,00000000,00000002,0051AC10,0051AC10,00000000,0040CBB8,?,?,?,00000000,?,0040D480,00000000,0040D4DF), ref: 0040CB9D

Strings

en-GB,en,en-US,, xrefs: 0040CAE2, 0040CB89

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$LocaleValid
String ID: en-GB,en,en-US,
API String ID: 975949045-3021119265
Opcode ID: 16983b795ea3f6d15511b6f3b7a2fd081026003eab2b4e0bc2c7165cd39925dc
Instruction ID: dbd07ac227d82710da470fa0a9828874cbe6fbb8e5c29b4c0eb771d3e90eaa4c
Opcode Fuzzy Hash: 16983b795ea3f6d15511b6f3b7a2fd081026003eab2b4e0bc2c7165cd39925dc
Instruction Fuzzy Hash: 59214220740744D7EA12B77AA85376E36A4EB45718F50853BB000B72C2D9BD9D418ADF

Function 004EEE14 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 004EEE3A

Part of subcall function 004EEDD0: GetDC.USER32(00000000), ref: 004EEDD9
Part of subcall function 004EEDD0: SelectObject.GDI32(00000000,058A00B4), ref: 004EEDEB
Part of subcall function 004EEDD0: GetTextMetricsW.GDI32(00000000), ref: 004EEDF6
Part of subcall function 004EEDD0: ReleaseDC.USER32(00000000,00000000), ref: 004EEE07

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 004EEE90
Tahoma, xrefs: 004EEE5C
MS Shell Dlg 2, xrefs: 004EEEA4

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: MetricsObjectReleaseSelectText
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 2013942131-1011973972
Opcode ID: be482c23fc04854ccbbdcf28bf65d170dbc827ea5ae0eb728837008b27a61e6b
Instruction ID: fedfb2c2bc4fa0aeb11c7dea6b38eca75a12a753985ff0520aa7ec168d4a3772
Opcode Fuzzy Hash: be482c23fc04854ccbbdcf28bf65d170dbc827ea5ae0eb728837008b27a61e6b
Instruction Fuzzy Hash: F611D030600149AFD711EF6BCC12A9E7BB5EB45705F9084BBF400A7791DB39AD01CB18

Function 0040961C Relevance: 6.2, APIs: 4, Instructions: 161
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00409653

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 5a2d98b2b9303db085ca7903a3e8743554e309b17d8937ec0eab1567879db523
Instruction ID: 57d564f7514a768ac0d6b140dc1e0ae383663f7c9c7dd69698fd604fdf563357
Opcode Fuzzy Hash: 5a2d98b2b9303db085ca7903a3e8743554e309b17d8937ec0eab1567879db523
Instruction Fuzzy Hash: FF516B706002449BDB25EF6AC88479B7BE1AF59314F14843FE809AA3D3D779DC88CB59

Function 0050E000 Relevance: 6.0, APIs: 4, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadLocale.KERNEL32(00000400,00000000,0050E0D7), ref: 0050E02D

Part of subcall function 0040C520: InitializeCriticalSection.KERNEL32(0051AC10,0050E037,00000400,00000000,0050E0D7), ref: 0040C525
Part of subcall function 0040C520: GetVersion.KERNEL32(0051AC10,0050E037,00000400,00000000,0050E0D7), ref: 0040C533
Part of subcall function 0040C520: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,0051AC10,0050E037,00000400,00000000,0050E0D7), ref: 0040C55A
Part of subcall function 0040C520: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040C560
Part of subcall function 0040C520: GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,0051AC10,0050E037,00000400,00000000,0050E0D7), ref: 0040C574
Part of subcall function 0040C520: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040C57A
Part of subcall function 0040C520: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,0051AC10,0050E037,00000400,00000000,0050E0D7), ref: 0040C58E
Part of subcall function 0040C520: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040C594

Part of subcall function 0040EE84: GetSystemInfo.KERNEL32 ref: 0040EE88

GetCommandLineW.KERNEL32(00000400,00000000,0050E0D7), ref: 0050E092

Part of subcall function 00405244: GetStartupInfoW.KERNEL32 ref: 00405255

GetACP.KERNEL32(00000400,00000000,0050E0D7), ref: 0050E0A6
GetCurrentThreadId.KERNEL32 ref: 0050E0BA

Part of subcall function 0040EE98: GetVersion.KERNEL32(0050E0C9,00000400,00000000,0050E0D7), ref: 0040EE98

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc$InfoThreadVersion$CommandCriticalCurrentInitializeLineLocaleSectionStartupSystem
String ID:
API String ID: 2740004594-0
Opcode ID: da96efc90d0f3f823da1e0c30568e20cb602c22b5ccd4f7319bb0d9d278b2238
Instruction ID: b63630b870325ab19e945f9b7a74bc4420f07e9680e2ed97b13d29786ef075bf
Opcode Fuzzy Hash: da96efc90d0f3f823da1e0c30568e20cb602c22b5ccd4f7319bb0d9d278b2238
Instruction Fuzzy Hash: 3411217040478889D720FF72AC1A2693AA4FB19308710C87ED1006A2E2DFBD540CEF6E

Function 004D915C Relevance: 4.6, APIs: 3, Instructions: 150
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,004D931F), ref: 004D91D5
RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,004D931F), ref: 004D924B
RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 004D92BC

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 297e97f5790f3bfbe46446021c8049ae68c7a4fb6bdd877cd8b5aad7bbb95b8b
Instruction ID: ad3af0877aad2f918cc60e01b05eab59aa261d8504b712c7e441bbb361f6d9d3
Opcode Fuzzy Hash: 297e97f5790f3bfbe46446021c8049ae68c7a4fb6bdd877cd8b5aad7bbb95b8b
Instruction Fuzzy Hash: 87515431B00208BFDB11EBA5C852B9EB7FAAB48304F15446FB444E3382DA7D9F069759

Function 00427884 Relevance: 4.6, APIs: 3, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00427984), ref: 004278C9
GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,00427967,?,00000000,?,00000000,00427984), ref: 00427902
VerQueryValueW.VERSION(?,00427998,?,?,00000000,?,00000000,?,00000000,00427967,?,00000000,?,00000000,00427984), ref: 0042791C

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue
String ID:
API String ID: 2179348866-0
Opcode ID: d254ea856f19eca79d65d9f3d227b80f169b0e93736270e157245cabf41f0a7c
Instruction ID: c637f2b1f86e41ba3c57f6c02bd3706f471a10e856d15e50b91235f572eefc7d
Opcode Fuzzy Hash: d254ea856f19eca79d65d9f3d227b80f169b0e93736270e157245cabf41f0a7c
Instruction Fuzzy Hash: BC3141B5A04319AFEB00DFA9D881DAEB7F8EB48704B9144BAF544E3241D778DE40CB65

Function 004D9EDC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,004D9BB9), ref: 004D9F07

Strings

8DA, xrefs: 004D9F26

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: QueryValue
String ID: 8DA
API String ID: 3660427363-1089967677
Opcode ID: be06913722247d54d528faf6a06bf9397d8024039bca483372a6ac41c7d8e945
Instruction ID: 93ec59a722418d2350404c6d4511a7549c5540bd7efde8b6b2c56d608387ccd1
Opcode Fuzzy Hash: be06913722247d54d528faf6a06bf9397d8024039bca483372a6ac41c7d8e945
Instruction Fuzzy Hash: AE015E71A00208AFDB00EFA9DC81ADEB7A89B59314F0081ABF914DB342DA759E0587A5

Function 0040D3C8 Relevance: 3.1, APIs: 2, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNEL32(00000000,0040D4DF,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040D566,00000000,?,00000105), ref: 0040D473
GetSystemDefaultUILanguage.KERNEL32(00000000,0040D4DF,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040D566,00000000,?,00000105), ref: 0040D49B

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: DefaultLanguage$SystemUser
String ID:
API String ID: 384301227-0
Opcode ID: e5fbb9e0fc620f56b36578c07845851fe2fed8148833940ec20a2950b4b279a8
Instruction ID: 914cf1b0947d833fcc03ff50d5076885400eec8b7426a2207ce03941fa5f7576
Opcode Fuzzy Hash: e5fbb9e0fc620f56b36578c07845851fe2fed8148833940ec20a2950b4b279a8
Instruction Fuzzy Hash: DB31EB30E142099BDB10EFA9C891BAEB7B5EF44304F50457BE400B72D2D778AD498A59

Function 0040D4EC Relevance: 3.1, APIs: 2, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040D5A6,?,00400000,0050FC1C), ref: 0040D528
LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040D5A6,?,00400000,0050FC1C), ref: 0040D579

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: FileLibraryLoadModuleName
String ID:
API String ID: 1159719554-0
Opcode ID: 783f705d58062fb5f8e85dc88ba71afedba3f43c8334a4a5c8ebaaa4e4aa5bf8
Instruction ID: 258510d9c4dee0299c5f3f79c4fbca46c564eaaadbdb9c5c4e3057b0bb4fa4ad
Opcode Fuzzy Hash: 783f705d58062fb5f8e85dc88ba71afedba3f43c8334a4a5c8ebaaa4e4aa5bf8
Instruction Fuzzy Hash: 3F114F70E4461CABDB10EB94CC86BDE73B8DB04304F5144BAB508B72D1EA785F858A99

Function 00405600 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,?,00405C17), ref: 00405617

Strings

@., xrefs: 00405652, 00405670

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: @.
API String ID: 4275171209-4201455939
Opcode ID: e9bd031fac14de1d523f3f0fd1d0bc821c44dc6a8c79c950d7b754ab0e602f81
Instruction ID: 7dac567e4a07de2f06f580edb35680116b9bdba5c2a0860377bbd693bdd19f0d
Opcode Fuzzy Hash: e9bd031fac14de1d523f3f0fd1d0bc821c44dc6a8c79c950d7b754ab0e602f81
Instruction Fuzzy Hash: 49F0AFF2B003004FD7248F789D407A67AD4FB08324F10827FE908EB798DBB488048B84

Function 004D8EA0 Relevance: 3.0, APIs: 2, Instructions: 18
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegFlushKey.ADVAPI32(00000000,?,004D8F0C,?,?,00000000,004D9123,00000000,00000000,00000000,?,?,00000000,004D9139), ref: 004D8EB1
RegCloseKey.ADVAPI32(00000000,?,004D8F0C,?,?,00000000,004D9123,00000000,00000000,00000000,?,?,00000000,004D9139), ref: 004D8EBA

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: CloseFlush
String ID:
API String ID: 320916635-0
Opcode ID: 53487b9075c46a64610a4022df3c6a921f3544410d10f835025151eaea8ac81c
Instruction ID: 6f4c2654893a1a96a1da4be1dd0c350b83e18a7e628d6434c516513760379d46
Opcode Fuzzy Hash: 53487b9075c46a64610a4022df3c6a921f3544410d10f835025151eaea8ac81c
Instruction Fuzzy Hash: 40D067B1E042049ADF60EF7AC9C5A577BDC6F44315B08C4ABB808DF247DA3CD9409B28

Function 004D98DC Relevance: 1.5, APIs: 1, Instructions: 36
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,004D9AE0,00000000,004D9C1C), ref: 004D990D

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ad67be82557188437bc6127552a9993e0998d0cde0f580ab283647e522f4a4dc
Instruction ID: bf80709a24f295cc4fff76cdf4c79f612c8773d4563c6b2b62db8eae0a0485ee
Opcode Fuzzy Hash: ad67be82557188437bc6127552a9993e0998d0cde0f580ab283647e522f4a4dc
Instruction Fuzzy Hash: 3CF01C623052046FD344FA6E9C81F6B66DC9B88754F10843FB248C7342D964DC058375

Function 0040C278 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00400000,?,0000020A), ref: 0040C296

Part of subcall function 0040D4EC: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040D5A6,?,00400000,0050FC1C), ref: 0040D528
Part of subcall function 0040D4EC: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040D5A6,?,00400000,0050FC1C), ref: 0040D579

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: FileModuleName$LibraryLoad
String ID:
API String ID: 4113206344-0
Opcode ID: d994d483d02e46fdff6fa18ed6b597f72d1d7e29fcadbbba57b44e2c2294e8a2
Instruction ID: dd2aa8039920255b97d322d6193c29fca073ce87a4a4145dda77fc50cf625817
Opcode Fuzzy Hash: d994d483d02e46fdff6fa18ed6b597f72d1d7e29fcadbbba57b44e2c2294e8a2
Instruction Fuzzy Hash: 07E0ED71E003109BCB10DF98C9C5A4737D8AB08754F0446A6AD14DF387D775DD148BD5

Non-executed Functions

Function 004EAA7C Relevance: 48.5, APIs: 32, Instructions: 501windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(00000000,00000054,?), ref: 004EAAFC
GetDC.USER32(00000000), ref: 004EAB0D
CreateCompatibleDC.GDI32(00000000), ref: 004EAB1E
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 004EAB6A
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004EAB8E
SelectObject.GDI32(?,?), ref: 004EADE6
SelectPalette.GDI32(?,00000000,00000000), ref: 004EAE26
RealizePalette.GDI32(?), ref: 004EAE32
SetTextColor.GDI32(?,00000000), ref: 004EAE9B
SetBkColor.GDI32(?,00000000), ref: 004EAEB6
SetDIBColorTable.GDI32(?,00000000,00000002,?,?,00000000,?,00000000,00000000,004EB046,?,00000000,004EB068,?,00000000,004EB079), ref: 004EAEFF
FillRect.USER32(?,00000000,00000000), ref: 004EAE83

Part of subcall function 004E32AC: GetSysColor.USER32(?), ref: 004E32B6

PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 004EAF21
CreateCompatibleDC.GDI32(00000000), ref: 004EAF34
SelectObject.GDI32(004EB33B,00000000), ref: 004EAF57
SelectPalette.GDI32(004EB33B,00000000,00000000), ref: 004EAF73
RealizePalette.GDI32(004EB33B), ref: 004EAF7E
SetTextColor.GDI32(004EB33B,00000000), ref: 004EAF9C
SetBkColor.GDI32(004EB33B,00000000), ref: 004EAFB7
BitBlt.GDI32(?,00000000,00000000,?,?,004EB33B,00000000,00000000,00CC0020), ref: 004EAFDF
SelectPalette.GDI32(004EB33B,00000000,000000FF), ref: 004EAFF1
SelectObject.GDI32(004EB33B,00000000), ref: 004EAFFB
DeleteDC.GDI32(004EB33B), ref: 004EB016

Part of subcall function 004E45BC: EnterCriticalSection.KERNEL32(-00000008), ref: 004E45E4
Part of subcall function 004E45BC: CreateBrushIndirect.GDI32(?), ref: 004E4671
Part of subcall function 004E45BC: LeaveCriticalSection.KERNEL32(?,004E46A5,-00000008), ref: 004E4698

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapCriticalRealizeSectionText$BrushDeleteEnterFillIndirectLeaveRectTable
String ID:
API String ID: 3271313764-0
Opcode ID: fe2f7d032ca60ba23a25b8aee0731278cea1c8a05eae85922534dd69cbd64bb5
Instruction ID: 35a244f6f23a8f79e02010a3497fee76c02ec5d27261e314751b2550eb949676
Opcode Fuzzy Hash: fe2f7d032ca60ba23a25b8aee0731278cea1c8a05eae85922534dd69cbd64bb5
Instruction Fuzzy Hash: 47121975A00248AFDB10DFAAC885F9EB7B9EF08315F118456F914EB291C778EE80CB55

Function 0040C520 Relevance: 21.0, APIs: 8, Strings: 4, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(0051AC10,0050E037,00000400,00000000,0050E0D7), ref: 0040C525
GetVersion.KERNEL32(0051AC10,0050E037,00000400,00000000,0050E0D7), ref: 0040C533
GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,0051AC10,0050E037,00000400,00000000,0050E0D7), ref: 0040C55A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040C560
GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,0051AC10,0050E037,00000400,00000000,0050E0D7), ref: 0040C574
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040C57A
GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,0051AC10,0050E037,00000400,00000000,0050E0D7), ref: 0040C58E
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040C594

Strings

SetThreadPreferredUILanguages, xrefs: 0040C56A
GetThreadPreferredUILanguages, xrefs: 0040C550
kernel32.dll, xrefs: 0040C555, 0040C56F, 0040C589
GetThreadUILanguage, xrefs: 0040C584

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc$CriticalInitializeSectionVersion
String ID: GetThreadPreferredUILanguages$GetThreadUILanguage$SetThreadPreferredUILanguages$kernel32.dll
API String ID: 74573329-1403180336
Opcode ID: 3eb0d1b683875d0a4e7ed686173063676bd5968c29d9e357da0c930b2f0c2479
Instruction ID: 8edfc10a46b7400df28ad4f2c85025a5e0675a444164cbed82ad90a550fe5e83
Opcode Fuzzy Hash: 3eb0d1b683875d0a4e7ed686173063676bd5968c29d9e357da0c930b2f0c2479
Instruction Fuzzy Hash: 15F05EB8951B10BADA023772AD8375F3680DA1070CB20853BB100790D2DEBC19549E9E

Function 004FFD00 Relevance: 20.0, APIs: 10, Strings: 1, Instructions: 742windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 004FFE79
CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 004FFEC0
DeleteObject.GDI32(00000000), ref: 004FFEDE
DeleteDC.GDI32(00000000), ref: 004FFEE7
SelectObject.GDI32(00000000,00000000), ref: 004FFF18
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 004FFF47
BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 00500607
SelectObject.GDI32(00000000,?), ref: 00500614
DeleteObject.GDI32(00000000), ref: 0050061D
DeleteDC.GDI32(00000000), ref: 00500626

Strings

4iQ, xrefs: 004FFE65

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: DeleteObject$CreateSelect$CompatibleSection
String ID: 4iQ
API String ID: 1283611041-1953506770
Opcode ID: 8e7ca6eaf7f303235836d2fe6fad7e6eca80f6b1add5d009122c9deb3bb07636
Instruction ID: 94f63837fbccb7ff26564b1a70defe71eccbe7e9b911c4b4ca547f9a17f0338c
Opcode Fuzzy Hash: 8e7ca6eaf7f303235836d2fe6fad7e6eca80f6b1add5d009122c9deb3bb07636
Instruction Fuzzy Hash: EB528D71E042598FCB15CFA9C881BEDBBF2FF45300F1481AAE458EB392C638A945DB14

Function 0040CBF8 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 140stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,0041A5A8,?,?), ref: 0040CC15
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040CC26
FindFirstFileW.KERNEL32(?,?,kernel32.dll,0041A5A8,?,?), ref: 0040CD26
FindClose.KERNEL32(?,?,?,kernel32.dll,0041A5A8,?,?), ref: 0040CD38
lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,0041A5A8,?,?), ref: 0040CD44
lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,0041A5A8,?,?), ref: 0040CD89

Strings

\, xrefs: 0040CD56
kernel32.dll, xrefs: 0040CC10
GetLongPathNameW, xrefs: 0040CC20

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameW$\$kernel32.dll
API String ID: 1930782624-3908791685
Opcode ID: 047ad798f282a4f53d2bfa85006bf39dd452bc892cd983c7192c00f70524a19f
Instruction ID: 182d901b7ba620ca83dfe24b28ff924219823170be1df94bbfac5eeb8ceb1ef4
Opcode Fuzzy Hash: 047ad798f282a4f53d2bfa85006bf39dd452bc892cd983c7192c00f70524a19f
Instruction Fuzzy Hash: 73417F71A00618DBDB20EBA4CCC5ADEB3B5AF84314F1846BA9504F72C1E77CAE45CB49

Function 00509A20 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 202libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00509C85,?,00000000,?,00000000), ref: 00509AA2
IsBadReadPtr.KERNEL32(?,00000014), ref: 00509C56

Strings

BuildImportTable: ReallocMemory failed, xrefs: 00509B34
BuildImportTable: can't load library: , xrefs: 00509AE9
BuildImportTable: GetProcAddress failed, xrefs: 00509C29
lQ, xrefs: 00509AE4, 00509B2F, 00509C24

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: LibraryLoadRead
String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library: $lQ
API String ID: 1452896035-1384709149
Opcode ID: e0fc64dca806d3be3a8ac4dcd0a74503476e48db07fa8fb0a4d4368182ae7ff9
Instruction ID: 7c3fc0d13e8cf1acba2340dac0967fe3ff4e6d85d22d1b6eeace5c3c395b94fa
Opcode Fuzzy Hash: e0fc64dca806d3be3a8ac4dcd0a74503476e48db07fa8fb0a4d4368182ae7ff9
Instruction Fuzzy Hash: 29715D70A00205AFEB10EB69C886BEEBBF9FF88310F0084A9E555D7396D774AD45CB50

Function 005096C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,00509649,?,?,?,?,?,00000000,00000000), ref: 00509730
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00000000,00509649,?,?,?,?,?,00000000,00000000), ref: 0050975F
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00000000,00509649,?,?,?,?,?,00000000,00000000), ref: 0050976A
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,00509649,?,?,?,?,?,00000000,00000000), ref: 00509770
VirtualFree.KERNEL32(?,?,00008000,?,?,?,?,00000000,00509649,?,?,?,?,?,00000000,00000000), ref: 005097B0

Strings

Q, xrefs: 00509775, 0050978F, 005097A2

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Free$HeapVirtual$LibraryProcess
String ID: Q
API String ID: 565514093-1716927825
Opcode ID: 70b434da8a455db8f6bd9fa7b5ae8e263af5e9c5d5d2cf6098079e8d839ee7b5
Instruction ID: e6efedfb7ad508276135ca547e941b483f7945af44cc1360eb0dc6f9bcda0346
Opcode Fuzzy Hash: 70b434da8a455db8f6bd9fa7b5ae8e263af5e9c5d5d2cf6098079e8d839ee7b5
Instruction Fuzzy Hash: 75318C76204605AFD320EF69CC84F6ABBA8FB86714F108659F554CB2A6D720EC4587A0

Function 004AA910 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?,?,?,?,00000000,?,004AA7FE,00000000,?), ref: 004AA927
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,004AA7FE,00000000,?), ref: 004AA941
SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,004AA7FE,00000000,?), ref: 004AA95B
LockResource.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,004AA7FE,00000000), ref: 004AA965

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: fc04eeb3631007fa40f9e630dbcfa29d272b4c52aaff94a3e4b6f83a4223a638
Instruction ID: cb9b2a388fffd021e353bf4cf2117ea65373932cb549638ab777629fd56d0805
Opcode Fuzzy Hash: fc04eeb3631007fa40f9e630dbcfa29d272b4c52aaff94a3e4b6f83a4223a638
Instruction Fuzzy Hash: 96F062B26042047F5744EE5EA841D5B7BECDE5A264310011FF908D7207DA38ED51837D

Function 0040C79C Relevance: 4.6, APIs: 3, Instructions: 99COMMON

Download Yara Rule

APIs

IsValidLocale.KERNEL32(?,00000002,00000000,0040C901,?,0041A5A8,?,00000000), ref: 0040C846
GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,0040C901,?,0041A5A8,?,00000000), ref: 0040C862
GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,0040C901,?,0041A5A8,?,00000000), ref: 0040C873

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Locale$Info$Valid
String ID:
API String ID: 1826331170-0
Opcode ID: d62bc5ecf4585d0b78f38a216359797881bb5583d195145a11d1f228b605bdfe
Instruction ID: 2a28b5b25d505860436f04a2e6c8396a795a98c7f85c76968f02c108a8d9c51a
Opcode Fuzzy Hash: d62bc5ecf4585d0b78f38a216359797881bb5583d195145a11d1f228b605bdfe
Instruction Fuzzy Hash: BB319C71A0061CEBDB20EB55DC81BDE77B9EB44705F6042BAA508B32D0D6395E80DE59

Function 004EA1D8 Relevance: 4.6, APIs: 3, Instructions: 51fileclipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32(0000000E), ref: 004EA1E5
CopyEnhMetaFileW.GDI32(00000000,00000000), ref: 004EA207
GetEnhMetaFileHeader.GDI32(?,0000006C,?,00000000,00000000), ref: 004EA219

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: FileMeta$ClipboardCopyDataHeader
String ID:
API String ID: 1752724394-0
Opcode ID: fb350438d8fd3a27722cbb123cc8174b2644eb1e00c4f0dbea60cfcb4583eaa9
Instruction ID: 39c742b128a1c2fd6847a1dd24020ee331ecc18ba2b97133fe36bf2f9f239602
Opcode Fuzzy Hash: fb350438d8fd3a27722cbb123cc8174b2644eb1e00c4f0dbea60cfcb4583eaa9
Instruction Fuzzy Hash: A3118E726003448FC710DFAEC885A9AB7F8EF09314F10466EE509DB352DA74EC48CB94

Function 004EFE80 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 783COMMON

Download Yara Rule

Strings

jjj, xrefs: 004F0654

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID:
String ID: jjj
API String ID: 0-2289343631
Opcode ID: 379f3ad564931047c85a0e8324c1b925258155478eac1b2c346929ac29ebc0ac
Instruction ID: 0e6e8520d3be3831dee58035f3478674022d586b9291955b557444e96a04ac11
Opcode Fuzzy Hash: 379f3ad564931047c85a0e8324c1b925258155478eac1b2c346929ac29ebc0ac
Instruction Fuzzy Hash: CB723970600204CFDB29CF19D9C0B677BA2FB95315F14869AD9464F38BC738E856CB6A

Function 004F1FC4 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 699COMMON

Download Yara Rule

Strings

9Q, xrefs: 004F22AF

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID:
String ID: 9Q
API String ID: 0-4141447236
Opcode ID: c85e39b14b60b4e960e998f2343e0d1547b2847ac62002dfaddbb849c39a277c
Instruction ID: 872c69647381f06e73c0189917d9e5469cc943f97499b4375cee1c22dc96545a
Opcode Fuzzy Hash: c85e39b14b60b4e960e998f2343e0d1547b2847ac62002dfaddbb849c39a277c
Instruction Fuzzy Hash: 40626D70900209DFDB19CF58C984BBEBBB1BF88304F15819ADD559B386C778D985CB89

Function 004B8000 Relevance: 3.1, APIs: 2, Instructions: 61COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(00000000,004B80BB), ref: 004B8032
RaiseException.KERNEL32(406D1388,00000000,00000004,00001000,00000000,004B808D,?,00000000,004B80BB), ref: 004B807E

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: DebuggerExceptionPresentRaise
String ID:
API String ID: 1899633966-0
Opcode ID: 918f654b1989dfd3ee398986ac0d4d5983e76a9e6b43d16da8286ca8f312fc4d
Instruction ID: aa851b4e1d0f37632037c728c599de388d05abd6bc809da2430ac8adde4c7f7f
Opcode Fuzzy Hash: 918f654b1989dfd3ee398986ac0d4d5983e76a9e6b43d16da8286ca8f312fc4d
Instruction Fuzzy Hash: 7A11D671A14208AFD710EF65DC52ADEBBFCEB48704F61447BE500E3651EB785E04CA68

Function 004E5AA0 Relevance: 3.0, APIs: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,004E5B3C,?,00000000,?,004E5B54,00000000,004EB19B,00000000,004EB33B,?,00000000,00000054,?,00000000,?), ref: 004E5AC0
FormatMessageW.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,004E5B3C,?,00000000,?,004E5B54,00000000,004EB19B,00000000), ref: 004E5AE6

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 3d658324b1b03f1d33dfdd215c91ea1b99e4dd16f5471f85141302732c58e772
Instruction ID: c91c4b4c8320e0c1e530085dddd9d5d25a400c360d6da16a75b1d286b8cd0c3b
Opcode Fuzzy Hash: 3d658324b1b03f1d33dfdd215c91ea1b99e4dd16f5471f85141302732c58e772
Instruction Fuzzy Hash: 7401AC707147455FE721FB628D92F9977A8DB04709F5044BAF704E62C3EAB86D40891D

Function 004219D8 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 004219F9

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 7055af4c37e798c4eedd1ab66a3f56a97fac90cff517f4e9d1e1818016eb5d1c
Instruction ID: 0ac6486f21f903cb75f282dfc890b26380fbcd4d5ccfbab9b17402b0b1878633
Opcode Fuzzy Hash: 7055af4c37e798c4eedd1ab66a3f56a97fac90cff517f4e9d1e1818016eb5d1c
Instruction Fuzzy Hash: 6011CCB5A00209AFDB04CF99C8819AFB7F9EFC8704B14C56AA509E7354E6319A41CBA4

Function 00425334 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00425352

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ea3b3c1b5a1cf1a130d0f040b5935ae3e0cd2e837d4e3e09926aa746a21f6665
Instruction ID: 4ace5e9765896cc83d0c08b398fcb6cdb51b1f9deae2cd3a8e1490c56280457a
Opcode Fuzzy Hash: ea3b3c1b5a1cf1a130d0f040b5935ae3e0cd2e837d4e3e09926aa746a21f6665
Instruction Fuzzy Hash: DEE0D87171071817D714A9599C86DFBB25CAB88340F4045BFBE05D7383EDB49E4446ED

Function 0042920C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(00428FB4,00000002,?,?,0042958D,004257FD,?,00000000,0042583E,?,?,?,00000000,00000000), ref: 00429239

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: cca9abc3a11610917688cb0633c448d3797570d25fd4a641b53c3c50ab693acf
Instruction ID: 63fa091e9d080db82cecbc2cc5fa61dc70d90b6f989caf0edc4abe69f196ef62
Opcode Fuzzy Hash: cca9abc3a11610917688cb0633c448d3797570d25fd4a641b53c3c50ab693acf
Instruction Fuzzy Hash: A0E02662B415319BC120B7BA1E43B9A7A024F81BA4F08857BF498DF3C3EA6D0C0541FE

Function 00425380 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,00425482,?,00000001,00000000,00425691), ref: 00425393

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e6b6a51cb939c12e8be8693ad0cf5385fb4deb90edb709e785ba876ef48dd5f6
Instruction ID: 9eed19484239e9ca95c0a1dfbed1db1bf7cda38a4e2fdab08b9ea4c2367ee6e5
Opcode Fuzzy Hash: e6b6a51cb939c12e8be8693ad0cf5385fb4deb90edb709e785ba876ef48dd5f6
Instruction Fuzzy Hash: 0BD05EA631922036E210915B7E45DBB5ADCDBC47B2F14483FBE48CA201D2A4CC059275

Function 00428FD0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000003,?,00000400,?,00429086,?,00000000,004291D3), ref: 00428FEB

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e4b498ff0c44464bb9c319f2c4cdb7eba90f2cd8f1e1edfbafd7f3df4e5c9a38
Instruction ID: a303c1cb07ff97bfd8ef16a179b2a7490fc3f5062c6a27ca45c0f37d97ec2e54
Opcode Fuzzy Hash: e4b498ff0c44464bb9c319f2c4cdb7eba90f2cd8f1e1edfbafd7f3df4e5c9a38
Instruction Fuzzy Hash: F6D0A7E1B2420023E30426548C42B6722889B84704F10443C7784973C0EE7C591552BF

Function 00423868 Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0042386C

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 4c927502ff6ca848d6d79f783507b1be3d95d0ac7cdb7b449a5a22e2f4b00210
Instruction ID: 8da0d5d7dce6a760fb6fb5968247694cf968f8d8edeffb1c78389c91dfcd4fca
Opcode Fuzzy Hash: 4c927502ff6ca848d6d79f783507b1be3d95d0ac7cdb7b449a5a22e2f4b00210
Instruction Fuzzy Hash: 25A0125044582011814037190C0317570405840621FC40789B8F8403D1E91E026040D7

Function 004F6704 Relevance: 1.5, Strings: 1, Instructions: 230COMMON

Download Yara Rule

Strings

xGQ, xrefs: 004F670A

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID:
String ID: xGQ
API String ID: 0-116873306
Opcode ID: e390bb8781cfb50e0bf67600d25b5dc8b096431c9f5b13ce083519ddae5a6ed1
Instruction ID: b43b3417401406a326c0658d495f7bfac22fcab4f87dfe3d4983a9788a7a34dd
Opcode Fuzzy Hash: e390bb8781cfb50e0bf67600d25b5dc8b096431c9f5b13ce083519ddae5a6ed1
Instruction Fuzzy Hash: 84814D77D105774BE7628E28C8043A17392AFDC39DF6B42B4ED04ABA42D536BD5386C0

Function 004F6444 Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

xGQ, xrefs: 004F644A

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID:
String ID: xGQ
API String ID: 0-116873306
Opcode ID: 6bc0205b4ab2c64538ca0b113fa78fac9b85d5e4605181a21ca93e4cce34d19d
Instruction ID: 9cfbf6d39703a2f841c89ad7d8bc5bd644356b16f8883d5035a763e39ed3e34d
Opcode Fuzzy Hash: 6bc0205b4ab2c64538ca0b113fa78fac9b85d5e4605181a21ca93e4cce34d19d
Instruction Fuzzy Hash: DB711877D204775BEB609E68C8043617392EF8925CF6B46B4DE04BBA42C636BD539AC0

Function 0043B4C4 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96dbd05c6a5cda271e1d6996937e8b3347f306cca49e2da1ac7c058721fcefef
Instruction ID: 0e1373ad738d05412743fbfe0b30fd2dda4791c2bd02ca1af8785a3d2d390580
Opcode Fuzzy Hash: 96dbd05c6a5cda271e1d6996937e8b3347f306cca49e2da1ac7c058721fcefef
Instruction Fuzzy Hash: 8702BE32910235DFDB96CF6AC040109B7B6FF8A72472A82D6D854AB229D370BE51DFD1

Function 004F5F80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8e7f5fa08233c9cf6af3f4da3c8a8b0854dd8decd54ec8197df6d450736b3b
Instruction ID: 3b8a4b9bdbcbb050131b8f531c600d22b301e14a5b3c7c96b4b24d21a3266e97
Opcode Fuzzy Hash: 3c8e7f5fa08233c9cf6af3f4da3c8a8b0854dd8decd54ec8197df6d450736b3b
Instruction Fuzzy Hash: 2871A53238978207E7288E7D9CE02B7EAD35FC531872EC97D95DAC3F42D979A4164248

Function 004B0F64 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b4a472199e05cc7d5662b025e4d780bd874dc3e3dcfc1069f2e998be189936
Instruction ID: b7ad73d6065eefe40be1e3c61ddaa82719b5b59149f48ac65b38381fd691009e
Opcode Fuzzy Hash: d7b4a472199e05cc7d5662b025e4d780bd874dc3e3dcfc1069f2e998be189936
Instruction Fuzzy Hash: F8418E31B002558BDB58EE2DC8D16A6B7A2AF94254B18C675DCA88F70BC938DD42C7A0

Function 004B10A8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b4a472199e05cc7d5662b025e4d780bd874dc3e3dcfc1069f2e998be189936
Instruction ID: 9a75494c871b48b3840d49ff1b59f6b632724ee8b9803b4084a2a4f9b95828cd
Opcode Fuzzy Hash: d7b4a472199e05cc7d5662b025e4d780bd874dc3e3dcfc1069f2e998be189936
Instruction Fuzzy Hash: 40419336A002559BDB48DE5DC8D1696B7A3BFC8314B19C675DCA88F70BC938DE02C7A0

Function 004E6918 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc20041c257ff7d61a283088bfa9f2de2708563aa29e0e00101f28d62c41ba6
Instruction ID: 2dc40e0aa77415d55bc0616e35fc77692ce9a422371aba29c42deb2143eb0115
Opcode Fuzzy Hash: 2bc20041c257ff7d61a283088bfa9f2de2708563aa29e0e00101f28d62c41ba6
Instruction Fuzzy Hash: EEE0016420010A8ED348BF38C1098A2B3E3EFECA1038BC4D0D44A9F23EF622C481C300

Function 004079E8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
Instruction ID: c1f34be03cf0569538104f0038f02cfb84df381903d0011f2ebedd3a3241928c
Opcode Fuzzy Hash: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
Instruction Fuzzy Hash: 76C0E9B550D6066E975C8F1AB480815FBE5FAC8324364C22EA01C83644D73154518A64

Function 004FABB4 Relevance: 49.7, APIs: 33, Instructions: 249windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 004FABD2
CreateDIBitmap.GDI32(?,?,00000004,?,?,00000000), ref: 004FABE7
SelectObject.GDI32(00000000,00000000), ref: 004FABEE
CreateCompatibleDC.GDI32(?), ref: 004FAC22
CreateCompatibleDC.GDI32(?), ref: 004FAC2E
CreateCompatibleDC.GDI32(?), ref: 004FAC3A
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 004FAC4D
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 004FAC5D
CreateCompatibleBitmap.GDI32(?,?,?), ref: 004FAC6B
SelectObject.GDI32(?,?), ref: 004FAC7B
SelectObject.GDI32(?,?), ref: 004FAC8B
SelectObject.GDI32(?,?), ref: 004FAC9B
SetBkColor.GDI32(00000000,?), ref: 004FACA8
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 004FACCC
SetBkColor.GDI32(00000000,?), ref: 004FACD6
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00330008), ref: 004FACF2
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 004FAD12
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 004FAD2E
StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,?,?,008800C6), ref: 004FAD4F
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00EE0086), ref: 004FAD70
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 004FAD90
SelectObject.GDI32(?,?), ref: 004FAD9D
DeleteObject.GDI32(00000000), ref: 004FADA3
SelectObject.GDI32(?,?), ref: 004FADB0
DeleteObject.GDI32(00000000), ref: 004FADB6
SelectObject.GDI32(?,?), ref: 004FADC3
DeleteObject.GDI32(00000000), ref: 004FADC9
SelectObject.GDI32(00000000,?), ref: 004FADD3
DeleteObject.GDI32(00000000), ref: 004FADD9
DeleteDC.GDI32(?), ref: 004FADE2
DeleteDC.GDI32(?), ref: 004FADEB
DeleteDC.GDI32(?), ref: 004FADF4
DeleteDC.GDI32(00000000), ref: 004FADFA

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Object$CreateDeleteSelect$Compatible$Bitmap$Stretch$Color
String ID:
API String ID: 881050057-0
Opcode ID: d06672be3dad3db98e6b51f863aed52956d6e0b67a9b4389ede429620055148c
Instruction ID: 825b2a03bc1370e51723bfade82acbff92c39003225e20d7aaefe19e3380dd92
Opcode Fuzzy Hash: d06672be3dad3db98e6b51f863aed52956d6e0b67a9b4389ede429620055148c
Instruction Fuzzy Hash: 82815BB2E40218BADB10DEE9CD85FDFBBBCAB09715F104459F604FB241D675AE408BA4

Function 0042EF9C Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 0042EFA5

Part of subcall function 0042EF70: GetProcAddress.KERNEL32(00000000), ref: 0042EF89

Strings

VarMod, xrefs: 0042F063
VarOr, xrefs: 0042F08F
VarBstrFromCy, xrefs: 0042F155
VarDateFromStr, xrefs: 0042F113
VarCyFromStr, xrefs: 0042F129
VariantChangeTypeEx, xrefs: 0042EFB3
VarMul, xrefs: 0042F021
oleaut32.dll, xrefs: 0042EFA0
VarR8FromStr, xrefs: 0042F0FD
VarXor, xrefs: 0042F0A5
VarAdd, xrefs: 0042EFF5
VarIdiv, xrefs: 0042F04D
VarBoolFromStr, xrefs: 0042F13F
VarBstrFromBool, xrefs: 0042F181
VarCmp, xrefs: 0042F0BB
VarR4FromStr, xrefs: 0042F0E7
VarNeg, xrefs: 0042EFC9
VarSub, xrefs: 0042F00B
VarAnd, xrefs: 0042F079
VarBstrFromDate, xrefs: 0042F16B
VarI4FromStr, xrefs: 0042F0D1
VarDiv, xrefs: 0042F037
VarNot, xrefs: 0042EFDF

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 51ba0cccc0257aa61a896f7588f8220aaff411b585e609356873e0dfdd144972
Instruction ID: 4d8a8b603ccf47e63391c59ab7cad31be334c78caf3acb6b5dd0fd78b8a56fbb
Opcode Fuzzy Hash: 51ba0cccc0257aa61a896f7588f8220aaff411b585e609356873e0dfdd144972
Instruction Fuzzy Hash: 15412761708239AA53046B6FBE0146677F8EA567103E1C4BBB404CBA69DB3CBC89573D

Function 004E5CEC Relevance: 37.7, APIs: 25, Instructions: 245windowCOMMON

Download Yara Rule

APIs

CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 004E5D2F
SelectObject.GDI32(?,?), ref: 004E5D44
MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029,00000000,004E5DB4,?,?), ref: 004E5D88
SelectObject.GDI32(?,?), ref: 004E5DA2
DeleteObject.GDI32(?), ref: 004E5DAE
CreateCompatibleDC.GDI32(00000000), ref: 004E5DC2
CreateCompatibleBitmap.GDI32(?,?,?), ref: 004E5DE3
SelectObject.GDI32(?,?), ref: 004E5DF8
SelectPalette.GDI32(?,24080E0F,00000000), ref: 004E5E0C
SelectPalette.GDI32(?,?,00000000), ref: 004E5E1E
SelectPalette.GDI32(?,00000000,000000FF), ref: 004E5E33
SelectPalette.GDI32(?,24080E0F,000000FF), ref: 004E5E49
RealizePalette.GDI32(?), ref: 004E5E55
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004E5E77
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 004E5E99
SetTextColor.GDI32(?,00000000), ref: 004E5EA1
SetBkColor.GDI32(?,00FFFFFF), ref: 004E5EAF
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 004E5EDB
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 004E5F00
SetTextColor.GDI32(?,?), ref: 004E5F0A
SetBkColor.GDI32(?,?), ref: 004E5F14
SelectObject.GDI32(?,00000000), ref: 004E5F27
DeleteObject.GDI32(?), ref: 004E5F30
SelectPalette.GDI32(?,00000000,00000000), ref: 004E5F52
DeleteDC.GDI32(?), ref: 004E5F5B

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
String ID:
API String ID: 3976802218-0
Opcode ID: 3b99c414ba9b8e17d0297b6d1cc91ed47fedb4eed9150b3b92ee304eb253ee2a
Instruction ID: 7f0def9165072cf9d883f52314ce78aa1451c16151fa126266b0f192455bcc58
Opcode Fuzzy Hash: 3b99c414ba9b8e17d0297b6d1cc91ed47fedb4eed9150b3b92ee304eb253ee2a
Instruction Fuzzy Hash: F08192B2A00209AFDB50DEA9CC85EEF7BEDAB0D715F100559F618E7240C238AE408B65

Function 004EB140 Relevance: 31.7, APIs: 21, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(00000000,00000054,?), ref: 004EB163
GetDC.USER32(00000000), ref: 004EB191
CreateCompatibleDC.GDI32(?), ref: 004EB1A2
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 004EB1BD
SelectObject.GDI32(?,00000000), ref: 004EB1D7
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 004EB1F9
CreateCompatibleDC.GDI32(?), ref: 004EB207
SelectObject.GDI32(00000000,00000000), ref: 004EB24F
SelectPalette.GDI32(00000000,?,00000000), ref: 004EB262
RealizePalette.GDI32(00000000), ref: 004EB26B
SelectPalette.GDI32(?,?,00000000), ref: 004EB277
RealizePalette.GDI32(?), ref: 004EB280
SetBkColor.GDI32(00000000,00000000), ref: 004EB28A
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 004EB2AE
SetBkColor.GDI32(00000000,00000000), ref: 004EB2B8
SelectObject.GDI32(00000000,00000000), ref: 004EB2CB
DeleteObject.GDI32(00000000), ref: 004EB2D7
DeleteDC.GDI32(00000000), ref: 004EB2ED
SelectObject.GDI32(?,00000000), ref: 004EB308
DeleteDC.GDI32(00000000), ref: 004EB324
ReleaseDC.USER32(00000000,00000000), ref: 004EB335

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
String ID:
API String ID: 332224125-0
Opcode ID: 12377b0042ab6e2186f72ca2209710d3867943cee396a54fa97a17432a339029
Instruction ID: a297371bd76699a261ad6334b1a26cfdb4486747052644e0b66a5fa1a439e62f
Opcode Fuzzy Hash: 12377b0042ab6e2186f72ca2209710d3867943cee396a54fa97a17432a339029
Instruction Fuzzy Hash: 1E51FF72E00355BBDB10DAEACC56FEFB7BCEF09705F10445AB614E7281D6789A408B94

Function 004EC71C Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 357windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004EC9A4
CreateCompatibleDC.GDI32(00000001), ref: 004ECA09
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 004ECA1E
SelectObject.GDI32(?,00000000), ref: 004ECA28
SelectPalette.GDI32(?,?,00000000), ref: 004ECA58
RealizePalette.GDI32(?), ref: 004ECA64
CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 004ECA88
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,004ECAE1,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 004ECA96
SelectPalette.GDI32(?,00000000,000000FF), ref: 004ECAC8
SelectObject.GDI32(?,?), ref: 004ECAD5
DeleteObject.GDI32(00000000), ref: 004ECADB

Strings

(, xrefs: 004EC8D2
BM, xrefs: 004EC83D

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
String ID: ($BM
API String ID: 2831685396-2980357723
Opcode ID: 51a74d50fb0d479c595bb902aeff8b0a43edf3e8b2616165d22cd558df0377f8
Instruction ID: 4eee36109a7003d341148a69d1f29571a8a2695b1317e52ac9f44060df3767e2
Opcode Fuzzy Hash: 51a74d50fb0d479c595bb902aeff8b0a43edf3e8b2616165d22cd558df0377f8
Instruction Fuzzy Hash: 01E16E71A002589FDF04DFAAC885BAEBBF5FF49305F10856AF904A7391D7389941CB58

Function 004EB698 Relevance: 24.3, APIs: 16, Instructions: 265windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004EC31C: GetDC.USER32(00000000), ref: 004EC372
Part of subcall function 004EC31C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 004EC387
Part of subcall function 004EC31C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 004EC391
Part of subcall function 004EC31C: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004EA7DB,00000000,004EA867), ref: 004EC3B5
Part of subcall function 004EC31C: ReleaseDC.USER32(00000000,00000000), ref: 004EC3C0

SelectPalette.GDI32(?,?,000000FF), ref: 004EB6DB
RealizePalette.GDI32(?), ref: 004EB6EA
GetStretchBltMode.GDI32(00000000), ref: 004EB6FC
GetDeviceCaps.GDI32(?,0000000C), ref: 004EB70D
GetDeviceCaps.GDI32(?,0000000E), ref: 004EB71C
GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C,00000000), ref: 004EB74F
SetStretchBltMode.GDI32(?,00000004), ref: 004EB75D
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C,00000000), ref: 004EB775
SetStretchBltMode.GDI32(00000000,00000003), ref: 004EB792
CreateCompatibleDC.GDI32(00000000), ref: 004EB7F3
SelectObject.GDI32(?,?), ref: 004EB808
SelectObject.GDI32(?,00000000), ref: 004EB867
DeleteDC.GDI32(00000000), ref: 004EB876

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: CapsDevice$ModePaletteSelectStretch$BrushCreateObject$CompatibleDeleteHalftoneRealizeRelease
String ID:
API String ID: 28117789-0
Opcode ID: 230a5d8b8307ea4118e7af7672871789c69a95fa8ce89b2824e3c90030dde8aa
Instruction ID: 489584e9c4cd725b990482e09af51c0bca80148c9d3d35cd6fb0d49a7a8e8351
Opcode Fuzzy Hash: 230a5d8b8307ea4118e7af7672871789c69a95fa8ce89b2824e3c90030dde8aa
Instruction Fuzzy Hash: 76A1D8B1600245AFDB40EFAAC985F9AB7E8EF08305F504559F605E7652D738ED40CBA4

Function 00509F94 Relevance: 22.7, APIs: 6, Strings: 9, Instructions: 217COMMON

Download Yara Rule

Strings

BTMemoryLoadLibary: Get DLLEntyPoint failed, xrefs: 0050A1AD
BTMemoryLoadLibary: VirtualAlloc failed, xrefs: 0050A078
BTMemoryLoadLibary: Can't attach library, xrefs: 0050A1D8
BTMemoryLoadLibary: dll dos header is not valid, xrefs: 00509FDC
PE, xrefs: 0050A010
BTMemoryLoadLibary: BuildImportTable failed, xrefs: 0050A160
lQ, xrefs: 00509FD7, 0050A01C, 0050A073, 0050A15B, 0050A16A, 0050A1A8, 0050A1D3
MZ, xrefs: 00509FCF
BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid, xrefs: 0050A021

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID:
String ID: BTMemoryLoadLibary: BuildImportTable failed$BTMemoryLoadLibary: Can't attach library$BTMemoryLoadLibary: Get DLLEntyPoint failed$BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid$BTMemoryLoadLibary: VirtualAlloc failed$BTMemoryLoadLibary: dll dos header is not valid$MZ$PE$lQ
API String ID: 0-2059722052
Opcode ID: bbed9eb468cebf002a226278f3335448ee460fcc8cc7b7010884f985b2be092a
Instruction ID: bdae32854a2fd172ce7eee17552d896155053bf6d751e7e58fb075aa5d9f108d
Opcode Fuzzy Hash: bbed9eb468cebf002a226278f3335448ee460fcc8cc7b7010884f985b2be092a
Instruction Fuzzy Hash: C2718C71B04305AFDB24DFA9DC81BAEBBF9FB88704F0484A9F504E7282DA749D058B55

Function 004E5B58 Relevance: 21.1, APIs: 14, Instructions: 131windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 004E5B6F
CreateCompatibleDC.GDI32(00000000), ref: 004E5B79
GetObjectW.GDI32(?,00000018,?), ref: 004E5B99
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 004E5BB0
GetDC.USER32(00000000), ref: 004E5BBC
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004E5BE9
ReleaseDC.USER32(00000000,00000000), ref: 004E5C0F
SelectObject.GDI32(?,?), ref: 004E5C2A
SelectObject.GDI32(?,00000000), ref: 004E5C39
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 004E5C65
SelectObject.GDI32(?,00000000), ref: 004E5C73
SelectObject.GDI32(?,00000000), ref: 004E5C81
DeleteDC.GDI32(?), ref: 004E5C97
DeleteDC.GDI32(?), ref: 004E5CA0

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
String ID:
API String ID: 644427674-0
Opcode ID: aef1841c4e128ff32c9b36ede18983638337cbd9838766df907cc8eb69374be7
Instruction ID: 17c9c49937640a7ee63a15ab90711d013368aaab887e413720973401a1c3c297
Opcode Fuzzy Hash: aef1841c4e128ff32c9b36ede18983638337cbd9838766df907cc8eb69374be7
Instruction Fuzzy Hash: 3D410C72E40754BFDB10EAE9C952FAFB7BCAB09705F50045AB600E7281D6789A4087A4

Function 004EB964 Relevance: 19.8, APIs: 13, Instructions: 255windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004EC31C: GetDC.USER32(00000000), ref: 004EC372
Part of subcall function 004EC31C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 004EC387
Part of subcall function 004EC31C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 004EC391
Part of subcall function 004EC31C: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004EA7DB,00000000,004EA867), ref: 004EC3B5
Part of subcall function 004EC31C: ReleaseDC.USER32(00000000,00000000), ref: 004EC3C0

SelectPalette.GDI32(?,?,000000FF), ref: 004EB9A7
RealizePalette.GDI32(?), ref: 004EB9B6
GetDeviceCaps.GDI32(?,0000000C), ref: 004EB9C8
GetDeviceCaps.GDI32(?,0000000E), ref: 004EB9D7
GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 004EBA0A
SetStretchBltMode.GDI32(?,00000004), ref: 004EBA18
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 004EBA30
SetStretchBltMode.GDI32(00000000,00000003), ref: 004EBA4D
CreateCompatibleDC.GDI32(00000000), ref: 004EBAAE
SelectObject.GDI32(?,?), ref: 004EBAC3
SelectObject.GDI32(?,00000000), ref: 004EBB22
DeleteDC.GDI32(00000000), ref: 004EBB31

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
String ID:
API String ID: 2414602066-0
Opcode ID: cd1fa1e0ecb1de98fa74186667cffcb93663ecd76ac09dee35a8bf4f5781b3c6
Instruction ID: 7ad90294f0dfa4864f0bea30e35c96d4e1fa41525923fe95d334a894f78dac22
Opcode Fuzzy Hash: cd1fa1e0ecb1de98fa74186667cffcb93663ecd76ac09dee35a8bf4f5781b3c6
Instruction Fuzzy Hash: 54912971604245AFDB50DFAAC981F9FBBE8AB08305F10455AF505E7651D738ED40CBA4

Function 004EE9A8 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsEqualGUID.OLE32(?,?), ref: 004EE9B4
IsEqualGUID.OLE32(?,00512700), ref: 004EE9D5
IsEqualGUID.OLE32(?,00512710), ref: 004EE9EB

Strings

@'Q, xrefs: 004EEA26
0'Q, xrefs: 004EEA10
'Q, xrefs: 004EE9FA
P'Q, xrefs: 004EEA3C

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Equal
String ID: 'Q$0'Q$@'Q$P'Q
API String ID: 4016716531-2080303212
Opcode ID: aa4b86813b141f7673803756baeb703b65751ce2089fe30f0f1aafc6a35ed793
Instruction ID: 3b25e7b379b8d5ec2b2337a204bca5eab6462174fdf46a10779ee1d09f703128
Opcode Fuzzy Hash: aa4b86813b141f7673803756baeb703b65751ce2089fe30f0f1aafc6a35ed793
Instruction Fuzzy Hash: 3A118B710085849EDB61DB2BAD80BF72B9D6F56305F04509BFD804F243D39D484E876E

Function 00425DC8 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 199threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00408850: GetTickCount.KERNEL32 ref: 00408887
Part of subcall function 00408850: GetTickCount.KERNEL32 ref: 0040889F

Part of subcall function 00425334: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00425352

GetThreadLocale.KERNEL32(00000000,00000004), ref: 00425E60
EnumCalendarInfoW.KERNEL32(00425C8C,00000000,00000000,00000004), ref: 00425E6B
GetThreadLocale.KERNEL32(00000000,00000003,00425C8C,00000000,00000000,00000004), ref: 00425EA6
EnumCalendarInfoW.KERNEL32(00425D30,00000000,00000000,00000003,00425C8C,00000000,00000000,00000004), ref: 00425EB1
GetThreadLocale.KERNEL32(00000000,00000004), ref: 00425F42
EnumCalendarInfoW.KERNEL32(00425C8C,00000000,00000000,00000004), ref: 00425F4D
GetThreadLocale.KERNEL32(00000000,00000003,00425C8C,00000000,00000000,00000004), ref: 00425F8A
EnumCalendarInfoW.KERNEL32(00425D30,00000000,00000000,00000003,00425C8C,00000000,00000000,00000004), ref: 00425F95

Strings

B.C., xrefs: 00425EF0
[B, xrefs: 00425E21, 00425EDD, 00426014

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: InfoLocale$CalendarEnumThread$CountTick
String ID: B.C.$[B
API String ID: 1601775584-1960173975
Opcode ID: 16270ab688083688dbcd8581444d9336086e6f2039b445ad45e114a0d5c3b501
Instruction ID: 696a8cbb88cbf135683503293481ae752516e7a6c47e6b4c93b3b9376ce1ac3d
Opcode Fuzzy Hash: 16270ab688083688dbcd8581444d9336086e6f2039b445ad45e114a0d5c3b501
Instruction Fuzzy Hash: 9761F570B006129FE710EF69E885AAA77E5EF44724B51857EF400EB3E1C738AD41DB98

Function 004ED7A0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 258windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004ED0C0: DeleteObject.GDI32(00000000), ref: 004ED206

DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004ED865
GetDIBits.GDI32(00000000,00000000,00000000,00000000,?,?), ref: 004ED8E3
GetIconInfo.USER32(00000000,?), ref: 004ED947
GetDIBits.GDI32(00000000,?,00000000,00000000,?,00000000,?), ref: 004ED980
SetDIBits.GDI32(00000000,00000000,?,00000000,?,00000000,004EDA2B), ref: 004ED9E9
DeleteObject.GDI32(?), ref: 004ED9FF
DeleteObject.GDI32(?), ref: 004EDA08

Strings

, xrefs: 004ED890
,, xrefs: 004ED86A

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: BitsDeleteObject$Icon$DrawInfo
String ID: $,
API String ID: 1810795657-71045815
Opcode ID: 0c5187b6c173e4ec8a62df78b25059c000a8f0dee15bd527dab433ee5dea9988
Instruction ID: 3b15df45811348dce314f71d9fb3896dfd83895a50164542f8512fd99f32aa23
Opcode Fuzzy Hash: 0c5187b6c173e4ec8a62df78b25059c000a8f0dee15bd527dab433ee5dea9988
Instruction Fuzzy Hash: F4913871B00145AFD700EFAAC885A9EBBF9FF48305F6041AAF505EB251DA34ED45CB94

Function 004253AC Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 216threadCOMMON

Download Yara Rule

APIs

IsValidLocale.KERNEL32(?,00000001,00000000,00425691,?,?,?,?,00000000,00000000), ref: 004253D3
GetThreadLocale.KERNEL32(?,00000001,00000000,00425691,?,?,?,?,00000000,00000000), ref: 004253DC

Part of subcall function 00425380: GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,00425482,?,00000001,00000000,00425691), ref: 00425393

Part of subcall function 00425334: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00425352

Strings

AMPM, xrefs: 0042560A
:mm:ss, xrefs: 00425644
mmmm d, yyyy, xrefs: 00425502
AMPM , xrefs: 00425619
m/d/yy, xrefs: 004254DD
2, xrefs: 0042566D
:mm, xrefs: 00425629

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Locale$Info$ThreadValid
String ID: AMPM$2$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 233154393-3379564615
Opcode ID: ecbc7d69b4f11c979955816f9b11cd38cc839c94d643873308f8a088d78fbf3d
Instruction ID: ae11f37f10c7c7cc2ece4aa2851bd9592c5e3db29736d4fa45ff2483457f4832
Opcode Fuzzy Hash: ecbc7d69b4f11c979955816f9b11cd38cc839c94d643873308f8a088d78fbf3d
Instruction Fuzzy Hash: 597122307005699BDB01EBA5E881ADE72A6DF84344FD0807BF904EB646DB3CDE16879D

Function 004266A0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 97filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004264A8: VirtualQuery.KERNEL32(?,?,0000001C,00000000,00426654), ref: 004264DB
Part of subcall function 004264A8: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 004264FF
Part of subcall function 004264A8: GetModuleFileNameW.KERNEL32(MZP,?,00000105), ref: 0042651A
Part of subcall function 004264A8: LoadStringW.USER32(00000000,0000FFEB,?,00000100), ref: 004265B5

WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,004267C5), ref: 00426701
WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00426734
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00426746
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0042674C
GetStdHandle.KERNEL32(000000F4,004267E0,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 00426760
WriteFile.KERNEL32(00000000,000000F4,004267E0,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 00426766
LoadStringW.USER32(00000000,0000FFEC,?,00000040), ref: 0042678A
MessageBoxW.USER32(00000000,?,?,00002010), ref: 004267A4

Strings

tfB, xrefs: 00426711, 004267B9

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
String ID: tfB
API String ID: 135118572-130872579
Opcode ID: 4dc91e52a7a31e98c0bad970565592839a14b729ab9cdca4ae5779fedf203f57
Instruction ID: 05b6e8fc3f298ffc30354057855b13551d5edc207cf2acb8f2b5bf8f3af3ad0b
Opcode Fuzzy Hash: 4dc91e52a7a31e98c0bad970565592839a14b729ab9cdca4ae5779fedf203f57
Instruction Fuzzy Hash: 29318475744218BFEB10EB65DC83FDA73BCEB04704F9041A6B604E61D1DA74AE84876D

Function 004E4AC0 Relevance: 15.2, APIs: 10, Instructions: 228windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E4778: EnterCriticalSection.KERNEL32(0051DE34,?,004E4858,?,?,?,?,?,?,?,?,00000000,004E4870,?,0051DE34), ref: 004E4780
Part of subcall function 004E4778: LeaveCriticalSection.KERNEL32(0051DE34,0051DE34,?,004E4858,?,?,?,?,?,?,?,?,00000000,004E4870,?,0051DE34), ref: 004E478D
Part of subcall function 004E4778: EnterCriticalSection.KERNEL32(?,0051DE34,0051DE34,?,004E4858,?,?,?,?,?,?,?,?,00000000,004E4870), ref: 004E4796

CreateCompatibleDC.GDI32(00000000), ref: 004E4B64
SelectObject.GDI32(?,?), ref: 004E4B74
StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00CC0020), ref: 004E4C70
SetTextColor.GDI32(?,00000000), ref: 004E4C7E
SetBkColor.GDI32(?,00FFFFFF), ref: 004E4C92
StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00E20746), ref: 004E4CC5
SetTextColor.GDI32(?,?), ref: 004E4CD5
SetBkColor.GDI32(?,?), ref: 004E4CE5
SelectObject.GDI32(?,00000000), ref: 004E4D15
DeleteDC.GDI32(?), ref: 004E4D1E

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Color$CriticalSection$EnterObjectSelectStretchText$CompatibleCreateDeleteLeave
String ID:
API String ID: 675119849-0
Opcode ID: 17a9f5c396fd801cce45f3af1a2c03a7e908330b3a1013798d2b0e4747143bd7
Instruction ID: 71bf14b9f78042d93af0d274de238ac5bd12102c0260bb26fb2fcf8b95af7db9
Opcode Fuzzy Hash: 17a9f5c396fd801cce45f3af1a2c03a7e908330b3a1013798d2b0e4747143bd7
Instruction Fuzzy Hash: EE919375A00248AFCB40DFAAC981E9EBBF9EF4D315B10449AF505EB661C734EE41CB64

Function 004085C8 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 004085DD
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004085E3
GetLogicalProcessorInformation.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 004085F6
GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 004085FF
GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,00408676,?,00000000,?,GetLogicalProcessorInformation), ref: 0040862A

Strings

GetLogicalProcessorInformation, xrefs: 004085D3
kernel32.dll, xrefs: 004085D8
@, xrefs: 0040867D

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: InformationLogicalProcessor$AddressErrorHandleLastModuleProc
String ID: @$GetLogicalProcessorInformation$kernel32.dll
API String ID: 1184211438-79381301
Opcode ID: 9b6de5aca907aff7f49779a1cb565253b723d78320fe21404139914b83ab067e
Instruction ID: 500c6e41f31b7fdb6d34238680861789b78f08bdeabe16a24c436e355b3d89bb
Opcode Fuzzy Hash: 9b6de5aca907aff7f49779a1cb565253b723d78320fe21404139914b83ab067e
Instruction Fuzzy Hash: E0116370D00208AADB10EBA5CA05B5EB7A4DF04304F1288BFE854B72C1DA7E8E508E59

Function 00410594 Relevance: 13.8, APIs: 9, Instructions: 258COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0041064C

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 01433c88fba5b4f775e71df606895a677a3445a2bc368d898035e78ffffcbf29
Instruction ID: 0ce41ded5bccfca64fbac36b7d610e41f84856dd8e2a7bbc42b78d3b128abe8f
Opcode Fuzzy Hash: 01433c88fba5b4f775e71df606895a677a3445a2bc368d898035e78ffffcbf29
Instruction Fuzzy Hash: 0CA19075A013099FDB20DFA8D881BEEB7B5FF58310F14812AE915A7390DBB4A9C4CB54

Function 00430A54 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00430AED
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00430B09
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00430B42
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00430BBF
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 00430BD8
VariantCopy.OLEAUT32(?), ref: 00430C0D

Strings

, xrefs: 00430A6E

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-3916222277
Opcode ID: b24821290767192b64c8f13178bb3ebd50a91d5dafaf8b93d1d09599547c4c5d
Instruction ID: c5ac3e0bb315912875ce6d6a8b12eb4200af54bb65bf5f77a9b42e84e07fd96b
Opcode Fuzzy Hash: b24821290767192b64c8f13178bb3ebd50a91d5dafaf8b93d1d09599547c4c5d
Instruction Fuzzy Hash: 2C51227590022D9BCB25DB59CC91BDAB3BCAF4C304F0052DAF548E7252D634AF848F65

Function 004E9A04 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122fileCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 004E9AA6
MulDiv.KERNEL32(?,000009EC,00000000), ref: 004E9AC3
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 004E9AEF
GetEnhMetaFileHeader.GDI32(00000016,0000006C,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 004E9B0F
DeleteEnhMetaFile.GDI32(00000016), ref: 004E9B30
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,0000006C,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 004E9B43

Strings

`, xrefs: 004E9A8B

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: FileMeta$Bits$DeleteHeader
String ID: `
API String ID: 1990453761-2679148245
Opcode ID: 1bc734305bfd0bdb724ca875092e956d4852018e6443de175511f346f92c27bf
Instruction ID: e4881d64baec76ee9eafe246b21c5bc9d5a9281d976d74d65e8b275913b0d6f5
Opcode Fuzzy Hash: 1bc734305bfd0bdb724ca875092e956d4852018e6443de175511f346f92c27bf
Instruction Fuzzy Hash: 8A412275D00248AFDB40DFA9C881AAEB7F9FF48711F50816AF904EB241E7389E40CB64

Function 004061E4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4,00405358,00000000,?,00000000,?,?,00000000,00406B8F), ref: 00406206
WriteFile.KERNEL32(00000000,000000F4,00405358,00000000,?,00000000,?,?,00000000,00406B8F), ref: 0040620C
GetStdHandle.KERNEL32(000000F4,00405354,00000000,?,00000000,00000000,000000F4,00405358,00000000,?,00000000,?,?,00000000,00406B8F), ref: 0040622B
WriteFile.KERNEL32(00000000,000000F4,00405354,00000000,?,00000000,00000000,000000F4,00405358,00000000,?,00000000,?,?,00000000,00406B8F), ref: 00406231
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,00405354,00000000,?,00000000,00000000,000000F4,00405358,00000000,?), ref: 00406248
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,00405354,00000000,?,00000000,00000000,000000F4,00405358,00000000), ref: 0040624E

Strings

TS@, xrefs: 00406218, 00406223

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: FileHandleWrite
String ID: TS@
API String ID: 3320372497-1941835897
Opcode ID: 773f2b01c096205ed1640b90909cb80b96b374e64d656fdce13fcbbb072e403a
Instruction ID: 82cfcf8d63e4733cb96d407babe502fa205990dff362196b090b8b3cf9cfd937
Opcode Fuzzy Hash: 773f2b01c096205ed1640b90909cb80b96b374e64d656fdce13fcbbb072e403a
Instruction Fuzzy Hash: 9D0162A16486147DE110F2BA9C8AF6F368CDB18724F10077E7618F60D2C5785C449B7A

Function 0040591C Relevance: 12.3, APIs: 7, Strings: 1, Instructions: 298sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 004059D3
Sleep.KERNEL32(0000000A,00000000), ref: 004059E9
Sleep.KERNEL32(00000000), ref: 00405A17
Sleep.KERNEL32(0000000A,00000000), ref: 00405A2D

Strings

@., xrefs: 00405AB4, 00405AD6, 00405BEC, 00405C02

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Sleep
String ID: @.
API String ID: 3472027048-4201455939
Opcode ID: ada7fe0ad1e969fa1615a2ce2c1f205a77d44d1215cb1e65cc2c198de2b16ae9
Instruction ID: a95b6186faaf28ee99436786a323c89c11953a43e3af36f3f78c15d8c677067a
Opcode Fuzzy Hash: ada7fe0ad1e969fa1615a2ce2c1f205a77d44d1215cb1e65cc2c198de2b16ae9
Instruction Fuzzy Hash: 0DC16972601B118FD725CF28D884367BBA1EB95320F1882BFD4059B3D5C778A849DF88

Function 00405CA0 Relevance: 12.2, APIs: 8, Instructions: 221sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?,?,00000000,00405912), ref: 00405D36
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,00405912), ref: 00405D50

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: b3bac45a803a588073ab35a9efb47af0939235da5b92122c96ba95b50cef7661
Instruction ID: 4f935fbc936f4d5eb3d08406d1a455a3bc696dbd4939a17767f2164eefdcc051
Opcode Fuzzy Hash: b3bac45a803a588073ab35a9efb47af0939235da5b92122c96ba95b50cef7661
Instruction Fuzzy Hash: 1371D231604B008FE725DB28D888B67BBD4EF95314F14C2BFD844AB3D2D67888459F59

Function 004E6084 Relevance: 12.1, APIs: 8, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004E60B2
GetDeviceCaps.GDI32(?,00000068), ref: 004E60CE
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004E60ED
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004E6111
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 004E612F
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 004E6143
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004E6163
ReleaseDC.USER32(00000000,?), ref: 004E617B

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: EntriesPaletteSystem$CapsDeviceRelease
String ID:
API String ID: 1781840570-0
Opcode ID: 76daa9d26c080c564ad9041f13802c656f185a4c8ec9210214833560b50aa864
Instruction ID: 253042d8ae561a030da4b25cfcc59df415f83bc43ecdec077c49d488911ed581
Opcode Fuzzy Hash: 76daa9d26c080c564ad9041f13802c656f185a4c8ec9210214833560b50aa864
Instruction Fuzzy Hash: 8F2156B1A40218BADB50DFA5DD86F9EB3BCEB08705F510496F704E71C1D679AF408B28

Function 00405E98 Relevance: 10.9, APIs: 7, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6090a39ba4113efe279c4ce94d3a27bfd3a3f347abc7f88e99f6aa2524520e12
Instruction ID: 14c4d9104ddc23c6b9370c21b65e9a421d4bec3d23930416dd05d6dcb6f7df23
Opcode Fuzzy Hash: 6090a39ba4113efe279c4ce94d3a27bfd3a3f347abc7f88e99f6aa2524520e12
Instruction Fuzzy Hash: 01C12262710A014BD714AA7D9C8836FB286DBC4325F68823FE645EB3C6DA7CCC458B58

Function 00501CB0 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 00501CF9
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00501D28
SelectObject.GDI32(?,?), ref: 00501D38
DeleteObject.GDI32(?), ref: 00501F51
DeleteDC.GDI32(?), ref: 00501F5D

Strings

|O, xrefs: 00501FB6

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: CreateDeleteObject$CompatibleSectionSelect
String ID: |O
API String ID: 2986811175-2178481767
Opcode ID: 2df93c88a6f9227f66246be59c453fae4e967564d741f929fa9c523e36daefe2
Instruction ID: bacbab17e1aa0ea713adc525329d28f7a5ba5f694b97a22e1cece38a515db1a1
Opcode Fuzzy Hash: 2df93c88a6f9227f66246be59c453fae4e967564d741f929fa9c523e36daefe2
Instruction Fuzzy Hash: D6B1C575E0060A9FCB04DF99C985AAEBBF5FF48300F2181A5E914AB3A1D734AD41CF55

Function 004FC798 Relevance: 10.7, APIs: 7, Instructions: 198windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004FC400: DeleteObject.GDI32(?), ref: 004FC40B
Part of subcall function 004FC400: DeleteDC.GDI32(?), ref: 004FC418
Part of subcall function 004FC400: DeleteObject.GDI32(?), ref: 004FC434

CreateCompatibleDC.GDI32(00000000), ref: 004FC903
CreateHalftonePalette.GDI32(?,00000000), ref: 004FC93E
ResizePalette.GDI32(?,00000001), ref: 004FC973
SelectPalette.GDI32(?,?,00000000), ref: 004FC998
RealizePalette.GDI32(?), ref: 004FC9A3
CreateDIBSection.GDI32(?,-00000474,00000000,-00000450,00000000,00000000), ref: 004FC9CE
SelectObject.GDI32(?,00000000), ref: 004FC9E1

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Palette$CreateDeleteObject$Select$CompatibleHalftoneRealizeResizeSection
String ID:
API String ID: 2525607832-0
Opcode ID: 3b39bf79a773d9044507b5f4a6ba50a4e1458e9f25aaa5a6f7355112836dca1f
Instruction ID: 4ba82757873bb3c143a4d1742f8b993ef62ffc4f5942cec004fa87537f0c0421
Opcode Fuzzy Hash: 3b39bf79a773d9044507b5f4a6ba50a4e1458e9f25aaa5a6f7355112836dca1f
Instruction Fuzzy Hash: E67137756005289FDB04EF19C4D5F6637E5EF0A305F0541E6F2048F3AAC678E84ACB9A

Function 00408850 Relevance: 10.6, APIs: 7, Instructions: 130threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00408CDC: GetCurrentThreadId.KERNEL32 ref: 00408CDF

GetTickCount.KERNEL32 ref: 00408887
GetTickCount.KERNEL32 ref: 0040889F
GetCurrentThreadId.KERNEL32 ref: 004088CE
GetTickCount.KERNEL32 ref: 004088F9
GetTickCount.KERNEL32 ref: 00408930
GetTickCount.KERNEL32 ref: 0040895A
GetCurrentThreadId.KERNEL32 ref: 004089CA

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: CountTick$CurrentThread
String ID:
API String ID: 3968769311-0
Opcode ID: 7d0f63ae373317c5f21e857476dc24018feec28cf215cb5a173da7a4db92fdee
Instruction ID: 59fdbd664e4c2a787114e1462c869c0698e504600effbf6fb817d1e717bb5ab3
Opcode Fuzzy Hash: 7d0f63ae373317c5f21e857476dc24018feec28cf215cb5a173da7a4db92fdee
Instruction Fuzzy Hash: BB415E716083419EDB21BE79CA4032BBAD1AB91354F14893FD4D8A73C2EE798881D75B

Function 004EA090 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 004EA0E2
MulDiv.KERNEL32(?,?,000009EC), ref: 004EA0F9
GetDC.USER32(00000000), ref: 004EA110
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,004EA1CB,?,00000000,?,?,000009EC,?,?,000009EC), ref: 004EA134
GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,004EA1AB,?,?,00000000,00000000,00000008,?,00000000,004EA1CB), ref: 004EA167

Strings

`, xrefs: 004EA0C8

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: BitsFileMeta
String ID: `
API String ID: 858000408-2679148245
Opcode ID: b7f937434eb2587f847978740abbd8c81bb9dfc3e5197959b54ccdff63f1a7cc
Instruction ID: 560aeff5e142fb22fc32d70ae3aa060d7ef4d96bf65ee7c2df06f2301dcbdb9f
Opcode Fuzzy Hash: b7f937434eb2587f847978740abbd8c81bb9dfc3e5197959b54ccdff63f1a7cc
Instruction Fuzzy Hash: AD318775A00248ABDB00DFD5C882BEEF7B8EF0D705F514496F904EB281D678AE50D7A9

Function 004EA974 Relevance: 10.6, APIs: 7, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 004E62F0: GetObjectW.GDI32(00000000,00000004), ref: 004E6307
Part of subcall function 004E62F0: GetPaletteEntries.GDI32(00000000,00000000,?,00000028), ref: 004E632A

GetDC.USER32(00000000), ref: 004EA9B2
CreateCompatibleDC.GDI32(?), ref: 004EA9BE
SelectObject.GDI32(?), ref: 004EA9CB
SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,004EAA23,?,?,?,?,00000000), ref: 004EA9EF
SelectObject.GDI32(?,?), ref: 004EAA09
DeleteDC.GDI32(?), ref: 004EAA12
ReleaseDC.USER32(00000000,?), ref: 004EAA1D

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
String ID:
API String ID: 4046155103-0
Opcode ID: ec8649657c05e97b9ba1c19bfcd01e8d0b09a6ae33e64875ffb60a9979b168a2
Instruction ID: a90b19bdd86dec3490e2a43e61abe2758ba6d863edaf7bda9a2135b5bf853f90
Opcode Fuzzy Hash: ec8649657c05e97b9ba1c19bfcd01e8d0b09a6ae33e64875ffb60a9979b168a2
Instruction Fuzzy Hash: 54115172E00359BFDB10EFE9C851AEEB7BCEB09705F4044AAF504E7241E6789E5087A4

Function 004098D0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040998E,?,?,?,?,00409AA2,00406F13,00406F5A,?,?), ref: 00409909
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040998E,?,?,?,?,00409AA2,00406F13,00406F5A,?), ref: 0040990F
GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040998E,?,?,?), ref: 0040992A
WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040998E), ref: 00409930

Strings

Error, xrefs: 00409942
Runtime error at 00000000, xrefs: 00409902, 00409947

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: FileHandleWrite
String ID: Error$Runtime error at 00000000
API String ID: 3320372497-2970929446
Opcode ID: 1f536b54c0f7e54d54e2ef4696db32368710aa63d846f2239d9123bcbb9aa4c9
Instruction ID: 1cafd5f0b55deffaaa1a260c41e3c473f996b032a313f4f96ee96a2a81eb749b
Opcode Fuzzy Hash: 1f536b54c0f7e54d54e2ef4696db32368710aa63d846f2239d9123bcbb9aa4c9
Instruction Fuzzy Hash: FBF04491A4134479FA3077A55C56F6F2B589704B18F18893FB650782D3CAB84C889766

Function 004E65E0 Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 004E662E
GetSystemMetrics.USER32(0000000C), ref: 004E663A
GetDC.USER32(00000000), ref: 004E6656
GetDeviceCaps.GDI32(00000000,0000000E), ref: 004E667D
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004E668A
ReleaseDC.USER32(00000000,00000000), ref: 004E66C3

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: CapsDeviceMetricsSystem$Release
String ID:
API String ID: 447804332-0
Opcode ID: 514544e9451769a20b0d63ec12d45414229ecaa25948937d2ba282ff4bb2ffa2
Instruction ID: 4016dc568379c8c19e12672c107d27f7e339e6f7b848dc7462e147759cb92e24
Opcode Fuzzy Hash: 514544e9451769a20b0d63ec12d45414229ecaa25948937d2ba282ff4bb2ffa2
Instruction Fuzzy Hash: BA318474E00244EFEB00DFA6C841AAEBBB5FF49751F11856AF414AB384C6749D41CB65

Function 004E6234 Relevance: 9.1, APIs: 6, Instructions: 65windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 004E6252
SelectObject.GDI32(00000000,00000000), ref: 004E625B
GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,?,00000000,?,?,004EC367), ref: 004E626F
SelectObject.GDI32(00000000,00000000), ref: 004E627B
DeleteDC.GDI32(00000000), ref: 004E6281
CreatePalette.GDI32 ref: 004E62DC

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
String ID:
API String ID: 2515223848-0
Opcode ID: 07141b4c2a488876938986d084f5d3c9216c3cb11d2cb0c9d8cd57b741dac934
Instruction ID: 7d7b7b9d453ff037d3cffda30c4a40109c588e289f7eb85d502ed9102ededd86
Opcode Fuzzy Hash: 07141b4c2a488876938986d084f5d3c9216c3cb11d2cb0c9d8cd57b741dac934
Instruction Fuzzy Hash: 0311E33120434022E210BB6B9C43BAB72A89FD575AF01882FB64997382E67C8D49439A

Function 004E6A9C Relevance: 9.1, APIs: 6, Instructions: 65windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E6950: GetObjectW.GDI32(?,00000054), ref: 004E6964

CreateCompatibleDC.GDI32(00000000), ref: 004E6ABE
SelectPalette.GDI32(?,?,00000000), ref: 004E6ADF
RealizePalette.GDI32(?), ref: 004E6AEB
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 004E6B02
SelectPalette.GDI32(?,00000000,00000000), ref: 004E6B2A
DeleteDC.GDI32(?), ref: 004E6B33

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
String ID:
API String ID: 1221726059-0
Opcode ID: 9dbd0a09d7bff179ba26f2c840b696ab711f6e12a27d33c9ec649e9677f75141
Instruction ID: ce5ef7bc2b447eaaf5ad7ea58a7014afe3a29db5ee430c20c38cefb41b0ea7be
Opcode Fuzzy Hash: 9dbd0a09d7bff179ba26f2c840b696ab711f6e12a27d33c9ec649e9677f75141
Instruction Fuzzy Hash: EF114275E403047FDB10DFAA8C42F9EBBEDDB49701F51806AB514E7281D678AE408768

Function 004EEBA4 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

SetDIBits.GDI32(00000000,00000000), ref: 004EECF4

Strings

p'Q, xrefs: 004EEC33
, xrefs: 004EEC8B
,, xrefs: 004EEC6A
pN, xrefs: 004EEC15, 004EED49

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Bits
String ID: $,$p'Q$pN
API String ID: 3573556081-239200797
Opcode ID: dd73bb745f73dc684ff5184fab1c87c3add33f00a112f83163d1b8d4a2d36e5a
Instruction ID: 9f441a5b3756811afa08dfadf154d44fae048bdfa2ad6d45101e58efc57a94ba
Opcode Fuzzy Hash: dd73bb745f73dc684ff5184fab1c87c3add33f00a112f83163d1b8d4a2d36e5a
Instruction Fuzzy Hash: 2951C074A00208AFDB40DF9AD881E9EB7F9FB48314F5181A6F914EB362D735AE44CB54

Function 004EE3C8 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 120COMMON

Download Yara Rule

APIs

GetDIBits.GDI32(00000000,00000000,00000000,?,?,0000002C,00000000), ref: 004EE4B2

Strings

p'Q, xrefs: 004EE3FB
,, xrefs: 004EE468
`'Q, xrefs: 004EE40A
, xrefs: 004EE483

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Bits
String ID: $,$`'Q$p'Q
API String ID: 3573556081-2603654308
Opcode ID: 4d30080a601765c855a25beeb9702f0c2ba3cd424cdda9509ae65dbf12f05595
Instruction ID: bec3c54539f68c6c0af3b8d3ad7b3bee9bcef611c91c0962a899e26579722b68
Opcode Fuzzy Hash: 4d30080a601765c855a25beeb9702f0c2ba3cd424cdda9509ae65dbf12f05595
Instruction Fuzzy Hash: 2B4144B1A00104AFDB40DF6AC885A9A77F9EF09318B2141A6FC04EB356D7B5ED45CB94

Function 004264A8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,00426654), ref: 004264DB
GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 004264FF
GetModuleFileNameW.KERNEL32(MZP,?,00000105), ref: 0042651A
LoadStringW.USER32(00000000,0000FFEB,?,00000100), ref: 004265B5

Strings

MZP, xrefs: 00426519

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID: MZP
API String ID: 3990497365-2889622443
Opcode ID: 24f38c40df9b29d21a7482a27281db47092b02f5bee306cf85a572d20530dcf9
Instruction ID: 146c6d1a4dcd0b7898c8f180d5f962d7682371f2073325c29d76b66a404f3a29
Opcode Fuzzy Hash: 24f38c40df9b29d21a7482a27281db47092b02f5bee306cf85a572d20530dcf9
Instruction Fuzzy Hash: 90415170A002289FDB20DF65DC81BD9B7F9AB59304F8140EAE508E7241D7799E948F59

Function 004ED0C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004ED17C
CreateHalftonePalette.GDI32(00000000,00000000), ref: 004ED189
ReleaseDC.USER32(00000000,00000000), ref: 004ED198
DeleteObject.GDI32(00000000), ref: 004ED206

Strings

(, xrefs: 004ED133

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: CreateDeleteHalftoneObjectPaletteRelease
String ID: (
API String ID: 577518360-3887548279
Opcode ID: 3f1f41b3ef125d9ed7a49561758919a6120e21a961ad02875502c61ed0793db1
Instruction ID: 73f9df9c47eaf129883820700aa1f99bcdc43d39a50d20607ac612a05abe645c
Opcode Fuzzy Hash: 3f1f41b3ef125d9ed7a49561758919a6120e21a961ad02875502c61ed0793db1
Instruction Fuzzy Hash: F841AE70E04248AFCB10DFA6C885ADEFBF5EF49305F1480AAE404AB351D6789E45DB99

Function 004B7154 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,004B722A,?,?,004B5444,00000001), ref: 004B71CC
GetCurrentThread.KERNEL32 ref: 004B7204
GetCurrentThreadId.KERNEL32 ref: 004B720C

Strings

pDA, xrefs: 004B71EB
BnK, xrefs: 004B7221, 004B71D1, 004B71DB

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: CurrentThread$ErrorLast
String ID: BnK$pDA
API String ID: 4172138867-3175749474
Opcode ID: e0f48d4165c6cdba51e8a00e46d8a1a6566346ae9eee92cff768f86f41948d34
Instruction ID: b42759e005b3f2f8ce4c62d5fa036f1a67be2660c26f4f59566ccc81797ad0ae
Opcode Fuzzy Hash: e0f48d4165c6cdba51e8a00e46d8a1a6566346ae9eee92cff768f86f41948d34
Instruction Fuzzy Hash: 532108709086456ED701DFB5C8817EABBE4BF89304F44897BE42497782DB389815C7B9

Function 0043690C Relevance: 7.8, APIs: 5, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b1296c92a046bb743362478882edb4bed3443ecb9e909bca9af9b7118eca8f6
Instruction ID: 8d3459a469465bc4371695b4e367a65a38b978d34797e4c4e50731b7cb5a1aca
Opcode Fuzzy Hash: 9b1296c92a046bb743362478882edb4bed3443ecb9e909bca9af9b7118eca8f6
Instruction Fuzzy Hash: AFD1C235A00209AFCF00EF95C4918EEFBB9EF0D310F5590A6E840A7251D638AE46DB79

Function 004F0894 Relevance: 7.6, APIs: 6, Instructions: 148COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000038), ref: 004F08C0
memcpy.MSVCRT(00000000,00000000,000016C4), ref: 004F08F3
memcpy.MSVCRT(00000000,?,?), ref: 004F0989
memcpy.MSVCRT(00000000,?,?), ref: 004F099F
memcpy.MSVCRT(00000000,?,?), ref: 004F09B5
memcpy.MSVCRT(00000000,?,?), ref: 004F09C9

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: d948a10c9f1e2417ed34ae8df7b8044f991836d94fef36a5c337458bb54a48b1
Instruction ID: bcd7db05d191351e9405a97d2655ef30d3ed96d280d6279a09f2b3dd0a47b8f8
Opcode Fuzzy Hash: d948a10c9f1e2417ed34ae8df7b8044f991836d94fef36a5c337458bb54a48b1
Instruction Fuzzy Hash: 965175B1600200AFDB14CF69CCC5E6677A8BF88314F08827AEE098F346E735E944CB94

Function 004EC31C Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004EC372
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004EC387
GetDeviceCaps.GDI32(00000000,0000000E), ref: 004EC391
CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004EA7DB,00000000,004EA867), ref: 004EC3B5
ReleaseDC.USER32(00000000,00000000), ref: 004EC3C0

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: CapsDevice$CreateHalftonePaletteRelease
String ID:
API String ID: 2404249990-0
Opcode ID: c4a1b20b6082907148ca0743ca9c7e76063a1768cc102af30ff38a7623f7df5f
Instruction ID: 76c421ad3c698b7ff88da0f61c3aa7df07cb2880bcd4f869b6d47c825d99da29
Opcode Fuzzy Hash: c4a1b20b6082907148ca0743ca9c7e76063a1768cc102af30ff38a7623f7df5f
Instruction Fuzzy Hash: 3D11D3315012D9AEEB20AF27C481BEF3B94AF55357F04505BFC005A281D7BC8DA2C7A9

Function 004E619C Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004E61B4
GetDeviceCaps.GDI32(?,00000068), ref: 004E61D0
GetPaletteEntries.GDI32(24080E0F,00000000,00000008,?), ref: 004E61E8
GetPaletteEntries.GDI32(24080E0F,00000008,00000008,?), ref: 004E6200
ReleaseDC.USER32(00000000,?), ref: 004E621C

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: EntriesPalette$CapsDeviceRelease
String ID:
API String ID: 3128150645-0
Opcode ID: e2e0119970b46360f4dbaca9755fcc1ef81ad606db22181b8a12d53334abd375
Instruction ID: fb62e25858754de89261d63ddcf899fc845c4e56b322bcc1c3ebe9d0414cdd2c
Opcode Fuzzy Hash: e2e0119970b46360f4dbaca9755fcc1ef81ad606db22181b8a12d53334abd375
Instruction Fuzzy Hash: 191108716483447EEB00DFA6EC42FA97FACE719706F40849BF204DA1C1DABA5544C324

Function 0040904A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

UnhandledExceptionFilter.KERNEL32(?,00000000), ref: 0040911E

Strings

,qB, xrefs: 0040906B
hsB, xrefs: 004090F7

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID: ,qB$hsB
API String ID: 3192549508-2187915683
Opcode ID: 1700f64120af452dff93675b6e54fdb508242944783359e32faae08426496f92
Instruction ID: 7df4318895a31e83b2a36aa030ba475ccd5b90e95bae95c0b52881597b1f7c6e
Opcode Fuzzy Hash: 1700f64120af452dff93675b6e54fdb508242944783359e32faae08426496f92
Instruction Fuzzy Hash: 834196717042029FE720DF14C888B6BB7E5EB85314F15857AE448AB393C739EC45CB59

Function 00508E64 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 00508EB1
VirtualProtect.KERNEL32(?,?,?,?,?), ref: 00508F36

Strings

lQ, xrefs: 00508F3F
FinalizeSections: VirtualProtect failed, xrefs: 00508F44

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Virtual$FreeProtect
String ID: FinalizeSections: VirtualProtect failed$lQ
API String ID: 2581862158-2227185769
Opcode ID: ffec637c8259a18f5241ac3077646ca467aa47a9a348421ddbaa2147e73c95d7
Instruction ID: c314e3de9cf4c83f6d25740841c829b86395eef794fabfa9df7492c7fc59e805
Opcode Fuzzy Hash: ffec637c8259a18f5241ac3077646ca467aa47a9a348421ddbaa2147e73c95d7
Instruction Fuzzy Hash: 443137746002069FD710DF68C885FAABBE9BF48744F144584FAA8DB3E2DB30ED548B94

Function 00423C28 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,00423D0B), ref: 00423CAE
GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,00423D0B), ref: 00423CB4

Strings

yyyy, xrefs: 00423C89
, xrefs: 00423C7A

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: $yyyy
API String ID: 3303714858-404527807
Opcode ID: 0809fa2659c157af8da77a48e90bfea0ac0ad0ed8c95e6ae3a57ad6ba9429efe
Instruction ID: 4198a1d351d31b9a86c79895a928489856ad1452b39a35c365c2990c697424f4
Opcode Fuzzy Hash: 0809fa2659c157af8da77a48e90bfea0ac0ad0ed8c95e6ae3a57ad6ba9429efe
Instruction Fuzzy Hash: F4217F35A046289BDB10EF95D842AAEB3F8EF08701F91406BF905F7281D63C9F00C76A

Function 0042D69C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(0041F85C,00000001), ref: 0042D6B8
GetCPInfo.KERNEL32(0042D79C,0042C1C5,0041F85C,00000001), ref: 0042D6D9

Strings

\A, xrefs: 0042D6EA
$CA, xrefs: 0042D6E2

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Info
String ID: $CA$\A
API String ID: 1807457897-218779800
Opcode ID: c333d9008389caf3d2b7a62747e31d087ad93cbcde306d0b54cc15cb44afa7b7
Instruction ID: ebbfc3f9cbe9bf8f46c4dc39453f4120fc533cccd9d0050bd4b81853795f0a58
Opcode Fuzzy Hash: c333d9008389caf3d2b7a62747e31d087ad93cbcde306d0b54cc15cb44afa7b7
Instruction Fuzzy Hash: 2B01D671B00A158FC720EF69E981997B7E4AF05364B00853FFC99C7351EB39D9048BA9

Function 004E3964 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,004E3BCC), ref: 004E39AC
LeaveCriticalSection.KERNEL32(?,004E3BA3,?,00000000,004E3BCC), ref: 004E3B96

Strings

Default, xrefs: 004E3A5A
-Q, xrefs: 004E3A80

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Default$-Q
API String ID: 3168844106-3821686248
Opcode ID: 1a1d0b3d7fef57fbd369e5ba3f48b81e015b8509224f28914d8de7d590d176ed
Instruction ID: 19d7f923896caa44bc4d2895c7d959a39db7ed687c0c5984d3f2fc8e9670fb4e
Opcode Fuzzy Hash: 1a1d0b3d7fef57fbd369e5ba3f48b81e015b8509224f28914d8de7d590d176ed
Instruction Fuzzy Hash: BA519470A083589FDB02DFA9C845AEEBBF5FF48305F51446AE404A7352D778AE44CB14

Function 004E3ED0 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,00000000,00000000), ref: 004E3EF7
GetObjectW.GDI32(?,00000010,?), ref: 004E3F0A
GetObjectW.GDI32(?,00000000,?), ref: 004E3F63

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Object
String ID:
API String ID: 2936123098-0
Opcode ID: a40579d9f90c76d0c9fca4423f8c07d8447b4155338eb9add3561dc35ea178ad
Instruction ID: b9ca84249461113418995685c1b411e63f59ddf32e5f5f2b3ba05ad8a3118a75
Opcode Fuzzy Hash: a40579d9f90c76d0c9fca4423f8c07d8447b4155338eb9add3561dc35ea178ad
Instruction Fuzzy Hash: 09319471A047849FD711CF5AC885EAABBF9EF49311F14846EF854DB741D234E9008B64

Function 0040C998 Relevance: 6.1, APIs: 4, Instructions: 95threadCOMMON

Download Yara Rule

APIs

GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040C9A9
SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040CA07
SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040CA64
SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040CA97

Part of subcall function 0040C954: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040CA15), ref: 0040C96B
Part of subcall function 0040C954: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040CA15), ref: 0040C988

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Thread$LanguagesPreferred$Language
String ID:
API String ID: 2255706666-0
Opcode ID: ab0a3fc87b5d274f299d69668d3c9eef21079eaeea860c77a07499101e2d6c50
Instruction ID: 8d1cb3547ee4b9364daa38f1b6dc697d03ddbece5e120c74778344a30482e11a
Opcode Fuzzy Hash: ab0a3fc87b5d274f299d69668d3c9eef21079eaeea860c77a07499101e2d6c50
Instruction Fuzzy Hash: DF313D70A0021E9BDB10DBA9C8C57AFB7B5EF04304F00427AE555E7291DB789A04CB95

Function 004EA788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E4778: EnterCriticalSection.KERNEL32(0051DE34,?,004E4858,?,?,?,?,?,?,?,?,00000000,004E4870,?,0051DE34), ref: 004E4780
Part of subcall function 004E4778: LeaveCriticalSection.KERNEL32(0051DE34,0051DE34,?,004E4858,?,?,?,?,?,?,?,?,00000000,004E4870,?,0051DE34), ref: 004E478D
Part of subcall function 004E4778: EnterCriticalSection.KERNEL32(?,0051DE34,0051DE34,?,004E4858,?,?,?,?,?,?,?,?,00000000,004E4870), ref: 004E4796

Part of subcall function 004EC31C: GetDC.USER32(00000000), ref: 004EC372
Part of subcall function 004EC31C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 004EC387
Part of subcall function 004EC31C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 004EC391
Part of subcall function 004EC31C: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004EA7DB,00000000,004EA867), ref: 004EC3B5
Part of subcall function 004EC31C: ReleaseDC.USER32(00000000,00000000), ref: 004EC3C0

CreateCompatibleDC.GDI32(00000000), ref: 004EA7DD
SelectObject.GDI32(00000000,?), ref: 004EA7F6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004EA81F
RealizePalette.GDI32(00000000), ref: 004EA82B

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
String ID:
API String ID: 979337279-0
Opcode ID: e4708b13d4162338c8fa8d9abf0c706dab058b01908a5adb0ec73a38d2e26af5
Instruction ID: 70351cf6032dbd0939f732d494bf93bb1b6777d92977e90662745986a4f58f41
Opcode Fuzzy Hash: e4708b13d4162338c8fa8d9abf0c706dab058b01908a5adb0ec73a38d2e26af5
Instruction Fuzzy Hash: E8310634A00684EFD704EF5AD981D5EB7F5FF48315B6241A6E804AB322C738EE82DB54

Function 004EDF8C Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetIconInfo.USER32(?,?), ref: 004EDFAD
GetObjectW.GDI32(?,00000018,?), ref: 004EDFCE
DeleteObject.GDI32(?), ref: 004EDFFA
DeleteObject.GDI32(?), ref: 004EE003

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: Object$Delete$IconInfo
String ID:
API String ID: 507670407-0
Opcode ID: 7a1785c32ae41643537aa2786bfbdbae53e7e625d4899cd26e3bbc34933ba4e6
Instruction ID: 1a97c13f3edbda2b3c1502a7d4827854aa80e6db8bf7018fb0a338cf34cd0894
Opcode Fuzzy Hash: 7a1785c32ae41643537aa2786bfbdbae53e7e625d4899cd26e3bbc34933ba4e6
Instruction Fuzzy Hash: 32119175A00208AFDB00DFABC982C9EB7F9EB48311B1085AAF904D7351DB75EE00DA94

Function 004EEDD0 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004EEDD9
SelectObject.GDI32(00000000,058A00B4), ref: 004EEDEB
GetTextMetricsW.GDI32(00000000), ref: 004EEDF6
ReleaseDC.USER32(00000000,00000000), ref: 004EEE07

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: MetricsObjectReleaseSelectText
String ID:
API String ID: 2013942131-0
Opcode ID: 69fa914ca851ee74fc1149395581ca18b64c37d6fa6240ddf4510f1bbda6b75f
Instruction ID: a86a7c8164184303e7b2e3849245c9a5924fc7d8bd12fc902a680fb7c4b12911
Opcode Fuzzy Hash: 69fa914ca851ee74fc1149395581ca18b64c37d6fa6240ddf4510f1bbda6b75f
Instruction Fuzzy Hash: 94E04F626027B032D551666B5D86BDB2A4C4F026ABF480116FD44997D1DA0DCE5083FA

Function 00427150 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,00427356), ref: 004271F0
GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,00427356), ref: 0042721C

Part of subcall function 0040EDD0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 0040EE15

Strings

T@A, xrefs: 00427307

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: FileLoadModuleNameQueryStringVirtual
String ID: T@A
API String ID: 902310565-1700159869
Opcode ID: c0d047f943028d97e04232e986cdd5189ba5f93e1f1aba3def660c9e40b683b8
Instruction ID: 01bb5f6f549524bffea9cf7d5818f966a37fd6a44b94a829212173a91a13da92
Opcode Fuzzy Hash: c0d047f943028d97e04232e986cdd5189ba5f93e1f1aba3def660c9e40b683b8
Instruction Fuzzy Hash: 64512934A08269DFDB10DF29DC88AD9B7F4EF48304F5045EAA808A7351D778AE84CF59

Function 00428748 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00000000,0042BB77,00000000,0042BCB7), ref: 00428707

Strings

Z, xrefs: 00428763
A, xrefs: 0042875E

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: CharUpper
String ID: A$Z
API String ID: 9403516-4098844585
Opcode ID: 0853d31e4c62cbf45948dc29de724639dcf269313cc23831c9dadc14004e3c7b
Instruction ID: b9253ecd29e492176c38fe4a03f9f14fb6b287faa95297cdab911eb37b575cf8
Opcode Fuzzy Hash: 0853d31e4c62cbf45948dc29de724639dcf269313cc23831c9dadc14004e3c7b
Instruction Fuzzy Hash: 431136127466200BE720643FAC817FF958A87C63A4F99023FF505D73C1DC5C8C0142D9

Function 00408F1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00408F8A
UnhandledExceptionFilter.KERNEL32(?,?,?,Function_00008F20), ref: 00408FC7

Strings

hsB, xrefs: 00408F45

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID: hsB
API String ID: 3192549508-625297667
Opcode ID: 71af4e390d5abfd6d2040d1b975c0e968029a7204a6687ef051946c3d04c1d81
Instruction ID: a3b05377a8d17e60e07457b386e13646049d2c6927d33ce14a72d1f6f32e6c37
Opcode Fuzzy Hash: 71af4e390d5abfd6d2040d1b975c0e968029a7204a6687ef051946c3d04c1d81
Instruction Fuzzy Hash: 1A3180B0604301AFD720DB24C984F2BB7EAEB88714F14857EF548972A2CB38EC45D719

Function 004D8F38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,004D9018), ref: 004D8FBC
RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,004D9018), ref: 004D8FD4

Strings

0DA, xrefs: 004D8FEB

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: CloseCreate
String ID: 0DA
API String ID: 2932200918-1323616133
Opcode ID: fac5e3721a245bfcc9ed623455fcf57c0582175419c53dfd0b0fa12a3f3d5d3f
Instruction ID: 017f4d9452f0a09ddcf7a8119e01f2a5f81c362e6e8ec416fd70992e05365c57
Opcode Fuzzy Hash: fac5e3721a245bfcc9ed623455fcf57c0582175419c53dfd0b0fa12a3f3d5d3f
Instruction Fuzzy Hash: 47215171B04208ABDB11EFA5CC52BAE77F9EB49704F10407BB504E7381EA78AE059659

Function 0040945E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 0040947F

Strings

ptB, xrefs: 004094DA
hsB, xrefs: 004094B8

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID: hsB$ptB
API String ID: 3192549508-579888589
Opcode ID: 6040466f00e2c8a053fbe7c5040ef9d1dac393dd0ce99f32a3ea5679555daf94
Instruction ID: 1c15842ca407df81533eab869cf356bb1e86fa8830085c109665a44f2841b22d
Opcode Fuzzy Hash: 6040466f00e2c8a053fbe7c5040ef9d1dac393dd0ce99f32a3ea5679555daf94
Instruction Fuzzy Hash: 722187742082059BDB24DF29D884B2B7391AB98710F14C53AA845973D7C73CEC46DB59

Function 004E9928 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

SetEnhMetaFileBits.GDI32(0000006C,?,00000000,004E99F3), ref: 004E99AB

Strings

EMF, xrefs: 004E994B
l, xrefs: 004E9959

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: BitsFileMeta
String ID: EMF$l
API String ID: 858000408-2398670571
Opcode ID: 48f28cece0e3049f6e68b153f511514110a478f4b34ab4d1ccafa09be0ed4e3a
Instruction ID: d8b59ccd57732e94ff2d5b122cdf495c560b21a665579054683b94a632da62f7
Opcode Fuzzy Hash: 48f28cece0e3049f6e68b153f511514110a478f4b34ab4d1ccafa09be0ed4e3a
Instruction Fuzzy Hash: 84217F71A00244DFCB10EFAAC881A6EB7F5FF49714F55426EE405AB786DB38AD01CB58

Function 00433380 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0043338D

Strings

U8C, xrefs: 004333D0
U8C, xrefs: 0043339E

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: InitVariant
String ID: U8C$U8C
API String ID: 1927566239-2794899156
Opcode ID: e25a5720908425a500fd415a8d3bf4564bb395e1b66fba7ebba665d040fcf2b1
Instruction ID: fa363addd61d485d6cd68e3682c1b4edaac74f53fc75c8844fd0c6c500103e91
Opcode Fuzzy Hash: e25a5720908425a500fd415a8d3bf4564bb395e1b66fba7ebba665d040fcf2b1
Instruction Fuzzy Hash: D2F09C75E0421DEBCB40DF99D881AEEBBF8FB08710F008156EA58E7350E774AA44CB95

Function 004339A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004339AD

Strings

>C, xrefs: 004339BE
>C, xrefs: 004339F0

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: InitVariant
String ID: >C$>C
API String ID: 1927566239-3959820462
Opcode ID: 76e66cb95d50e58f59da6bcf5122f1f55b7cd9c70dd6052c65af163639564bd1
Instruction ID: 99dd6d0ffc60b9a8bd0ee7024b4cc4d7b98f478dc9cfe1d555ab3fe70c1b1c27
Opcode Fuzzy Hash: 76e66cb95d50e58f59da6bcf5122f1f55b7cd9c70dd6052c65af163639564bd1
Instruction Fuzzy Hash: 17F0EC75E0020DABCB00DF99C881ADFB7F8FB08310F008156EA14E7350E774AA44CB95

Function 004289EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 16COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,0050E4DB,00000000,0050E512), ref: 004289F2

Part of subcall function 004139B0: GetProcAddress.KERNEL32(0043C998,?), ref: 004139DA

Strings

kernel32.dll, xrefs: 004289ED
GetDiskFreeSpaceExW, xrefs: 004289FD

Memory Dump Source

Source File: 00000005.00000002.1484938604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484893894.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485332412.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485397388.0000000000510000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485511802.0000000000511000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485549574.0000000000513000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1485603858.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486030869.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486136533.0000000000520000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486220481.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1486260822.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExW$kernel32.dll
API String ID: 1646373207-1127948838
Opcode ID: c7edea2ffbbda9fdc0d07ee16b935c76c2adbbdc0e38b75f3dfa78325f9fbb0d
Instruction ID: 8ccd786351900723a36e45e0a3bb3a683afe0fdfe4abf5b7f5dbba0d790a7421
Opcode Fuzzy Hash: c7edea2ffbbda9fdc0d07ee16b935c76c2adbbdc0e38b75f3dfa78325f9fbb0d
Instruction Fuzzy Hash: 24D05EB07123624AD760ABA1B882B1E2288A320F06F80013FB20145B26CFFD8848534C

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tiiEwuElgl.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2fe5f38a4f5ae3ed51518cca5baa2e5e637fb76_7522e4b5_64422e78-53cc-46d8-a19d-7baef0af0e5c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2fe5f38a4f5ae3ed51518cca5baa2e5e637fb76_7522e4b5_d2f2c237-4255-4da5-8098-3eac21645fd8\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_b0cdffbca525ee12a6aa688b50d1504e3557d02a_7522e4b5_063399f1-1e56-4d88-a8ba-4023344517e5\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER12A0.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER12FE.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER133E.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER13BC.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER13DA.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER140A.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE576.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE632.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE662.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
tiiEwuElgl.dll